
RE: IKEv2 and SIGMA



Andrew, I am glad you keep insisting on understanding this,
and I am sorry for not being clear. Below is another try.


> > > BTW, Hugo, you never explained why it was essential for
> > IKEv2 to sign the
> > > identity and I can't see any justification for this
> > requirement. Is this
> > > because:
> > >
> > > a) It has not been proven secure not to sign the identity?
> > > b) It has been proven insecure not to sign the identity?
> >
> > It has been proven INSECURE not to MAC the identity.  If you sign the
> > identity but do not include a MAC the protocol is insecure.
> > This uses a
> > 10+ year (simple but non-obvious) attack discovered by Diffie, van
> > Oorschot and Wiener, and a main motivation behind SIGMA's (and IKE)
> > design.
> 
> When I said "sign the identity", what I really meant was "include the
> identity in the data which is signed." *Of course* you MAC it first. But
> in IKEv2, you only MAC the identity; in SIGMA, you MAC the identity and then
> sign it.

I repeat: the "essential" thing is to have the ID under the MAC.
I did not say, and never said before that it is a must to have the ID
or MAC under the signature!

> 
> Let's try this again...
> 
> You never explained why it was essential for IKEv2 to *sign* the MAC of the
> identity and I can't see any justification for this requirement. Is this

Indeed, I never explained why signing the MAC of the identity is
essential. You know why? Because it is NOT. (And I never said it was.) The
only ESSENTIAL thing is that the MAC be applied to the identity! 

And yes, I put the MAC under the signature in IKE for convenience (both
space saving and uniformity of HASH derivation for the different
authentication modes).  I still find it more convenient to do so in the
context of SIGMA and IKEv2: for example, to allow the use of ESP
mechanisms for the SOLE purpose of identity protection (rather than for
key exchange authentication as currently specified in IKEv2-00 draft.)
But as I recently said in the discussions concerning the SIGMA-4 proposal
(2 RTs with built-in DoS and defense of responder's identity against
active attacks), it is ok with me to put the MAC outside. 
Just make sure you cover the ID of the sender with the MAC (regardless of
whether we provide identity protection or which message in the protocol
transports the ID).

> because:
> 
> a) It has not been proven secure not to sign the MAC of the identity?
> b) It has been proven insecure not to sign the MAC of the identity?
> c) It saves space to put just a signature in message 3 instead of a
> signature and a MAC.
> 
> Answering (c) would be a cop-out, since that wouldn't be "essential for
> security"...

Please read again my answer to you in the previous message and the above
(re-iterated) statements: the security requirement is "MAC the ID",
whether the MAC goes under the signature or outside is immaterial for
provable security. It may make a difference for bandwidth and for other
design issues (e.g. re-use of ESP for identity protection, robustness of
the security to future changes such as optional ID protection, etc),
but NOT to the core security of the key exchange.

Hugo

PS: It may help to pay attention to the following (at least for mnemonics): 
SIGMA stands for SIGN-and-MAC; it does NOT stand for SIGN-the-MAC.
                      ^^^              ^^^                ^^^


> 
> Andrew
> -------------------------------------------
> There are no rules, only regulations. Luckily,
> history has shown that with time, hard work,
> and lots of love, anyone can be a technocrat.
> 
> 
> 
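The point argued in the message above (the ID must be under a MAC keyed from the DH secret; whether that MAC sits beside the signature or under it is immaterial) written out as an added example. This is illustration code, not code from the original thread and not from any IKE or SIGMA implementation. It models only the initiator's authentication message of a SIGMA-style exchange in three variants: "sign-and-mac" (MAC alongside the signature), "mac-under-sig" (the IKE-style placement with the MAC inside the signed data), and "sign-only" (no MAC over the identity). It then runs the identity-misbinding scenario the message alludes to: a man-in-the-middle who sees g^x and g^y but not g^xy substitutes her own identity and signature. The toy 31-bit group, the Schnorr-style signature, the key derivation and the identities "alice"/"eve" are all assumptions made for the example and are not secure or standard parameters.

```python
import hashlib
import hmac
import secrets

# Toy group, for illustration only (NOT secure): p = 2^31 - 1 with generator 7.
P = 2**31 - 1
G = 7
N = P - 1          # exponent modulus; G^N = 1 mod P by Fermat


def H(*parts: bytes) -> int:
    """Length-prefixed SHA-256 over several byte strings, as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def enc(n: int) -> bytes:
    return n.to_bytes(8, "big")


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    """Schnorr-style signature (toy group): (R, s) with s = k + e*x mod N."""
    k = secrets.randbelow(N - 1) + 1
    R = pow(G, k, P)
    e = H(enc(R), msg) % N
    return R, (k + e * x) % N


def verify(y: int, msg: bytes, sig) -> bool:
    R, s = sig
    e = H(enc(R), msg) % N
    return pow(G, s, P) == (R * pow(y, e, P)) % P


def mac_key(shared: int) -> bytes:
    """MAC key derived from the DH secret g^xy (derivation is an assumption)."""
    return hashlib.sha256(b"sigma-mac-key" + enc(shared)).digest()


def mac(km: bytes, data: bytes) -> bytes:
    return hmac.new(km, data, hashlib.sha256).digest()


def auth_message(mode: str, ident: bytes, priv: int, gx: int, gy: int, km: bytes):
    """Initiator's authentication message: (ID, SIG, MAC-tag or None)."""
    exps = enc(gy) + enc(gx)                      # the signed DH exponentials
    if mode == "sign-only":                       # identity not under any MAC
        return ident, sign(priv, exps), None
    if mode == "sign-and-mac":                    # SIGMA: MAC beside the signature
        return ident, sign(priv, exps), mac(km, ident)
    if mode == "mac-under-sig":                   # IKE-style: MAC inside the signed data
        tag = mac(km, ident)
        return ident, sign(priv, exps + tag), tag
    raise ValueError(mode)


def verify_auth(mode: str, msg, pubkeys: dict, gx: int, gy: int, km: bytes) -> bool:
    """Responder's check; it looks the signer's key up by the claimed ID."""
    ident, sig, tag = msg
    y = pubkeys[ident]
    exps = enc(gy) + enc(gx)
    if mode == "sign-only":
        return verify(y, exps, sig)
    if mode == "sign-and-mac":
        return verify(y, exps, sig) and hmac.compare_digest(tag, mac(km, ident))
    if mode == "mac-under-sig":
        return hmac.compare_digest(tag, mac(km, ident)) and verify(y, exps + tag, sig)
    raise ValueError(mode)


def run(mode: str, eve_in_middle: bool = False):
    """Return (responder accepts?, identity the responder binds the key to)."""
    a_priv, a_pub = keygen()
    e_priv, e_pub = keygen()
    pubkeys = {b"alice": a_pub, b"eve": e_pub}    # constructed key directory
    x = secrets.randbelow(N - 1) + 1              # Alice's DH exponent
    y = secrets.randbelow(N - 1) + 1              # Bob's DH exponent
    gx, gy = pow(G, x, P), pow(G, y, P)
    km_alice = mac_key(pow(gy, x, P))
    km_bob = mac_key(pow(gx, y, P))
    msg = auth_message(mode, b"alice", a_priv, gx, gy, km_alice)
    if eve_in_middle:
        # Eve knows g^x, g^y and Alice's message, but not g^xy, so she can
        # re-sign the exponentials under her own key but only replay Alice's tag.
        _, _, tag = msg
        exps = enc(gy) + enc(gx)
        signed = exps + tag if mode == "mac-under-sig" else exps
        msg = (b"eve", sign(e_priv, signed), tag)
    accepted = verify_auth(mode, msg, pubkeys, gx, gy, km_bob)
    return accepted, msg[0]
```

Running `run("sign-only", eve_in_middle=True)` returns `(True, b"eve")`: Bob accepts and binds a key that only Alice holds to Eve's identity, the misbinding the message warns about. Both MAC variants return `False` in the same scenario, since the tag Eve replays was computed over `b"alice"`, and she cannot compute one over `b"eve"` without g^xy. Moving the MAC under the signature changes nothing in this respect, which is the message's point.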
