Skip to main content

Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) using PQC
draft-reddy-ipsecme-ikev2-pqc-auth-00

Document Type Active Internet-Draft (individual)
Authors Tirumaleswar Reddy.K , Valery Smyslov , Scott Fluhrer
Last updated 2024-05-15
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-reddy-ipsecme-ikev2-pqc-auth-00
ipsecme                                                         T. Reddy
Internet-Draft                                                     Nokia
Intended status: Standards Track                              V. Smyslov
Expires: 17 November 2024                                     ELVIS-PLUS
                                                              S. Fluhrer
                                                           Cisco Systems
                                                             16 May 2024

Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)
                               using PQC
                 draft-reddy-ipsecme-ikev2-pqc-auth-00

Abstract

   Signature-based authentication methods are utilized in IKEv2
   [RFC7296].  The current version of the Internet Key Exchange Version
   2 (IKEv2) protocol supports traditional digital signatures.

   This document outlines how post-quantum digital signatures,
   specifically Module-Lattice-Based Digital Signatures (ML-DSA) and
   Stateless Hash-Based Digital Signatures (SLH-DSA), can be employed as
   authentication methods within the IKEv2 protocol.  It introduces ML-
   DSA and SLH-DSA capability to IKEv2 without necessitating any
   alterations to existing IKE operations.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-reddy-ipsecme-ikev2-pqc/.

   Discussion of this document takes place on the ipsecme Working Group
   mailing list (mailto:ipsecme@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/ipsec/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/ipsecme/.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

Reddy, et al.           Expires 17 November 2024                [Page 1]
Internet-Draft   Signature Authentication in IKEv2 using        May 2024

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 17 November 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  Specifying ML-DSA within IKEv2  . . . . . . . . . . . . . . .   4
   4.  Specifying SLH-DSA within IKEv2 . . . . . . . . . . . . . . .   5
   5.  Mechanisms for Signaling Supported Key Pair Types . . . . . .   6
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   7
   References  . . . . . . . . . . . . . . . . . . . . . . . . . . .   7
     Normative References  . . . . . . . . . . . . . . . . . . . . .   7
     Informative References  . . . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   The Internet Key Exchange, or IKEv2 [RFC7296], is a key agreement and
   security negotiation protocol; it is used for key establishment in
   IPsec.  In the initial set of exchanges, both parties independently
   select and use their preferred authentication method, which may even
   differ between the initiator and the responder.  In IKEv2, it occurs
   in the exchange called IKE_AUTH.  One option for the authentication
   method is digital signatures using public key cryptography.
   Currently, traditional digital signatures are defined for use within
   IKE_AUTH: RSA signatures, Digital Signature Algorithm (DSA) Digital
   Signature Standard (DSS) and ECDSA.

Reddy, et al.           Expires 17 November 2024                [Page 2]
Internet-Draft   Signature Authentication in IKEv2 using        May 2024

   The presence of a Cryptographically Relevant Quantum Computer (CRQC)
   would render state-of-the-art traditional public-key algorithms
   obsolete and insecure.  This is because the assumptions about the
   intractability of the mathematical problems these algorithms rely on,
   which offer confident levels of security today, no longer apply in
   the presence of a CRQC.  Consequently, there is a requirement to
   update protocols and infrastructure to use post-quantum algorithms.
   Post-quantum algorithms are public-key algorithms designed to be
   secure against CRQCs as well as classical computers.  The traditional
   cryptographic primitives that need to be replaced by PQC algorithms
   are discussed in [I-D.ietf-pquip-pqc-engineers].

   Module-Lattice-Based Digital Signatures (ML-DSA) [FIPS204] and
   Stateless Hash-Based Digital Signatures (SLH-DSA) [FIPS205] are
   quantum-resistant digital signature schemes standardized by the US
   National Institute of Standards and Technology (NIST) PQC project.
   This document specifies the use of the ML-DSA and SLH-DSA algorithms
   in IKEv2.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document uses terms defined in
   [I-D.ietf-pquip-pqt-hybrid-terminology].  For the purposes of this
   document, it is helpful to be able to divide cryptographic algorithms
   into two classes:

   "Asymmetric Traditional Cryptographic Algorithm": An asymmetric
   cryptographic algorithm based on integer factorisation, finite field
   discrete logarithms or elliptic curve discrete logarithms, elliptic
   curve discrete logarithms, or related mathematical problems.

   "Post-Quantum Algorithm": An asymmetric cryptographic algorithm that
   is believed to be secure against attacks using quantum computers as
   well as classical computers.  Post-quantum algorithms can also be
   called quantum-resistant or quantum-safe algorithms.  Examples of
   quantum-resistant digital signature schemes include ML-DSA and SLH-
   DSA.

Reddy, et al.           Expires 17 November 2024                [Page 3]
Internet-Draft   Signature Authentication in IKEv2 using        May 2024

3.  Specifying ML-DSA within IKEv2

   ML-DSA [FIPS204] is a digital signature algorithm (part of the
   CRYSTALS suite) based on the hardness lattice problems over module
   lattices (i.e., the Module Learning with Errors problem (MLWE)).  The
   design of the algorithm is based on the "Fiat-Shamir with Aborts"
   [Lyu09] framework introduced by Lyubashevsky, that leverages
   rejection sampling to render lattice based FS schemes compact and
   secure.  ML-DSA uses uniform distribution over small integers for
   computing coefficients in error vectors, which makes the scheme
   easier to implement.

   ML-DSA is instantiated with 3 parameter sets for the security
   categories 2, 3 and 5.  Security properties of ML-DSA are discussed
   in Section 9 of [I-D.ietf-lamps-dilithium-certificates].  This
   document specifies the use of the ML-DSA algorithm in IKEv2 at three
   security levels: ML-DSA-44, ML-DSA-65, and ML-DSA-87.

   ML-DSA offers both deterministic and randomized signing.  By default
   ML-DSA signatures are non-deterministic, the private random seed rho'
   is pseudorandomly derived from the signer’s private key, the message,
   and a 256-bit string, rnd - where rnd should be generated by an
   approved Random Bit Generator (RBG).  In the deterministic version,
   rnd is instead a 256-bit constant string.  In the context of
   signature-based authentication in IKEv2, the composition of the data
   used for generating a digital signature is unique for each IKEv2
   session.  This uniqueness arises because the data used for signature
   creation includes session-specific information such as nonces,
   cryptographic parameters, and identifiers.  If ML-DSA is used as an
   authentication method within the IKEv2 protocol, the deterministic
   version of ML-DSA MUST be used.

   IKEv2 can use arbitrary signature algorithms as described in
   [RFC7427].  The "Digital Signature" authentication method, as defined
   in [RFC7427], supersedes previously defined signature authentication
   methods.  In this case, the three security levels of ML-DSA are
   identified via AlgorithmIdentifier ASN.1 objects, as specified in
   [I-D.ietf-lamps-dilithium-certificates].  [RFC7427] defines the
   SIGNATURE_HASH_ALGORITHMS notification where each side of the IKE
   negotiation lists its supported hash algorithms.  However, in the
   case of ML-DSA, it internally incorporates the necessary hash
   operation as part of its signing algorithm.  ML-DSA directly takes
   the original message, applies a hash function to it internally, and
   then uses the resulting hash value for the signature generation
   process.  In order to signal within IKE that no pre-hashing needs to
   be done with ML-DSA, the "Identity" (5) value defined in [RFC8420]
   MUST be set in the SIGNATURE_HASH_ALGORITHMS notification to indicate
   that pre-hashing is not required.

Reddy, et al.           Expires 17 November 2024                [Page 4]
Internet-Draft   Signature Authentication in IKEv2 using        May 2024

4.  Specifying SLH-DSA within IKEv2

   SLH-DSA [FIPS205] utilizes the concept of stateless hash-based
   signatures.  In contrast to stateful signature algorithms, SLH-DSA
   eliminates the need for maintaining state information during the
   signing process.  SLH-DSA is designed to sign up to 2^64 messages and
   it offers three security levels.  The parameters for each of the
   security levels were chosen to provide 128 bits of security, 192 bits
   of security, and 256 bits of security.  This document specifies the
   use of the SLH-DSA algorithm in IKEv2 at three security levels.  It
   includes the small (S) or fast (F) versions of the algorithm and
   allows for the use of either SHA-256 [FIPS180] or SHAKE256 [FIPS202]
   as the hash function.  The small version prioritizes smaller
   signature sizes, making them suitable for resource-constrained
   environments IoT devices.  Conversely, the fast version prioritizes
   speed over signature size, minimizing the time required to generate
   and verify signatures.  On the other hand, ML-DSA outperforms SLH-DSA
   in both signature generation and validation time, as well as
   signature size.  SLH-DSA, in contrast, offers smaller key sizes but
   larger signature sizes.

   The following combinations are defined:

   *  SLH-DSA-128S-SHAKE

   *  SLH-DSA-128F-SHAKE

   *  SLH-DSA-128S-SHA2

   *  SLH-DSA-128F-SHA2

   *  SLH-DSA-192S-SHAKE

   *  SLH-DSA-192F-SHAKE

   *  SLH-DSA-256S-SHAKE

   *  SLH-DSA-256F-SHAKE

   SLH-DSA does not introduce a new hardness assumption beyond those
   inherent to the underlying hash functions.  It builds upon
   established foundations in cryptography, making it a reliable and
   robust digital signature scheme for a post-quantum world.  While
   attacks on lattice-based schemes like ML-DSA can compromise their
   security, SLH-DSA will remain unaffected by these attacks due to its
   distinct mathematical foundations.  This ensures the continued
   security of systems and protocols that utilize SLH-DSA for digital
   signatures.

Reddy, et al.           Expires 17 November 2024                [Page 5]
Internet-Draft   Signature Authentication in IKEv2 using        May 2024

   SLH-DSA offers both deterministic and randomized signing, depending
   on whether opt_rand is set to a fixed value or a random value.  If
   opt_rand is set to a public seed (an element in the public key), then
   signing will be deterministic — signing the same message twice will
   result in the same signature.  If SLH-DSA is used as an
   authentication method within the IKEv2 protocol, the deterministic
   version of SLH-DSA MUST be used.

   IKEv2 can use arbitrary signature algorithms as described in
   [RFC7427].  The "Digital Signature" authentication method, as defined
   in [RFC7427], supersedes previously defined signature authentication
   methods.  In this case, the different combinations of SLH-DSA are
   identified via AlgorithmIdentifier ASN.1 objects, as specified in
   [I-D.ietf-lamps-cms-sphincs-plus].  In case of SLH-DSA, it internally
   performs randomized message compression using a keyed hash function
   that can process arbitrary length messages.  In order to signal
   within IKE that no pre-hashing needs to be done with SLH-DSA, the
   "Identity" (5) value defined in [RFC8420] MUST be set in the
   SIGNATURE_HASH_ALGORITHMS notification to indicate that pre-hashing
   is not required.

5.  Mechanisms for Signaling Supported Key Pair Types

   The following mechanisms can be used by peers to signal the types of
   public/private key pairs they possess:

   *  One method to ascertain that the key pair type the initiator wants
      the responder to use is through a Certificate Request payload sent
      by the initiator.  For example, the initiator could indicate in
      the Certificate Request payload that it trusts a certificate
      authority certificate signed by an ML-DSA or SLH-DSA key.  This
      indication implies that the initiator can process ML-DSA or SLH-
      DSA signatures, which means that the responder can use ML-DSA or
      SLH-DSA keys when authenticating.

   *  Another method is to leverage
      [I-D.draft-ipsecme-ikev2-auth-announce] that allows peers to
      announce their supported authentication methods.  It improves
      interoperability when IKEv2 partners are configured with multiple
      credentials of different type to authenticate each other.  The
      responder includes a SUPPORTED_AUTH_METHODS notification in the
      IKE_SA_INIT response message containing the PQC digital signature
      scheme(s) it supports.  The initiator includes the
      SUPPORTED_AUTH_METHODS notification in either the IKE_AUTH request
      message or in the IKE_INTERMEDIATE request.  This notification
      lists the PQC digital signature scheme(s) supported by the
      initiator, ordered by preference.

Reddy, et al.           Expires 17 November 2024                [Page 6]
Internet-Draft   Signature Authentication in IKEv2 using        May 2024

6.  Security Considerations

   ML-DSA and SLH-DSA are modeled under existentially unforgeable
   digital signatures with respect to an adaptive chosen message attack
   (EUF-CMA).

   ML-DSA-44, ML-DSA-65, and ML-DSA-87 are designed to offer security
   comparable with the SHA-256/SHA3-256, AES-192, and AES-256
   respectively.  Similarly, SLH-DSA-128{S,F}-{SHA2,SHAKE}, SLH-DSA-
   192{S,F}-SHAKE, and SLH-DSA-256{S,F}-SHAKE are designed to offer
   security comparable with the AES-128, AES-192, and AES-256
   respectively.

   The Security Considerations section of
   [I-D.ietf-lamps-dilithium-certificates] and
   [I-D.ietf-lamps-cms-sphincs-plus] applies to this specification as
   well.

Acknowledgements

   TODO

References

Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC7427]  Kivinen, T. and J. Snyder, "Signature Authentication in
              the Internet Key Exchange Version 2 (IKEv2)", RFC 7427,
              DOI 10.17487/RFC7427, January 2015,
              <https://www.rfc-editor.org/rfc/rfc7427>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RFC8420]  Nir, Y., "Using the Edwards-Curve Digital Signature
              Algorithm (EdDSA) in the Internet Key Exchange Protocol
              Version 2 (IKEv2)", RFC 8420, DOI 10.17487/RFC8420, August
              2018, <https://www.rfc-editor.org/rfc/rfc8420>.

Informative References

Reddy, et al.           Expires 17 November 2024                [Page 7]
Internet-Draft   Signature Authentication in IKEv2 using        May 2024

   [FIPS180]  "NIST, Secure Hash Standard (SHS), FIPS PUB 180-4, August
              2015", <https://nvlpubs.nist.gov/nistpubs/FIPS/
              NIST.FIPS.180-4.pdf>.

   [FIPS202]  "NIST, SHA-3 Standard: Permutation-Based Hash and
              Extendable-Output Functions, FIPS PUB 202, August 2015.",
              <https://nvlpubs.nist.gov/nistpubs/fips/
              nist.fips.202.pdf>.

   [FIPS204]  "FIPS 204 (Initial Public Draft): Module-Lattice-Based
              Digital Signature Standard",
              <https://doi.org/10.6028/NIST.FIPS.204.ipd>.

   [FIPS205]  "FIPS 205 (Initial Public Draft): Stateless Hash-Based
              Digital Signature Standard",
              <https://doi.org/10.6028/NIST.FIPS.205.ipd>.

   [I-D.draft-ipsecme-ikev2-auth-announce]
              "*** BROKEN REFERENCE ***".

   [I-D.ietf-lamps-cms-sphincs-plus]
              Housley, R., Fluhrer, S., Kampanakis, P., and B.
              Westerbaan, "Use of the SLH-DSA Signature Algorithm in the
              Cryptographic Message Syntax (CMS)", Work in Progress,
              Internet-Draft, draft-ietf-lamps-cms-sphincs-plus-04, 7
              May 2024, <https://datatracker.ietf.org/doc/html/draft-
              ietf-lamps-cms-sphincs-plus-04>.

   [I-D.ietf-lamps-dilithium-certificates]
              Massimo, J., Kampanakis, P., Turner, S., and B.
              Westerbaan, "Internet X.509 Public Key Infrastructure:
              Algorithm Identifiers for ML-DSA", Work in Progress,
              Internet-Draft, draft-ietf-lamps-dilithium-certificates-
              03, 5 February 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
              dilithium-certificates-03>.

   [I-D.ietf-pquip-pqc-engineers]
              Banerjee, A., Reddy.K, T., Schoinianakis, D., and T.
              Hollebeek, "Post-Quantum Cryptography for Engineers", Work
              in Progress, Internet-Draft, draft-ietf-pquip-pqc-
              engineers-03, 22 February 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-pquip-
              pqc-engineers-03>.

   [I-D.ietf-pquip-pqt-hybrid-terminology]
              D, F. and M. P, "Terminology for Post-Quantum Traditional
              Hybrid Schemes", Work in Progress, Internet-Draft, draft-

Reddy, et al.           Expires 17 November 2024                [Page 8]
Internet-Draft   Signature Authentication in IKEv2 using        May 2024

              ietf-pquip-pqt-hybrid-terminology-03, 9 May 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-pquip-
              pqt-hybrid-terminology-03>.

   [IANA-IKEv2]
              "IKEv2 Parameters",
              <http://www.iana.org/assignments/ikev2-parameters>.

   [Lyu09]    "V. Lyubashevsky, “Fiat-Shamir With Aborts: Applications
              to Lattice and Factoring-Based Signatures“, ASIACRYPT
              2009", <https://www.iacr.org/archive/
              asiacrypt2009/59120596/59120596.pdf>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <https://www.rfc-editor.org/rfc/rfc7296>.

Authors' Addresses

   Tirumaleswar Reddy
   Nokia
   Bangalore
   Karnataka
   India
   Email: kondtir@gmail.com

   Valery Smyslov
   ELVIS-PLUS
   Russian Federation
   Email: svan@elvis.ru

   Scott Fluhrer
   Cisco Systems
   Email: sfluhrer@cisco.com

Reddy, et al.           Expires 17 November 2024                [Page 9]