Re: AES-based PRF for IKEv2



At 6:22 AM +0200 3/26/03, Hugo Krawczyk wrote:
>Preshared key is NOT used in the calculation of SKEYSEED.
>Sorry if my text gave the wrong impression.
>
>The only thing we need to make sure is that the ikev2 document will
>mandate a minimal length for the nonces Ni and Nr (each has to be at least
>half the length of the prf), and a minimal size of the preshared key
>(which has to be at least the length of the prf key).

OK, then I'm still confused. Why does the length of the preshared key 
have to be half the length of the prf key? Why are they linked at all?

>There is no reason that an implementation will not be able to meet these
>requirements. The only case in which this may happen is if someone tries
>to use a password as a preshared key.

Exactly. This is quite common in the real world.

>But that should be seen as a
>violation of the purpose of pre-shared key mode. Especially in view that
>ikev2 explicitly supports password-based authentication methods through
>its EAP exchange.

If the preshared key is only used for authentication, not key 
strength, it is not a violation of the spec for someone to have weak 
authentication. If using a password instead of a real preshared key 
weakens the key strength, we need to point that out very clearly in 
the text. (But I still don't see where that happens.)

--Paul Hoffman, Director
--VPN Consortium