
Re: Secure legacy authentication for IKEv2



At 7:18 PM -0500 12/20/02, David Jablon wrote:
>The "clean separation" to which you refer merely insures that the quality
>of the initial DH key can *never* be improved or strengthened by the quality
>of the client authentication method.  Got a password-authenticated key?
>Just throw it away.  Yep, it's clean all right.

The same argument goes for IKEv2's authentication. Are you saying 
that we should change the key derivation for IKEv2 itself to include 
material from those authentication methods? If so, please suggest 
text so the cryptographers can analyze it.

The current IKEv2 draft has:

        SKEYSEED = prf(Ni | Nr, g^ir)
        {SK_d, SK_ai, SK_ar, SK_ei, SK_er}
                  = prf+ (SKEYSEED, Ni | Nr | CKY-I | CKY-R)

What is your proposal for improving this in a provably secure way?

--Paul Hoffman, Director
--VPN Consortium
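
Added example (not part of the original message or of the IKEv2 draft): the derivation quoted above as runnable Python, showing that the only inputs to SK_* are the nonces, the DH shared secret and the cookies, so no client authentication material reaches the keys. Assumptions: HMAC-SHA-256 as the prf, the prf+ iteration as later published in RFC 7296, the per-key lengths, and all sample values (constructed).

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for the negotiated prf.
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # Assumption: iteration from RFC 7296 section 2.13:
    #   T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ output limited to 255 blocks")
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

# Assumption: key sizes chosen for illustration only.
KEY_LENGTHS = (("SK_d", 32), ("SK_ai", 32), ("SK_ar", 32),
               ("SK_ei", 16), ("SK_er", 16))

def derive_keys(ni, nr, g_ir, cky_i, cky_r):
    # SKEYSEED = prf(Ni | Nr, g^ir)
    skeyseed = prf(ni + nr, g_ir)
    # {SK_d, ...} = prf+(SKEYSEED, Ni | Nr | CKY-I | CKY-R)
    total = sum(n for _, n in KEY_LENGTHS)
    stream = prf_plus(skeyseed, ni + nr + cky_i + cky_r, total)
    keys, offset = {}, 0
    for name, n in KEY_LENGTHS:
        keys[name] = stream[offset:offset + n]
        offset += n
    return keys

# Constructed sample inputs; not taken from any real exchange.
NI = bytes(range(16))
NR = bytes(range(16, 32))
G_IR = hashlib.sha256(b"constructed DH shared secret").digest() * 4
CKY_I, CKY_R = b"\x11" * 8, b"\x22" * 8

if __name__ == "__main__":
    for name, value in derive_keys(NI, NR, G_IR, CKY_I, CKY_R).items():
        print(f"{name:6s} {value.hex()}")
```

derive_keys() takes no password or other authentication secret, which is the "clean separation" the thread is arguing about: a stronger client authentication method leaves every SK_* value unchanged.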