Quantum Safe Key Exchange » History » Version 1
Andreas Steffen, 04.08.2020 14:22
| 1 | 1 | Andreas Steffen | h1. Quantum Safe Key Exchange |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | |
| 3 | 1 | Andreas Steffen | The IETF IPsec working group (ipsecme) is currently working on two standards that will allow a quantum-safe key exchange: |
| 4 | 1 | Andreas Steffen | |
| 5 | 1 | Andreas Steffen | * "draft-ietf-ipsecme-ikev2-intermediate":https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-intermediate: Intermediate Exchange in the IKEv2 Protocol |
| 6 | 1 | Andreas Steffen | |
| 7 | 1 | Andreas Steffen | * "draft-ietf-ipsecme-ikev2-multiple-ke":https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-multiple-ke: Multiple Key Exchanges in IKEv2 |
| 8 | 1 | Andreas Steffen | |
| 9 | 1 | Andreas Steffen | Start of the strongSwan charon daemon via systemd: |
| 10 | 1 | Andreas Steffen | <pre> |
| 11 | 1 | Andreas Steffen | systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl... |
| 12 | 1 | Andreas Steffen | 00[LIB] loaded plugins: charon-systemd random drbg nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 frodo gmp curl kernel-netlink socket-default updown vici |
| 13 | 1 | Andreas Steffen | 00[JOB] spawning 16 worker threads |
| 14 | 1 | Andreas Steffen | 13[CFG] loaded certificate 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' |
| 15 | 1 | Andreas Steffen | 09[CFG] loaded certificate 'C=CH, O=strongSwan Project, CN=strongSwan Root CA' |
| 16 | 1 | Andreas Steffen | 05[CFG] loaded RSA private key |
| 17 | 1 | Andreas Steffen | 05[CFG] added vici connection: home |
| 18 | 1 | Andreas Steffen | systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl. |
| 19 | 1 | Andreas Steffen | </pre> |
| 20 | 1 | Andreas Steffen | |
| 21 | 1 | Andreas Steffen | Initiating an IPsec connection: |
| 22 | 1 | Andreas Steffen | <pre> |
| 23 | 1 | Andreas Steffen | 09[CFG] vici initiate CHILD_SA 'home' |
| 24 | 1 | Andreas Steffen | 14[IKE] initiating IKE_SA home[1] to 192.168.0.1 |
| 25 | 1 | Andreas Steffen | 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(IKE_INT_SUP) V ] |
| 26 | 1 | Andreas Steffen | 14[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (276 bytes) |
| 27 | 1 | Andreas Steffen | 10[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (309 bytes) |
| 28 | 1 | Andreas Steffen | 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(IKE_INT_SUP) N(MULT_AUTH) V ] |
| 29 | 1 | Andreas Steffen | 10[IKE] received strongSwan vendor ID |
| 30 | 1 | Andreas Steffen | 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519/KE_FRODO_SHAKE_L5 |
| 31 | 1 | Andreas Steffen | 10[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA" |
| 32 | 1 | Andreas Steffen | </pre> |
| 33 | 1 | Andreas Steffen | <pre> |
| 34 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ KE ] |
| 35 | 1 | Andreas Steffen | 10[ENC] splitting IKE message (21600 bytes) into 16 fragments |
| 36 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(1/16) ] |
| 37 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(2/16) ] |
| 38 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(3/16) ] |
| 39 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(4/16) ] |
| 40 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(5/16) ] |
| 41 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(6/16) ] |
| 42 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(7/16) ] |
| 43 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(8/16) ] |
| 44 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(9/16) ] |
| 45 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(10/16) ] |
| 46 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(11/16) ] |
| 47 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(12/16) ] |
| 48 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(13/16) ] |
| 49 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(14/16) ] |
| 50 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(15/16) ] |
| 51 | 1 | Andreas Steffen | 10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(16/16) ] |
| 52 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 53 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 54 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 55 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 56 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 57 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 58 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 59 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 60 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 61 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 62 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 63 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 64 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 65 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 66 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 67 | 1 | Andreas Steffen | 10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (740 bytes) |
| 68 | 1 | Andreas Steffen | </pre> |
| 69 | 1 | Andreas Steffen | <pre> |
| 70 | 1 | Andreas Steffen | 11[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 71 | 1 | Andreas Steffen | 11[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(1/16) ] |
| 72 | 1 | Andreas Steffen | 11[ENC] received fragment #1 of 16, waiting for complete IKE message |
| 73 | 1 | Andreas Steffen | 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 74 | 1 | Andreas Steffen | 05[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(2/16) ] |
| 75 | 1 | Andreas Steffen | 05[ENC] received fragment #2 of 16, waiting for complete IKE message |
| 76 | 1 | Andreas Steffen | 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 77 | 1 | Andreas Steffen | 15[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(3/16) ] |
| 78 | 1 | Andreas Steffen | 15[ENC] received fragment #3 of 16, waiting for complete IKE message |
| 79 | 1 | Andreas Steffen | 16[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 80 | 1 | Andreas Steffen | 16[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(4/16) ] |
| 81 | 1 | Andreas Steffen | 16[ENC] received fragment #4 of 16, waiting for complete IKE message |
| 82 | 1 | Andreas Steffen | 13[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 83 | 1 | Andreas Steffen | 13[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(5/16) ] |
| 84 | 1 | Andreas Steffen | 13[ENC] received fragment #5 of 16, waiting for complete IKE message |
| 85 | 1 | Andreas Steffen | 07[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 86 | 1 | Andreas Steffen | 07[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(6/16) ] |
| 87 | 1 | Andreas Steffen | 07[ENC] received fragment #6 of 16, waiting for complete IKE message |
| 88 | 1 | Andreas Steffen | 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 89 | 1 | Andreas Steffen | 12[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(7/16) ] |
| 90 | 1 | Andreas Steffen | 12[ENC] received fragment #7 of 16, waiting for complete IKE message |
| 91 | 1 | Andreas Steffen | 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 92 | 1 | Andreas Steffen | 12[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(8/16) ] |
| 93 | 1 | Andreas Steffen | 12[ENC] received fragment #8 of 16, waiting for complete IKE message |
| 94 | 1 | Andreas Steffen | 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 95 | 1 | Andreas Steffen | 05[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(9/16) ] |
| 96 | 1 | Andreas Steffen | 05[ENC] received fragment #9 of 16, waiting for complete IKE message |
| 97 | 1 | Andreas Steffen | 11[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 98 | 1 | Andreas Steffen | 11[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(10/16) ] |
| 99 | 1 | Andreas Steffen | 11[ENC] received fragment #10 of 16, waiting for complete IKE message |
| 100 | 1 | Andreas Steffen | 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 101 | 1 | Andreas Steffen | 14[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(11/16) ] |
| 102 | 1 | Andreas Steffen | 14[ENC] received fragment #11 of 16, waiting for complete IKE message |
| 103 | 1 | Andreas Steffen | 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 104 | 1 | Andreas Steffen | 12[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(12/16) ] |
| 105 | 1 | Andreas Steffen | 12[ENC] received fragment #12 of 16, waiting for complete IKE message |
| 106 | 1 | Andreas Steffen | 16[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 107 | 1 | Andreas Steffen | 16[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(13/16) ] |
| 108 | 1 | Andreas Steffen | 16[ENC] received fragment #13 of 16, waiting for complete IKE message |
| 109 | 1 | Andreas Steffen | 11[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 110 | 1 | Andreas Steffen | 11[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(14/16) ] |
| 111 | 1 | Andreas Steffen | 11[ENC] received fragment #14 of 16, waiting for complete IKE message |
| 112 | 1 | Andreas Steffen | 16[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 113 | 1 | Andreas Steffen | 16[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(15/16) ] |
| 114 | 1 | Andreas Steffen | 16[ENC] received fragment #15 of 16, waiting for complete IKE message |
| 115 | 1 | Andreas Steffen | 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (852 bytes) |
| 116 | 1 | Andreas Steffen | 12[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(16/16) ] |
| 117 | 1 | Andreas Steffen | 12[ENC] received fragment #16 of 16, reassembled fragmented IKE message (21712 bytes) |
| 118 | 1 | Andreas Steffen | 12[ENC] parsed IKE_INTERMEDIATE response 1 [ KE ] |
| 119 | 1 | Andreas Steffen | </pre> |
| 120 | 1 | Andreas Steffen | <pre> |
| 121 | 1 | Andreas Steffen | 12[IKE] sending cert request for "C=CH, O=sltrongSwan Project, CN=strongSwan Root CA" |
| 122 | 1 | Andreas Steffen | 12[IKE] authentication of 'carol@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful |
| 123 | 1 | Andreas Steffen | 12[IKE] sending end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org" |
| 124 | 1 | Andreas Steffen | 12[IKE] establishing CHILD_SA home{1} |
| 125 | 1 | Andreas Steffen | 12[ENC] generating IKE_AUTH request 2 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] |
| 126 | 1 | Andreas Steffen | 12[ENC] splitting IKE message (1904 bytes) into 2 fragments |
| 127 | 1 | Andreas Steffen | 12[ENC] generating IKE_AUTH request 2 [ EF(1/2) ] |
| 128 | 1 | Andreas Steffen | 12[ENC] generating IKE_AUTH request 2 [ EF(2/2) ] |
| 129 | 1 | Andreas Steffen | 12[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes) |
| 130 | 1 | Andreas Steffen | 12[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (516 bytes) |
| 131 | 1 | Andreas Steffen | 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes) |
| 132 | 1 | Andreas Steffen | 10[ENC] parsed IKE_AUTH response 2 [ EF(1/2) ] |
| 133 | 1 | Andreas Steffen | 10[ENC] received fragment #1 of 2, waiting for complete IKE message |
| 134 | 1 | Andreas Steffen | 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (436 bytes) |
| 135 | 1 | Andreas Steffen | 10[ENC] parsed IKE_AUTH response 2 [ EF(2/2) ] |
| 136 | 1 | Andreas Steffen | 10[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1824 bytes) |
| 137 | 1 | Andreas Steffen | 10[ENC] parsed IKE_AUTH response 2 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ] |
| 138 | 1 | Andreas Steffen | 10[IKE] received end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org" |
| 139 | 1 | Andreas Steffen | 10[CFG] using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org" |
| 140 | 1 | Andreas Steffen | 10[CFG] using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" |
| 141 | 1 | Andreas Steffen | 10[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=moon.strongswan.org" |
| 142 | 1 | Andreas Steffen | 10[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... |
| 143 | 1 | Andreas Steffen | 10[CFG] using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" |
| 144 | 1 | Andreas Steffen | 10[CFG] crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA" |
| 145 | 1 | Andreas Steffen | 10[CFG] crl is valid: until Aug 19 11:00:05 2020 |
| 146 | 1 | Andreas Steffen | 10[CFG] certificate status is good |
| 147 | 1 | Andreas Steffen | 10[CFG] reached self-signed root ca with a path length of 0 |
| 148 | 1 | Andreas Steffen | 10[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful |
| 149 | 1 | Andreas Steffen | 10[IKE] IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org] |
| 150 | 1 | Andreas Steffen | 10[IKE] scheduling rekeying in 13171s |
| 151 | 1 | Andreas Steffen | 10[IKE] maximum IKE_SA lifetime 14611s |
| 152 | 1 | Andreas Steffen | 10[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ |
| 153 | 1 | Andreas Steffen | 10[IKE] CHILD_SA home{1} established with SPIs c7e7575e_i c3ff255a_o and TS 192.168.0.100/32 === 10.1.0.0/16 |
| 154 | 1 | Andreas Steffen | 10[IKE] peer supports MOBIKE |
| 155 | 1 | Andreas Steffen | </pre> |
| 156 | 1 | Andreas Steffen | <pre> |
| 157 | 1 | Andreas Steffen | 14[CFG] vici terminate IKE_SA 'home' |
| 158 | 1 | Andreas Steffen | 06[IKE] deleting IKE_SA home[1] between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org] |
| 159 | 1 | Andreas Steffen | 06[IKE] sending DELETE for IKE_SA home[1] |
| 160 | 1 | Andreas Steffen | 06[ENC] generating INFORMATIONAL request 3 [ D ] |
| 161 | 1 | Andreas Steffen | 06[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (80 bytes) |
| 162 | 1 | Andreas Steffen | 16[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes) |
| 163 | 1 | Andreas Steffen | 16[ENC] parsed INFORMATIONAL response 3 [ ] |
| 164 | 1 | Andreas Steffen | 16[IKE] IKE_SA deleted |
| 165 | 1 | Andreas Steffen | 00[DMN] SIGTERM received, shutting down |
| 166 | 1 | Andreas Steffen | systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using swanctl... |
| 167 | 1 | Andreas Steffen | systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using swanctl. |
| 168 | 1 | Andreas Steffen | </pre> |