draft-ietf-ipsecme-qr-ikev2-06.txt   draft-ietf-ipsecme-qr-ikev2-07.txt 
Internet Engineering Task Force S. Fluhrer Internet Engineering Task Force S. Fluhrer
Internet-Draft D. McGrew Internet-Draft D. McGrew
Intended status: Standards Track P. Kampanakis Intended status: Standards Track P. Kampanakis
Expires: July 22, 2019 Cisco Systems Expires: July 26, 2019 Cisco Systems
V. Smyslov V. Smyslov
ELVIS-PLUS ELVIS-PLUS
January 18, 2019 January 22, 2019
Postquantum Preshared Keys for IKEv2 Postquantum Preshared Keys for IKEv2
draft-ietf-ipsecme-qr-ikev2-06 draft-ietf-ipsecme-qr-ikev2-07
Abstract Abstract
The possibility of Quantum Computers pose a serious challenge to The possibility of Quantum Computers pose a serious challenge to
cryptography algorithms deployed widely today. IKEv2 is one example cryptography algorithms deployed widely today. IKEv2 is one example
of a cryptosystem that could be broken; someone storing VPN of a cryptosystem that could be broken; someone storing VPN
communications today could decrypt them at a later time when a communications today could decrypt them at a later time when a
Quantum Computer is available. It is anticipated that IKEv2 will be Quantum Computer is available. It is anticipated that IKEv2 will be
extended to support quantum secure key exchange algorithms; however extended to support quantum secure key exchange algorithms; however
that is not likely to happen in the near term. To address this that is not likely to happen in the near term. To address this
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 22, 2019. This Internet-Draft will expire on July 26, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 14, line 12 skipping to change at page 14, line 12
An attacker with a Quantum Computer that can decrypt the initial IKE An attacker with a Quantum Computer that can decrypt the initial IKE
SA has access to all the information exchanged over it, such as SA has access to all the information exchanged over it, such as
identities of the peers, configuration parameters and all negotiated identities of the peers, configuration parameters and all negotiated
IPsec SAs information (including traffic selectors), with the IPsec SAs information (including traffic selectors), with the
exception of the cryptographic keys used by the IPsec SAs which are exception of the cryptographic keys used by the IPsec SAs which are
protected by the PPK. protected by the PPK.
Deployments that treat this information as sensitive or that send Deployments that treat this information as sensitive or that send
other sensitive data (like cryptographic keys) over IKE SA MUST rekey other sensitive data (like cryptographic keys) over IKE SA MUST rekey
the IKE SA before the sensitive information is sent to ensure this the IKE SA before the sensitive information is sent to ensure this
information is protected by the PPK. Note that [RFC6023] allows to information is protected by the PPK. It is possible to create a
skip creating Child SA in the IKE_AUTH exchange, so that the childless IKE SA as specified in [RFC6023]. This prevents Child SA
supporting peers can rekey the IKE SA before any Child SA is created. configuration information from being transmited in the original IKE
Note also that some information (identities of the peers, feature SA that is not protected by a PPK. Some information related to IKE
negotiation notifications, Vendor IDs etc.) is always exchanged in SA, that is sent in the IKE_AUTH exchange, such as peer identities,
initial exchanges and thus cannot be protected from the attack feature notifications, Vendor ID's etc. cannot be hidden from the
described above by performing an IKE SA rekey. attack described above, even if the additional IKE SA rekey is
performed.
In addition, the policy SHOULD be set to negotiate only quantum- In addition, the policy SHOULD be set to negotiate only quantum-
resistant symmetric algorithms; while this RFC doesn't claim to give resistant symmetric algorithms; while this RFC doesn't claim to give
advice as to what algorithms are secure (as that may change based on advice as to what algorithms are secure (as that may change based on
future cryptographical results), below is a list of defined IKEv2 and future cryptographical results), below is a list of defined IKEv2 and
IPsec algorithms that should NOT be used, as they are known not to be IPsec algorithms that should NOT be used, as they are known not to be
quantum resistant quantum resistant
o Any IKEv2 Encryption algorithm, PRF or Integrity algorithm with o Any IKEv2 Encryption algorithm, PRF or Integrity algorithm with
key size less than 256 bits. key size less than 256 bits.
 End of changes. 5 change blocks. 
11 lines changed or deleted 12 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/