[Swan-dev] Fwd: [Cryptography] on brute forcing 3DES to attack SIMs

Paul Wouters paul at nohats.ca
Fri Jan 9 16:10:44 EET 2015


On Fri, 9 Jan 2015, D. Hugh Redelmeier wrote:

> | > I understand it's not broken yet. But 3DES was basically replaced by
> | > AES_CBC which was replaced by AES_GCM. I'm not saying to remove support,
> | > but I think for IKEv2 (not IKEv1) we should really consider removing
> | > 3des, md5 and sha1 from the default proposal set, and add aes_gcm and
> | > sha2_256/sha2_512.
> |
> | Oh, and probably change DH group 2,5,14 to something newer like at the
> | very least drop DH2 (modp1024) but probably add group 18 (8192 modp)
> | and group 24 (2048-bit MODP Group with 256-bit Prime Order Subgroup)
>
> I'm surprised that you are willing to drop ciphers, which are an
> interop thing, and not drop crap from our config file, which is NOT
> an interop thing.

I meant "drop from our default proposal list", not "remove support".

> If something is interop, all organizations that interop might be
> affected.
>
> If it is a config file change, that can be unilaterally handled.
>
> Clearly changing interop things are a much bigger problem for users.

I think for IKEv1, the case is pretty much lost. It will almost always
be on 3des-md5;modp1024 due to the many, many Cisco admins out there :P

And most proprietary vendors did not touch the IKEv1 stack to add
improved ciphers but instead just added IKEv2 as a whole new
implementation and they have their new ciphers added there. So while
a lot of devices will support AES_GCM in IKEv2, they won't support it
in IKEv1.

For IKEv2, I think everything is new and non-deployed enough that I feel
we can still tweak the default proposal list (and I think we should
because ours is currently based on our ikev1 default proposal list)

Paul
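As an added example (not libreswan code and not part of the thread), a small checker for proposal strings written in the "encr-integ;dh" shape the message uses ("3des-md5;modp1024"), flagging the algorithms the message proposes dropping from the IKEv2 default list: 3des, md5, sha1 and modp1024. The comma-separated multi-proposal syntax, the dhN-to-modp aliases, and the sample strings are assumptions made for the example; libreswan's real proposal parser accepts more forms than this.

```python
"""Audit IKE proposal strings for the algorithms discussed in the thread.

Added example, not libreswan code. Syntax assumed: one proposal is
"encr-integ;dh" (integ may be absent for an AEAD such as aes_gcm), and
several proposals are separated by commas. The dhN aliases below are an
assumption for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

# Algorithms the message proposes dropping from the IKEv2 default list.
WEAK_ENCR = {"3des"}
WEAK_INTEG = {"md5", "sha1"}
WEAK_DH = {"modp1024"}          # DH group 2

# Assumed numeric-group aliases for the groups named in the mail.
DH_ALIASES = {
    "dh2": "modp1024",
    "dh5": "modp1536",
    "dh14": "modp2048",
    "dh18": "modp8192",
}

# Constructed sample proposal strings (not real defaults from any release).
IKEV1_CISCO_STYLE = "3des-md5;modp1024"
MIXED_LEGACY = "aes256-sha2_256;modp2048,aes-sha1;modp1024"
PROPOSED_IKEV2 = "aes_gcm256-sha2_512;dh18,aes256-sha2_256;modp2048"


@dataclass(frozen=True)
class Proposal:
    encr: str
    integ: str | None   # None for an AEAD proposal written without one
    dh: str | None      # normalised to modpNNNN where an alias is known

    def weaknesses(self) -> list[str]:
        """Components of this proposal the thread wants out of the default."""
        found = []
        if self.encr in WEAK_ENCR:
            found.append(f"encryption {self.encr}")
        if self.integ in WEAK_INTEG:
            found.append(f"integrity/prf {self.integ}")
        if self.dh in WEAK_DH:
            found.append(f"dh group {self.dh}")
        return found


def parse_proposal(raw: str) -> Proposal:
    """Parse a single 'encr-integ;dh' proposal (case-insensitive)."""
    raw = raw.strip().lower()
    algs, _, dh = raw.partition(";")
    encr, _, integ = algs.partition("-")
    dh = DH_ALIASES.get(dh, dh)
    return Proposal(encr, integ or None, dh or None)


def audit(ike: str) -> dict[str, list[str]]:
    """Map each proposal (as written) to the weak components it contains."""
    report: dict[str, list[str]] = {}
    for raw in ike.split(","):
        raw = raw.strip()
        if raw:                                  # skip empty entries
            report[raw] = parse_proposal(raw).weaknesses()
    return report


def is_clean(ike: str) -> bool:
    """True when no proposal in the list uses a flagged algorithm."""
    return all(not weak for weak in audit(ike).values())


if __name__ == "__main__":
    for label, ike in (("ikev1 cisco style", IKEV1_CISCO_STYLE),
                       ("mixed legacy", MIXED_LEGACY),
                       ("proposed ikev2", PROPOSED_IKEV2)):
        print(f"{label}: ike={ike}")
        for prop, weak in audit(ike).items():
            print(f"  {prop}: {', '.join(weak) if weak else 'ok'}")
```

Running the script prints the Cisco-style IKEv1 line with all three components flagged, the mixed list with only its second proposal flagged, and the proposed IKEv2 list clean. Note that a clean proposal list is only a default, not a negotiated outcome: a peer can still drive an IKEv1 SA onto 3des-md5 if that remains in the supported (rather than default) set, which is exactly the distinction the message draws.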


My experience with IKEv2 is that most implementations will have

