[Cryptography] IPsec DH parameters, other flaws

William Allen Simpson william.allen.simpson at gmail.com
Thu Jul 2 13:27:20 EDT 2020


[reading some older list items, branching off]

On 6/3/20 2:29 AM, Peter Gutmann wrote:
> [1] I've never understood why IPsec and the cargo-cult protocols that reused
>      the parameters from it fixed on a single set of DH parameters.  IPsec is
>      possibly one of the most unnecessarily flexible protocols in the world
>      where absolutely everything is up for negotiation, but there's one single
>      set of parameters that every single user has to share to create a single
>      point of failure for attackers to exploit.

The original IPsec (Karn, Metzger, and Simpson) did not!

Photuris was designed around negotiating variable DH parameters
and avoiding easy denial of service attacks.  From the beginning!

Karn also insisted the option field be limited to 8 bits, so there
would never be many options.  We'd only assign a few combinations
that were well vetted together.

All of that went by the wayside after NSA (and BBN) got involved.

Also, among other things, requiring the IV sent in the clear was
another Steve Kent innovation.  Even though he'd been on a paper
years earlier that the IV should be secret.

And there was the Null encryption option.  And the ability to
negotiate a downgrade.  And the serious problems we published via
Usenix, because IETF wouldn't....

We knew so many things to be wrong.  The best explanation is that
flaws in the resulting IPsec were deliberate.

Thankfully, after a quarter century, TLS 1.3 has almost all the
features we originally presented in 1995.
