
RE: [Ipsec] FW: Remaining issues for IKEv2



Ted Ts'o wrote:
>On Mon, May 10, 2004 at 04:02:13PM -0700, Charlie Kaufman wrote:
>> 
>> Proposal by Pasi.Eronen supported by Hugo Krawczyk on 3/30/04 to 
>> change the computation of the AUTH payload. This is yet another 
>> "gilding the lily" crypto modification. I am confident it adds no 
>> cryptographic strength to the protocol and it breaks compatibility 
>> with anyone who has implemented this stuff already, but it adds only 
>> trivial complexity to the protocol and a trivial computational 
>> overhead. In the past, it's been easier to just accept these proposals
>> than to argue. One last time??
>> 
>
>I've looked through both archives and the VPNC mailing list, and I can't
>find this proposal.  Was it actually sent to the entire ipsec mailing list?
>In any case, I tend to agree with previously expressed sentiments that
>absent a very strong, compelling need to make changes in the crypto core of
>IKEv2, it is long past time to shoot the engineers and ship the product.

Gak! My error. I didn't notice that the messages of 3/30 were sent only
to me and not posted to the ipsec list. They are included below (without
permission, but they don't appear to contain anything embarrassing).

The proposed change provides a certain consistency of usage of the
various keys, which could simplify some security analysis. But unlike
the previous related change supported by CFRG, this one changes the wire
formats of all exchanges - not just ones using non-recommended EAP
methods.

The current syntax was introduced in March 2003 in response to a
different theoretical objection from Hugo.

	--Charlie


-----Original Message-----
From: Pasi.Eronen@nokia.com [mailto:Pasi.Eronen@nokia.com] 
Sent: Tuesday, March 30, 2004 9:53 PM
To: Charlie Kaufman; hugo@ee.technion.ac.il
Subject: Key derivation changes in IKEv2

Hi,

I just checked the key derivation changes in IKEv2 -13,
and noticed that one place still used the SK_ar/SK_ai
keys for PRF.

I believe that in Section 2.15, "prf(SK_ar,IDr')" should be now
"prf(SK_pr,IDr')" and "prf(SK_ai,IDi')" should be "prf(SK_pi,IDi')".

Hugo, could you check that this was what you intended?

Best regards,
Pasi



-----Original Message-----
From: Hugo Krawczyk [mailto:hugo@ee.technion.ac.il] 
Sent: Tuesday, March 30, 2004 10:30 PM
To: Pasi.Eronen@nokia.com
Cc: Charlie Kaufman
Subject: Re: Key derivation changes in IKEv2

you are right.
unfortunately i did not have time to take a look at the new draft;
it's good that someone is paying attention.
Thanks!

Hugo

On Wed, 31 Mar 2004 Pasi.Eronen@nokia.com wrote:

> Hi,
>
> I just checked the key derivation changes in IKEv2 -13,
> and noticed that one place still used the SK_ar/SK_ai
> keys for PRF.
>
> I believe that in Section 2.15, "prf(SK_ar,IDr')" should be now
> "prf(SK_pr,IDr')" and "prf(SK_ai,IDi')" should be "prf(SK_pi,IDi')".
>
> Hugo, could you check that this was what you intended?
>
> Best regards,
> Pasi
>
>

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
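
The change discussed in this thread, as an added example that is not part of the original messages or of any IKEv2 implementation: it derives the seven SK_* keys and builds the octets the initiator's AUTH covers, once with prf(SK_ai,IDi') and once with prf(SK_pi,IDi'), showing that the two sides must agree on the key or AUTH verification fails. Assumptions: HMAC-SHA1 as the prf, the key order and prf+ construction of the published IKEv2 specification, hypothetical function names, and constructed sample inputs.

```python
import hashlib
import hmac

PRF_LEN = 20  # output/key size of HMAC-SHA1, the prf assumed for this example
KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ expansion: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def derive_keys(ni, nr, dh_secret, spi_i, spi_r, enc_len=16):
    """Split prf+(SKEYSEED, Ni | Nr | SPIi | SPIr) into the seven SK_* keys."""
    skeyseed = prf(ni + nr, dh_secret)
    sizes = [enc_len if n in ("SK_ei", "SK_er") else PRF_LEN for n in KEY_NAMES]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(sizes))
    keys, offset = {}, 0
    for name, size in zip(KEY_NAMES, sizes):
        keys[name] = stream[offset:offset + size]
        offset += size
    return keys

def initiator_signed_octets(msg1, nr, id_body, keys, id_key="SK_pi"):
    """Octets covered by the initiator's AUTH: message 1 | Nr | prf(key, IDi')."""
    return msg1 + nr + prf(keys[id_key], id_body)

# Constructed sample values, not taken from any real exchange.
NI, NR = bytes(range(16)), bytes(range(16, 32))
SPI_I, SPI_R = b"\x01" * 8, b"\x02" * 8
DH_SECRET = b"\xaa" * 32
MSG1 = b"constructed IKE_SA_INIT request"
ID_I = b"\x02\x00\x00\x00initiator.example"  # IDi': ID payload minus generic header

if __name__ == "__main__":
    keys = derive_keys(NI, NR, DH_SECRET, SPI_I, SPI_R)
    old = initiator_signed_octets(MSG1, NR, ID_I, keys, id_key="SK_ai")
    new = initiator_signed_octets(MSG1, NR, ID_I, keys)
    print("AUTH input changes with the key:", old != new)
```

With SK_pi and SK_pr, the integrity keys SK_ai and SK_ar are used only to protect messages, and the identity MAC inside AUTH gets its own key from the same prf+ stream.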