Internet-Draft IKEv2 PQTH Auth November 2024
Jun & Morioka Expires 7 May 2025 [Page]
Workgroup:
ipsecme
Internet-Draft:
draft-hu-ipsecme-pqt-hybrid-auth-01
Published:
Intended Status:
Standards Track
Expires:
Authors:
H. Jun
Nokia
Y. Morioka
NTT DOCOMO, INC.

Post-Quantum Traditional (PQ/T) Hybrid PKI Authentication in the Internet Key Exchange Version 2 (IKEv2)

Abstract

One IPsec area that would be impacted by Cryptographically Relevant Quantum Computer (CRQC) is IKEv2 authentication based on traditional asymmetric cryptograph algorithms: e.g RSA, ECDSA; which are widely deployed authentication options of IKEv2. There are new Post-Quantum Cryptograph (PQC) algorithms for digital signature like NIST [ML-DSA], however it takes time for new cryptograph algorithms to mature, so there is security risk to use only the new algorithm before it is field proven. This document describes a IKEv2 hybrid authentication scheme that could contain both traditional and PQC algorithms, so that authentication is secure as long as one algorithm in the hybrid scheme is secure.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://example.com/LATEST. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-hu-ipsecme-pqt-hybrid-auth/.

Discussion of this document takes place on the WG Working Group mailing list (mailto:[email protected]), which is archived at https://mailarchive.ietf.org/arch/browse/ipsec/. Subscribe at https://www.ietf.org/mailman/listinfo/ipsec/.

Source for this draft and an issue tracker can be found at https://github.com/USER/REPO.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 May 2025.

Table of Contents

1. Changes in -01

2. Introduction

A Cryptographically Relevant Quantum Computer (CRQC) could break traditional asymmetric cryptograph algorithms: e.g RSA, ECDSA; which are widely deployed authentication options of IKEv2. New Post-Quantum Cryptograph (PQC) algorithms for digital signature were recently published like NIST [ML-DSA], however consider potential flaws in the new algorithm's specifications and implementations, it will take time for these new PQC algorithms to be field proven. So it is risky to only use PQC algorithms before they are mature. There is more detailed discussion on motivation of a hybrid approach for authentication in Section 1.3 of [I-D.ietf-pquip-hybrid-signature-spectrums].

This document describes an IKEv2 hybrid authentication scheme that contains both traditional and PQC algorithms, so that authentication is secure as long as one algorithm in the hybrid scheme is secure.

Each IPsec peer announce the support of hybrid authentication via SUPPORTED_AUTH_METHODS notification as defined in [RFC9593], generates and verifies AUTH payload using composite signature like the procedures defined in [I-D.ietf-lamps-pq-composite-sigs].

Following two types of setup are covered:

  1. Type-1: A single certificate that has composite key as defined in [I-D.ietf-lamps-pq-composite-sigs]

  2. Type-2: Two certificates, one with traditional algorithm key and one with PQC algorithm key

3. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Cryptographically Relevant Quantum Computer (CRQC): A quantum computer that is capable of breaking real world cryptographic systems.

Post-Quantum Cryptograph (PQC) algorithms: Asymmetric cryptograph algorithms are thought to be secure against CRQC.

Traditional Cryptograph algorithms: Existing asymmetric cryptograph algorithms could be broken by CRQC, like RSA, ECDSA ..etc.

4. IKEv2 Key Exchange

There is no changes introduced in this document to the IKEv2 key exchange process, although it MUST be also resilient to CRQC when using along with the PQ/T hybrid authentication, for example key exchange using the PPK as defined in [RFC8784], or hybrid key exchanges that include PQC algorithm via multiple key exchange process as defined in [RFC9370].

5. Exchanges

The hybrid authentication exchanges is illustrated in an example depicted in Figure 1, the key exchange uses PPK, however it could be other key exchanges that involves PQC algorithm since how key exchange is done is transparent to authentication.

Initiator                         Responder
-------------------------------------------------------------------
HDR, SAi1, KEi, Ni,
          N(USE_PPK) -->
                  <--  HDR, SAr1, KEr, Nr, [CERTREQ,] N(USE_PPK),
                                      N(SUPPORTED_AUTH_METHODS)

HDR, SK {IDi, CERT+, [CERTREQ,]
        [IDr,] AUTH, SAi2,
        TSi, TSr, N(PPK_IDENTITY, PPK_ID),
        N(SUPPORTED_AUTH_METHODS)} -->
                            <--  HDR, SK {IDr, CERT+, [CERTREQ,]
                                      AUTH, [N(PPK_IDENTITY)]}
Figure 1: Hybrid Authentication Exchanges with RFC8784 Key Exchange

5.1. Announcement

Announcement of support hybrid authentication is through SUPPORTED_AUTH_METHODS notification as defined in [RFC9593], which includes a list of acceptable authentication methods announcements, this document defines a hybrid authentication announcements with following format:

                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Length (>=2) |  Auth Method  |   Cert Link 1 | Alg 1 flag    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Alg 1 Len     |                                               |
+-+-+-+-+-+-+-+-+                                               |
~                      AlgorithmIdentifier 1                    ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cert Link 2   | Alg 2 flag    |  Alg 2 Len    |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +
|                                                               |
~                      AlgorithmIdentifier 2                    ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
~                      ...                                      ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cert Link 3   | Alg 3 flag    |  Alg 3 Len    |               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +
|                                                               |
~                      AlgorithmIdentifier N                    ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Hybrid Authentication Announcement

The announcement include a list of N algorithms could be used for hybrid signature

  • Auth Method: A new value to be allocated by IANA

  • Cert Link N: Links corresponding signature algorithm N with a particular CA. as defined in Section 3.2.2 of [RFC9593]

  • Alg N Flag:

    • C: set to 1 if the algorithm could be used in type-1 setup

    • S: set to 1 if the algorithm could be used in type-2 setup

    • C and S MUST NOT be zero at the same time

    • RESERVED: set to 0

     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |C|S| RESERVED  |
    +-+-+-+-+-+-+-+-+
Figure 3: Algorithm Flag
  • AlgorithmIdentifier N: The variable-length ASN.1 object that is encoded using Distinguished Encoding Rules (DER) [X.690] and identifies the algorithm of a composite signature as defined in Section 7 of [I-D.ietf-lamps-pq-composite-sigs].

5.1.1. Sending Announcement

As defined in [RFC9593], responder include SUPPORTED_AUTH_METHODS in IKE_SA_INIT response (and potentially also in IKE_INTERMEDIATE response), while initiator include the notification in IKE_AUTH request.

Sender include a hybrid authentication announcement in SUPPORTED_AUTH_METHODS, which contains 0 or N composite signature AlgorithmIdentifiers sender accepts, each AlgorithmIdentifier identifies a combination of algorithms:

  • a traditional PKI algorithm with corresponding hash algorithm (e.g. id-RSASA-PSS with id-sha256)

  • a PQC algorithm (e.g. id-ML-DSA-44)

    • in case of Hash ML-DSA, there is also a pre-hash algorithm (e.g. id-sha256)

In case of type-2 setup, even though the certificate is not composite key certificate, system still uses a composite signature algorithm that corresponds to the combination of two certificates PKI algorithms and hash algorithm(s).

C and S bits in flag field are set according to whether sender accept the algorithm combination in type-1/type-2 setup.

Announcement without any AlgorithmIdentifiers signals that there is no particular restrictions on algorithm.

5.1.2. Receiving Announcement

If hybrid authentication announcement is received, and receiver choose to authenticate itself using hybrid authentication, then based on its local policy and certificates, one AlgorithmIdentifier (which identify a combination of algorithms) in the hybrid authentication announcement and a PKI setup (type-1 or type-2) are chosen to create its AUTH and CERT payload(s).

5.2. AUTH & CERT payload

The IKEv2 AUTH payload has following format as defined in Section 3.8 of [RFC7296]:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Next Payload  |C|  RESERVED   |         Payload Length        |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Auth Method   |                RESERVED                       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  ~                      Authentication Data                      ~
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: AUTH payload

For hybrid authentication, the AUTH Method has value defined in Section 5.1

The Authentication Data field follows format defined in Section 3 of [RFC7427]:

                       1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | ASN.1 Length  | AlgorithmIdentifier ASN.1 object              |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  ~        AlgorithmIdentifier ASN.1 object continuing            ~
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  ~                         Signature Value                       ~
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Authentication Data in hybrid AUTH payload

Based on selected AlgorithmIdentifier and setup type, the Signature Value is created via procedure defined in Section 5.2.1, Section 5.2.2.

5.2.1. Type-1

Assume selected AlgorithmIdentifier is A.

  1. There is no change on data to be signed, e.g. InitiatorSignedOctets/ResponderSignedOctets as defined in Section 2.15 of [RFC7296]

  2. Follow Sign operation identified by A, e.g. Section 4.2.1 of [I-D.ietf-lamps-pq-composite-sigs] or Section 4.3.1 of [I-D.ietf-lamps-pq-composite-sigs]; the ctx input is the string of "IKEv2-PQT-Hybrid-Auth".

Following is an initiator example:

  1. A is id-HashMLDSA44-RSA2048-PSS-SHA256, which uses Hash ML-DSA-44

  2. Follow Section 4.3.1 of [I-D.ietf-lamps-pq-composite-sigs] with following input:

    • sk is the private key of the signing composite key certificate

    • M is InitiatorSignedOctets

    • ctx is "IKEv2-PQT-Hybrid-Auth"

    • PH is SHA256

The signing composite certificate MUST be the first CERT payload.

5.2.2. Type-2

The procedure is same as Type-1, use private key of traditional and PQC certificate accordingly; e.g. in Sign procedure define in Section 4.2.1 of [I-D.ietf-lamps-pq-composite-sigs], the mldsaSK is the private key of ML-DSA certificate, while tradSK is the private key of traditional certificate.

With the example in Section 5.2.1:

  • mldsaSK is the private key of ML-DSA certificate, tradSK is the private key of the RSA certificate

  • M is InitiatorSignedOctets

  • ctx is "IKEv2-PQT-Hybrid-Auth"

  • PH is SHA256

The signing PQC certificate MUST be the first CERT payload in the IKEv2 message, while traditional certificate MUST be the second CERT payload.

5.2.2.1. RelatedCertificate

In type-2 setup, the signing certificate MAY contain RelatedCertificate extension, then the receiver SHOULD verify the extension according to Section 4.2 of [I-D.ietf-lamps-cert-binding-for-multi-auth], failed verification SHOULD fail authentication.

6. Security Considerations

The security of general PQ/T hybrid authentication is discussed in [I-D.ietf-pquip-hybrid-signature-spectrums].

This document uses mechanisms defined in [I-D.ietf-lamps-pq-composite-sigs], [RFC7427] and [RFC9593], the security discussion in the corresponding RFCs also apply.

7. IANA Considerations

This document requests a value in "IKEv2 Authentication Method" subregistry under IANA "Internet Key Exchange Version 2 (IKEv2) Parameters" registry

8. References

8.1. Normative References

[I-D.ietf-lamps-cert-binding-for-multi-auth]
Becker, A., Guthrie, R., and M. J. Jenkins, "Related Certificates for Use in Multiple Authentications within a Protocol", Work in Progress, Internet-Draft, draft-ietf-lamps-cert-binding-for-multi-auth-05, , <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cert-binding-for-multi-auth-05>.
[I-D.ietf-lamps-pq-composite-sigs]
Ounsworth, M., Gray, J., Pala, M., Klaußner, J., and S. Fluhrer, "Composite ML-DSA For use in X.509 Public Key Infrastructure and CMS", Work in Progress, Internet-Draft, draft-ietf-lamps-pq-composite-sigs-03, , <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-pq-composite-sigs-03>.
[I-D.ietf-pquip-hybrid-signature-spectrums]
Bindel, N., Hale, B., Connolly, D., and F. D, "Hybrid signature spectrums", Work in Progress, Internet-Draft, draft-ietf-pquip-hybrid-signature-spectrums-00, , <https://datatracker.ietf.org/doc/html/draft-ietf-pquip-hybrid-signature-spectrums-00>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC7296]
Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, , <https://www.rfc-editor.org/rfc/rfc7296>.
[RFC7427]
Kivinen, T. and J. Snyder, "Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)", RFC 7427, DOI 10.17487/RFC7427, , <https://www.rfc-editor.org/rfc/rfc7427>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC9593]
Smyslov, V., "Announcing Supported Authentication Methods in the Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 9593, DOI 10.17487/RFC9593, , <https://www.rfc-editor.org/rfc/rfc9593>.
[X.690]
"Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ISO/IEC 8825-1:2021 (E), ITU-T Recommendation X.690, .

8.2. Informative References

[ML-DSA]
"Module-Lattice-Based Digital Signature Standard", NIST FIPS-204, State Initial Public Draft, , <https://csrc.nist.gov/pubs/fips/204/ipd>.
[RFC8784]
Fluhrer, S., Kampanakis, P., McGrew, D., and V. Smyslov, "Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security", RFC 8784, DOI 10.17487/RFC8784, , <https://www.rfc-editor.org/rfc/rfc8784>.
[RFC9370]
Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, , <https://www.rfc-editor.org/rfc/rfc9370>.

Acknowledgments

TODO acknowledge.

Authors' Addresses

Hu, Jun
Nokia
United States of America
Yasufumi Morioka
NTT DOCOMO, INC.
Japan