[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Position statement on IKE development



In message <>, Alex Alten writes:


>>
>>Agreed.  And large parts of the Schneier/Ferguson analysis of the 
>>packet-level parts are just plain wrong.
>>
>
>
>Steve, with all due respect, you, Jeff and Marcus stated the following.
>
>"In the several years since the standardization of the IPSEC protocols
>(ESP, AH, and ISAKMP/IKE), there have come to light several security
>problems with the protocols, most notably the key-agreement protocol,
>IKE.  Formal and semi-formal analyses by Meadows, Schneier et al, and
>Simpson, have shown that the security problems in IKE stem directly
>from its complexity."
>
>If IKE is no longer considered viable because of it's complexity, then
>I am concerned that the other protocols of IPsec are also at risk. This
>is not my concern alone, others have expressed it to me as well.
>
>At this point, to restore confidence in the security of the design I 
>would hope that the IETF will retain the services of a quality 
>cryptanalysis consulting firm and publish the results.  To do otherwise
>will be to risk the discrediting of the entire IPsec standard.

Frankly, a lot of very competent folks did look at the cryptography.  
WIth all due modesty, I published two papers on the subject myself, and 
I wasn't the only one.  In fact, that's one of the reasons why IPsec 
took so long -- the result of those analyses is why RFCs 1825-29 were 
replaced by 2401 et al. -- because we found and fixed a fair number of 
problems.  The flaws in the Schneier/Ferguson analysis are 
because they don't understand the networking context.  I sent Bruce a 
long, detailed note about that before he ever published the analysis.

You say "retain the services of a quality cryptanalysis consulting firm".
Apart from the point that there aren't that many -- and I and others 
know most of the likely players in the field -- the question is whether 
or not they understand the networking context.  I have no particular 
reason to think that the results would be any better than what we have 
now.

Is IPsec perfect?  No, of course not.  I'd like to get rid of AH, for 
example, not because it doesn't work -- it does -- but because it adds 
complexity to implementations without (to me) doing anything useful.  
There are a few other minor things I'd have done differently.  But I 
have a great deal of confidence in the correctness of the packet-level 
transforms.

		--Steve Bellovin, http://www.research.att.com/~smb