
RE: IKEv2 and SIGMA



     *HARDCORE PRIVACY ADVOCATES*

Alright... that ought to be enough to prevent my message from being sent to
tfs@ebsdr.com.


> > BTW, Hugo, you never explained why it was essential for IKEv2 to sign the
> > identity and I can't see any justification for this requirement. Is this
> > because:
> >
> > a) It has not been proven secure not to sign the identity?
> > b) It has been proven insecure not to sign the identity?
>
> It has been proven INSECURE not to MAC the identity.  If you sign the
> identity but do not include a MAC the protocol is insecure. This uses a
> 10+ year (simple but non-obvious) attack discovered by Diffie, van
> Oorschot and Wiener, and a main motivation behind SIGMA's (and IKE)
> design.

When I said "sign the identity", what I really meant was "include the
identity in the data which is signed." *Of course* you MAC it first. But
in IKEv2, you only MAC the identity; in SIGMA, you MAC the identity and then
sign it.

Let's try this again...

You never explained why it was essential for IKEv2 to *sign* the MAC of the
identity and I can't see any justification for this requirement. Is this
because:

a) It has not been proven secure not to sign the MAC of the identity?
b) It has been proven insecure not to sign the MAC of the identity?
c) It saves space to put just a signature in message 3 instead of a
signature and a MAC.

Answering (c) would be a cop-out, since that wouldn't be "essential for
security"...

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



