
RE: Some comments to draft-ietf-ipsec-ikev2-00.txt



>  > 3.1 Generating Keying Material for the IKE-SA
> ...
>  >        SKEYSEED = prf(Ni | Nr, g^ir)
>
> As this is the only place where nonces are used, their entropy is
> limited to the output of the PRF. I.e. there is no use in using nonces
> whose combined entropy is more than 128 bits if we are using HMAC-MD5
> as the PRF, as the output of SKEYSEED is going to be 128 bits.
>
>  >        SKEYSEED_d = prf(SKEYSEED, g^ir | CKY-I | CKY-R | 0)
>  >        SKEYSEED_a = prf(SKEYSEED, SKEYSEED_d | g^ir | CKY-I | CKY-R | 1)
>  >        SKEYSEED_e = prf(SKEYSEED, SKEYSEED_a | g^ir | CKY-I | CKY-R | 2)
>
> I think that could be fixed by adding the nonces to the above
> calculations as well, in addition to the cookies.


Or by simply replacing the cookies with the nonces. That would be the
*obvious* method ;-)

Still, I notice that IKEv2 carries forward the "broken" phase 1 key
stretching algorithm from IKEv1:

      K1 = prf(SKEYSEED_e, 0)
      K2 = prf(SKEYSEED_e, K1)
      K3 = prf(SKEYSEED_e, K2)

As was noted from earlier discussions, g^xy ought to be reintroduced at each
stage in order to preserve the full entropy of the key exchange.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
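An added illustration of the two points raised in the thread, not code from the draft or from either poster: the quoted derivation chain and the IKEv1-style stretching, instantiated with HMAC-MD5 as the prf. All input values are constructed, and the "feed g^ir back in" variant is an assumed form of the reply's suggestion, since the thread does not specify one.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 as the prf: 16 bytes out, whatever the entropy of the inputs."""
    return hmac.new(key, data, hashlib.md5).digest()


def skeyseed_chain(ni, nr, g_ir, cky_i, cky_r):
    """SKEYSEED and SKEYSEED_{d,a,e} as quoted from the draft (cookies, no nonces)."""
    skeyseed = prf(ni + nr, g_ir)
    sk_d = prf(skeyseed, g_ir + cky_i + cky_r + b"\x00")
    sk_a = prf(skeyseed, sk_d + g_ir + cky_i + cky_r + b"\x01")
    sk_e = prf(skeyseed, sk_a + g_ir + cky_i + cky_r + b"\x02")
    return skeyseed, sk_d, sk_a, sk_e


def stretch_draft(sk_e, blocks):
    """Stretching carried over from IKEv1: K1 = prf(SK_e, 0), Kn = prf(SK_e, Kn-1).
    SK_e is the only secret input, so the whole output is a function of 128 bits."""
    ks = [prf(sk_e, b"\x00")]
    for _ in range(blocks - 1):
        ks.append(prf(sk_e, ks[-1]))
    return b"".join(ks)


def stretch_with_gxy(sk_e, g_ir, blocks):
    """ASSUMED form of the reply's suggestion: g^ir reintroduced at every stage,
    Kn = prf(SK_e, Kn-1 | g^ir). The thread does not fix the exact construction."""
    ks = [prf(sk_e, b"\x00" + g_ir)]
    for _ in range(blocks - 1):
        ks.append(prf(sk_e, ks[-1] + g_ir))
    return b"".join(ks)


def summary():
    """Constructed inputs: 32-byte nonces, a 128-byte DH secret, 8-byte cookies."""
    ni = hashlib.sha256(b"constructed Ni").digest()
    nr = hashlib.sha256(b"constructed Nr").digest()
    g_ir = hashlib.sha512(b"constructed g^ir").digest() * 2
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    skeyseed, _, _, sk_e = skeyseed_chain(ni, nr, g_ir, cky_i, cky_r)
    return {
        "nonce_bits_in": 8 * (len(ni) + len(nr)),         # 512 bits offered by nonces
        "skeyseed_bits": 8 * len(skeyseed),               # squeezed to 128 by HMAC-MD5
        "stretched_bytes": len(stretch_draft(sk_e, 3)),   # 48 bytes of key material
        "stretch_secret_bits": 8 * len(sk_e),             # derived from a 128-bit secret
    }
```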
