Postquantum Preshared Keys: Difference between revisions
No edit summary |
Paul Wouters (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
== Introduction == | == Introduction == | ||
Postquantum Preshared Keys ('''PPK''') are | Postquantum Preshared Keys ('''PPK''') are an addition to the IKEv2 protocol to ensure that currently encrypted traffic which is stored is safe against against future quantum computer decryption. | ||
A PPK is shared securely out-of-band and is used as an imput into the SKEYSEED generation. This means that even if the IKEv2 DiffieHellman is compromised, an attacker cannot obtain the key material (KEYMAT). The PPK method is currently specified in [https://tools.ietf.org/html/draft-fluhrer-qr-ikev2 draft-fluhrer-qr-ikev2] | |||
== Implementation == | == Implementation == | ||
To allow the use of PPK's in libreswan, the following options were added: | |||
* The values 40960 and 40961 were picked as private use numbers for PPK_SUPPORT and PPK_IDENTITY Notify messages, respectively. | * The values 40960 and 40961 were picked as private use numbers for PPK_SUPPORT and PPK_IDENTITY Notify messages, respectively. This will be updated once IANA assigns the actual numbers. | ||
* Changes were made in source files (programs/pluto/''ikev2_*.c'') where IKEv2 is implemented. | * Changes were made in source files (programs/pluto/''ikev2_*.c'') where IKEv2 is implemented. | ||
* New test cases were added. | * The secret reading/handling code in lib/libswan was updated to support PPKs | ||
* New test cases were added. These can be found as ''ikev2-ppk-*'' folders in the testing/pluto/ directory | |||
== Configuring a PPK and connection in libreswan == | == Configuring a PPK and connection in libreswan == | ||
Each PPK has its own PPK_ID - a unique string that | Each PPK has its own PPK_ID - a unique string that identifies which PPK to use. | ||
which PPK to use | |||
In libreswan PPK are stored in secrets file | In libreswan PPK are stored in the ''secrets file'' (eg /etc/ipsec.secrets) | ||
Two types of PPK are supported: ''static'' and ''dynamic''. | Two types of PPK are supported: ''static'' and ''dynamic''. | ||
| Line 39: | Line 36: | ||
a different PPK for it. '' '''note:''' '' Dynamic PPK feature is not finished. | a different PPK for it. '' '''note:''' '' Dynamic PPK feature is not finished. | ||
The | The ''ppk'' option is specified in the connection configuration. Accepted values are ''never/no'', ''propose/yes'' and ''insist''. | ||
The PPK option is only valid when using IKEv2. | |||
== Source code == | == Source code == | ||
The experimental git branch on which this feature is implemented and tested can be found [https://github.com/vukasink/libreswan/tree/ikev2 here]. | The experimental git branch on which this feature is implemented and tested can be found [https://github.com/vukasink/libreswan/tree/ikev2 here]. | ||
The main developer of this feature is Vukasin Karadzic, and this has been done as a summer project under the mentorship of Paul Wouters and Tuomo Soini. | The main developer of this feature is Vukasin Karadzic, and this has been done as a summer project under the mentorship of Paul Wouters and Tuomo Soini. | ||
For any questions, found bugs or suggestions feel free to contact him on vukasin.karadzic@gmail.com | For any questions, found bugs or suggestions feel free to contact him on vukasin.karadzic@gmail.com | ||
Revision as of 18:08, 29 August 2017
Introduction
Postquantum Preshared Keys (PPK) are an addition to the IKEv2 protocol to ensure that currently encrypted traffic which is stored is safe against against future quantum computer decryption. A PPK is shared securely out-of-band and is used as an imput into the SKEYSEED generation. This means that even if the IKEv2 DiffieHellman is compromised, an attacker cannot obtain the key material (KEYMAT). The PPK method is currently specified in draft-fluhrer-qr-ikev2
Implementation
To allow the use of PPK's in libreswan, the following options were added:
- The values 40960 and 40961 were picked as private use numbers for PPK_SUPPORT and PPK_IDENTITY Notify messages, respectively. This will be updated once IANA assigns the actual numbers.
- Changes were made in source files (programs/pluto/ikev2_*.c) where IKEv2 is implemented.
- The secret reading/handling code in lib/libswan was updated to support PPKs
- New test cases were added. These can be found as ikev2-ppk-* folders in the testing/pluto/ directory
Configuring a PPK and connection in libreswan
Each PPK has its own PPK_ID - a unique string that identifies which PPK to use.
In libreswan PPK are stored in the secrets file (eg /etc/ipsec.secrets)
Two types of PPK are supported: static and dynamic.
1. Static PPK is represented with two strings separated by spaces. The first string is PPK_ID and the second one PPK. The keyword for .secrets file in libreswan in PPKS.
e.g. 10.1.0.1 10.2.0.1 : PPKS "lsw1" "very_long_string_that_is_a_postquantum_preshared_key"
2. Dynamic PPK (work in progress) is represented with two strings separated by spaces. The first string is PPK_ID and the second one is a path to another file which the PPKs will be taken from. This file should also have only two strings in it. The first one would be offset and the second one a long string that will be used as a one-time pad. Each time when a PPK should be loaded into the libreswan, the string of fixed length will be taken from a second string with an offset from first string. After this PPK has been used, libreswan overrides that part of a string with zeros (0x30) and updates the offset to offset+PPK size. This way each time two peers establishing an IPSEC tunnel will use a different PPK for it. note: Dynamic PPK feature is not finished.
The ppk option is specified in the connection configuration. Accepted values are never/no, propose/yes and insist.
The PPK option is only valid when using IKEv2.
Source code
The experimental git branch on which this feature is implemented and tested can be found here. The main developer of this feature is Vukasin Karadzic, and this has been done as a summer project under the mentorship of Paul Wouters and Tuomo Soini.
For any questions, found bugs or suggestions feel free to contact him on vukasin.karadzic@gmail.com