[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IKEv2 and SIGMA

To: Andrew Krywaniuk <andrew.krywaniuk@alcatel.com>
Subject: RE: IKEv2 and SIGMA
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Fri, 14 Dec 2001 13:06:58 +0200 (IST)
cc: "'IPsec WG'" <ipsec@lists.tislabs.com>
In-Reply-To: <001a01c18480$3a8d3ea0$44c6830c@andrewk3.ca.newbridge.com>
Sender: owner-ipsec@lists.tislabs.com

Beating a dead horse.
I said it far too many times: the concern is to make sure
the MAC covers the ID. 

For cleanliness and robustness I preferred the ID to appear as an explicit
input to the MAC, but if people are content with having the ID under the
ciphertext and the latter is MACed (with SKEYID_a/SKEYSEED_a) that's fine
too. Just MAKE SURE that in the design process the ID stays there. Also
make sure that the spec clearly documents the need for this ID to be
there. 

BTW, as for my emphatic response to Dan as you quote, what it means is
that covering the ID by the signature is no replacement for covering it
with the MAC. SIgnature and MAC have different roles here.

Hugo

On Fri, 14 Dec 2001, Andrew Krywaniuk wrote:

> > Andrew, I am glad you keep insisting in understanding this,
> > and I am sorry for not being clear. Below is another try
> 
> ...
> 
> > Indeed, I never explained why signing the MAC of the identity is
> > essential. You know why? Because it is NOT. (And I never said
> > it was.) The
> > only ESSENTIAL thing is that the MAC be applied to the identity!
> 
> 
> I went back through the archives to try to determine the source of this
> confusion.
> 
> Dan said:
> 
> > In this case IDi would be signed by each party. Since you're proposing
> > putting all things, including IDi, into the signed hash anyway why is it
> > dangerous to add just IDi to the mix of exponentials and nonces?
> 
> and you replied:
> 
> > IT IS VERY DANGEROUS! DOING WHAT YOU SUGGEST IS INSECURE!
> 
> In this case, a buffer containing IDi would be signed by each party, but
> using the PCKS#1 format which also involves a hashing step. Wouldn't this be
> secure?
> 
> (I see from the context that this discussion was relating to the potential
> "outer id", rather than the "inner id").
> 
> Andrew
> -------------------------------------------
> There are no rules, only regulations. Luckily,
> history has shown that with time, hard work,
> and lots of love, anyone can be a technocrat.
> 
>

References:

RE: IKEv2 and SIGMA

From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

Prev by Date: Re: Comment regarding Nonce size
Next by Date: Re: IKEv2 and NAT traversal
Prev by thread: RE: IKEv2 and SIGMA
Next by thread: RE: IKEv2 and SIGMA
Index(es):
- Main
- Thread