Hi Group,
Here is a new draft for an IKEv2 hybrid authentication scheme that contains
both PQC and traditional algorithms, using certificates without or with
composite keys; following is the summary, comments are welcome!
https://datatracker.ietf.org/doc/draft-hu-ipsecme-pqt-hybrid-auth/
Abst
Hi Shuzhou,
Thanks for your interest in the draft, following are my comments regarding your
questions:
After reading your draft, I liked the idea behind this draft but at the same
time have some questions.
1. Does Figure 2 define a new Auth Method in the "IKEv2 Authentication
Method"?
Hi,
We'd like to request a 10min slot for draft-hu-ipsecme-pqt-hybrid-auth, will
post an update before the meeting
-Original Message-
From: Tero Kivinen
Sent: Saturday, October 26, 2024 6:07 PM
To: ipsec@ietf.org
Subject: [IPsec] IPsecME agenda items for IETF #121
CAUTION: This is a
Thanks all for your comments. Let me try to address your comments in one reply
1. Do we need to address both type-1 and type-2? I do
think we need to address both because it is not entirely up to the IPsec system to
decide which type to use, it also depends on the CA, and I
Hi,
It seems that draft submission is closed till Nov. 2, so here is a link to v01
version of draft-hu-ipsecme-pqt-hybrid-auth before that:
https://hujun-open.github.io/ikev2-pqt-hybrid-auth/draft-hu-ipsecme-pqt-hybrid-auth-01/draft-hu-ipsecme-pqt-hybrid-auth.html
--
Hu Jun
RFC4739 was used in the original version, but is no longer needed in the current
version, just forgot to remove the reference.
Will explain the reason in my presentation.
-Original Message-
From: Daniel Van Geest
Sent: Thursday, October 31, 2024 8:53 AM
To: Jun Hu (Nokia) ; Tero Kivinen
thanks, this makes sense. It would be nice to document the clarification
somewhere, maybe either go into 9370bis (if there is going to be one) or
draft-kampanakis-ml-kem-ikev2 (if it gets adopted)?
From: Valery Smyslov
Sent: Thursday, September 19, 2024 1:01 AM
To: Jun Hu (Nokia)
Cc: ipsec@ietf.org
Hi,
I don't know if this has been discussed before, but what would be the
interaction between 9370 and 8784 if they are both used? I know it seems
unnecessary to use both of them, but it could happen technically, I see the
following options:
1. Not allowing this: e.g. if a responder receives USE
Hi Valery,
Thank you for the comments, pls see my reply in line below
From: Valery Smyslov
Sent: Wednesday, November 6, 2024 12:31 AM
To: Jun Hu (Nokia) ; 'Wang Guilin' ;
'Daniel Van Geest' ; 'Scott Fluhrer
(sfluhrer)' ; 'tirumal reddy'
Cc: 'ip
I support the adoption
-Original Message-
From: IETF Secretariat
Sent: Tuesday, March 18, 2025 2:08 AM
To: draft-kampanakis-ml-kem-ik...@ietf.org; ipsec@ietf.org;
ipsecme-cha...@ietf.org
Subject: [IPsec] The IPSECME WG has placed draft-kampanakis-ml-kem-ikev2 in
state "Call For Adoptio
...@ietf.org
Sent: Thursday, May 1, 2025 9:00 AM
To: Guilin WANG ; Jun Hu (Nokia) ;
Wang; Guilin ; Yasufumi Morioka
Subject: New Version Notification for draft-hu-ipsecme-pqt-hybrid-auth-02.txt
deployments
From: Daniel Van Geest
Sent: Monday, July 21, 2025 4:05 PM
To: Jun Hu (Nokia) ; Valery Smyslov ;
'Christopher Patton'
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Re: Binding properties of draft-ietf-ipsecme-ikev2-mlkem-00
just got time to read through this thread, this downgrade attack requires both
peers to allow IKEv2 with only weak DH, it won’t work if either peer only
allows strong DH or a hybrid DH that includes strong DH.
Such an attack is valid in theory, but I wonder how likely a real deployment is
vulnerable?
Al
Pls see my comments in line
From: Daniel Van Geest
On 2025-07-21 10:12 a.m., Jun Hu (Nokia) wrote:
just got time to read through this thread, this downgrade attack requires both
peers to allow IKEv2 with only weak DH, it won’t work if either peer only
allows strong DH or a hybrid DH that includes
Clarifying question: How exactly would it work to disable weak KEs for peers
that support strong KE? The peer doesn't identify itself until the IKE_AUTH
exchange, at which point the sequence of KEs has already been negotiated and
executed. Is it possible to abort due to insufficient KE paramete
Thanks for your comment, just to clarify, there is no intention to and people
should not reuse keys between composite key and separate key; and I don’t expect
people will actually do that in typical actual deployments; there is already
some text in the security considerations of the draft regardi
range of to-be-signed
data (tbsCertificate) of a composite cert
From: Scott Fluhrer (sfluhrer)
Sent: Friday, July 25, 2025 11:31 AM
To: Falko Strenzke ; Daniel Van Geest
; Jun Hu (Nokia) ;
ipsec@ietf.org; draft-hu-ipsecme-pqt-hybrid-a...@ietf.org
Subject: Re: [IPsec] Re: comment on signature
you could continue to use the traditional key chain when adding the PQ chain, just
create a new, dedicated key for the ikev2 auth
Sent from mobile
From: Daniel Van Geest
Sent: Friday, July 25, 2025 10:03:08 AM
To: Jun Hu (Nokia) ; Falko Strenzke
; ipsec@ietf.org
aft, there should be text in the draft
mentioning all these mitigations besides protocol changes.
From: Christopher Patton
Sent: Thursday, July 31, 2025 6:08 AM
To: Blumenthal, Uri - 0553 - MITLL
Cc: Jun Hu (Nokia) ; Michael Richardson
; Valery Smyslov ; Scott Fluhrer
; ipsec
Subject: Re: [EX
So if A just passes through Y's certificate payload to X in the IKE_AUTH response
A sent to X, how could A sign the AUTH payload without having Y's private key
that corresponds to Y's certificate?
From: Valery Smyslov
Sent: Wednesday, July 30, 2025 12:28 AM
To: Jun Hu (Nokia)
tbound messages, so
even though X and Y have a split view of the handshake transcript, they never
actually confirm this. Y would have sent the same IKE_AUTH in its conversation
with A as it would have in its conversation with X.
Chris P.
On Wed, Jul 30, 2025 at 2:09 PM Jun Hu (Nokia)
From: Christopher Patton
Sent: Tuesday, July 29, 2025 2:22 PM
To: Scott Fluhrer (sfluhrer)
Cc: ipsec
Subject: [IPsec] Re: draft-smyslov-ipsecme-ikev2-downgrade-prevention
First, there is a stronger variant not described in -00 that doesn't require
compromising either of the victim peers. Thi
Sorry, I need to rephrase that, the attack doesn't rely on a CRQC that could break a
digital signature in live communication
-Original Message-
From: Jun Hu (Nokia)
Sent: Wednesday, July 30, 2025 11:08 AM
To: Michael Richardson
Cc: Valery Smyslov ; 'Christopher Patton'
;
[HJ] sure, but my understanding is the attack we are discussing here doesn't
rely on a CRQC
Jun Hu (Nokia) wrote:
> So if A just passes through Y's certificate payload to X in the IKE_AUTH
> response A sent to X, how could A sign the AUTH payload without having