Multi-Authentication in IKEv2 with Post-quantum Security

Cryptographically-relevant quantum computers (CRQC) pose a threat to data securely protected by current standards. In particular, the so-called harvest-now-and-decrypt-later (HNDL) attack is considered an imminent threat. To mitigate this threat against the Internet Key Exchange Protocol Version 2 (IKEv2) , multiple key exchanges in the IKEv2 were introduced to achieve post-quantum (PQ) security. To enable post-quantum security for the authentication in IKEv2, "Announcing Supported Authentication Methods in the Internet Key Exchange Protocol Version 2 (IKEv2)" specifies a new Notify type, called the SUPPORTED_AUTH_METHODS, which allows two peers to indicate the list of supported authentication methods while establishing IKEv2 SA. One purpose of is to support post-quantum signature algorithms for authentication in IKEv2, as further discribed by the following drafts. "Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) using PQC" specifies how NIST PQ digital algorithms ML-DSA and SLH-DSA can be used in IKEv2 by indicating the supported signature algorithms via exchanging the Notify SIGNATURE_HASH_ALGORITHMS, defined in . Similarly, "IKEv2 Support of ML-DSA", specifies how ML-DSA can be run in IKEv2, by indicating the supported signature algorithms via exchanging the SUPPORTED_AUTH_METHODS Notify, defined in . On the other hand, "Post-Quantum Traditional (PQ/T) Hybrid PKI Authentication in the Internet Key Exchange Version 2 (IKEv2)" specifies how to run general hybrid PQ/T digital algorithms in IKEv2 via introducing some extensions in the SUPPORTED_AUTH_METHODS Notify. For all of those Internet standard drafts, the correponding public certificates and signatures for the involved siganture algorithms are exchanged via the INTERMEDIATE Exchange, defined in . However, except authentication by composite signatures is specified in where the corresponding certificates can be a composite certificate or dual certificates, all others are single method authentication. As discussed in and , hybrid is a more conservative approach to the migration from traditional algrotihms to post-quantum (PQ) algorithms. Moreover, there a number of different authentication methods now, including Shared Key Message Integrity Code (2), Generic Secure Password Authentication Method (12), several specific signature algorithms (3, 9, 10, 11), general Digital Signature (14), and newly proposed KEM based authentication (16, TBD) . Motivated by the fact that there is a need of hybrid authentication, this draft specifies a general authentication mechanism in the Internet Key Exchange Protocol Version 2 (IKEv2) , called Multi-Authentication. Namely, two peers can negotiate two or more authentication methods to authenticate each other. The authentication methods selected do not necessarily belong to the same category. For example, two peers may select a traditional signature and a PQ signature (like ML-DSA ), or MAC based authentication and a PQ signature. This mechanism is achieved by adding a new value (17, TBD) in the "IKEv2 Authentication Method" registry , maintained by IANA. To run Multi-Authentication, two peers send the SUPPORTED_AUTH_METHODS Notify, defined in , to negotiate two or more authentication methods for authenticaion in IKEv2. Finally, using the authentication methods selected, not necessarily the same algoithm in two directions, the peers SHALL authenticate the IKE data to each other, according to the specfication in . Actually, it is noticed that specifies a mechanism called Multiple Authentication Exchange to run two or more authenticaiton in IKEv2. This mechanism is realized via two types of notification. Firstly, two peers run MULTIPLE_AUTH_SUPPORTED notification in the IKE_SA_INIT response (responder) and the first IKE_AUTH request (initiator) to indicate that they are willing to run a second authentication. After that, they exchange ANOTHER_AUTH_FOLLOWS notification in any IKE_AUTH message to complete the second authentication. However, is not supported for post-quantum security at all.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Multiple Authentication in the IKEv2

Challenges Here are the main challenging reasons for why a general PQ secure solution is hard for the authentication in the IKEv2:

For the key exchange in IKEv2, the algorithm selected SHALL be the same for both peers. Different from this, two peers in the IKEv2 authentication MAY select different authentication methods to authenticate itself to the other.
Authentication negotiation or indication in the IKEv2 is done via notifications, as shown in and , not via normal message payloads in the IKE_SA_INIT or IKE_Auth, as the IKE key exchange does.
However, in the IKE authentication, each peers has more info or requirement to transfer: which authentication methods itself supports, which authentication methods it prefers to authenticate itself to the other peer, and which authentication methods it prefers that the other peer SHOULD select to be authenticated. All of this may be covered by a term like "authentication policy", from both peers.
Even the peers select the authentication methods both sides satisfied according to their preference, these methods may still fail for use, as there is still one more issue, certificates! Namely, the trust anchor of one peer may be not trusted by the other peer, when digital signature algorithms are selected for authentication in the IKEv2.

Basic Ideas of the Solution Proposed The basic idea proposed in this document is to mimic the addtional key exchange (ADDKE) proposed in . Namely, when one peer A (the sender) sends SUPPORTED_AUTH_METHODS Notify payload to announce what the authentication methods it supports, this payload also tansfers the info which methods it expects the other peer B SHALL select for authentication. This is done by assigning different authentication methods into a few authentication sets, and the other peer B MUST select one of the methods in each authentication set. More importantly, the feedback from the othe peer B (the replier) is intentionally constructed as the followings to transfer the replier's authentication policy to the sender A.

1 authentication set: This means that B agrees to use this set for bidirectional authentication. Namely, this implies that both A and B MUST use these methods in the authentication set to authenticate itself to the other. If this set is empty, it means that B does not support any authentication method in each set. If this set contains one or a number of NULL Authentication (13), it means that NULL Authentication (13) is a valid answer for one or a number of A's enquiring authentication sets.
2 authentication sets: This means that B SHALL use the first authentication set to authenticate itself to A, and A SHALL use the 2nd set to authenticate itstelf to B. In case the 2nd set is empty or just contains NULL Authentication (13), it means that B SHALL NOT require A to authenticate itself to B.
3 or more authentication sets: Similar as the above, the first set is for B to authenticate itself to A, the 2nd set MUST be empty that means B cannot select a set of methods from all methods A has sent, such that this set also satisfies B's authentication policy how A SHOULD authenticate itself to B. Therefore, after this empty set, all sets remaining are for expressing what B's authentication policy for A.

For example, if A sends ten methods (a1, a2, ..., a10) via 3 authentication sets, say (a2, a1, a3), (a4, a8, a9), and (a5, a6, a10, a7), according to A's preference. Then, if B sends back (a1, a4, a7), this implicitly means that both A and B SHALL use a1, a4, and a7 to authenticate itself to the other peer. Or, if B sends back two authentication sets, (a1, a4, a7) and (a2, a7), it means that B SHALL use a1, a4, and a7 to authenticate itself to A, and A SHOULD use a2 and a7 to authenticate itself to B. Finally, in another case, if B sends back 4 sets, (a1, a4, a7), () (empty set), (a1, a3, a8), and (a11, a12), it means that B SHALL use a1, a4, and a7 to authenticate itself to A, and that B is asking A selects 2 methods from set 3 and 4 so that A SHALL authenticate itself to B, though by now B is not sure if A does support either a11 or a12. If one execution of the above procedures cannot achieve the authentication policy for either of the two peers, they MAY abort the procedure or restart by any of the two peers as the sender to initate this authentication method negotiation. For flexibility, authentication methods in sets are not supposed to exclusively belonging to only one set, though this may be true in most cases. The reason is that selecting the same method from two different sets does not make much sense for enhacing security, unless this method is NULL Authentication (13) for adding flexibility.

By following , two communicating peers send each other the Notify Message Type SUPPORTED_AUTH_METHODS to negotiate which authentication method(s) will be used to authenticate one of them to the other. Bascially, each of the authentication methods proposed can be any one registered in the "IKEv2 Authentication Method" registry under "Internet Key Exchange Version 2 (IKEv2) Parameters" , maintained by IANA. To run Multiple Authentication, this document adds the value 17 (TBD) for "Multi-Authentication" in the "IKEv2 Authentication Method" registry ().

After the initiator starts the IKE_SA_INIT exchange as usual, the responder sents the notify SUPPORTED_AUTH_METHODS with value of 17 (TBD) to indicate that the responder wants to run Multiple Authentication with respect to several Authentication sets of authentication methods, which the responder supports. Each of these Authentication set will be listed in the SUPPORTED_AUTH_METHODS Notify Payload (), ordered by the responder's preference. After the initiator receives SUPPORTED_AUTH_METHODS via several Authentication sets from the reponder, it will try to prepare the best anwser, i.e, one set, or two sets, or three sets, according to this specification given the above. Table 1 below shows how two peers use the SUPPORTED_AUTH_METHODS notification to run Multiple Authentication for the above example, where the responder's intial authentication sets are (a2, a1, a3), (a4, a8, a9), and (a5, a6, a10, a7), while the initiator sends back two authentication sets (a1, a4, a7) and (a2, a7) as its feedback. In the protocol below, the IKE_INTERMEDIATE exchange MAY be used to faciliate the hybrid key exchange in the IKEv2 as specified in , and to transfer PQ certifates between the responder and the intitator for completing Multiple authentication. KEi, Ni, N(INTERMEDIATE_EXCHANGE_SUPPORTED), .. <--- HDR(IKE_SA_INIT), SAr1(.. ADDKE*..), [CERTRQ,] KEr, Nr, N(INTERMEDIATE_EXCHANGE_SUPPORTED), .. N(SUPPORTED_AUTH_METHODS(17((a2a1a3),(a4a8a9),(a5a6a10a7)))).. ... (IKE_INTERMEDIATE for ADDKE) ... HDR(IKE_AUTH), SK{IDi, [CERT,] [CERTRQ,] [IDr,] AUTH, SAi2, TSi, TSr, N(SUPPORTED_AUTH_METHODS(17(TBD)(a1a4a7),(a2a7)))} ---> ... (IKE_INTERMEDIATE for [CERT,]) ... <--- HDR(IKE_AUTH), SK{IDr, [CERT,] AUTH, SAr2, TSi, TSr} ... (IKE_INTERMEDIATE for [CERT,]) ... Fig. 1 An Example of Multi-Authentication between Two Peers ]]> If the resulting SUPPORTED_AUTH_METHODS notification with list of authentication methods is too long such that IP fragmentation of the IKE_SA_INIT response may happen, the responder MAY choose to send empty SUPPORTED_AUTH_METHODS notification in the IKE_SA_INIT exchange response. Then, the responder and the intiatior can send each other the SUPPORTED_AUTH_METHODS notification with list of authentication methods they support by using the IKE_INTERMEDIATE exchange, as desribed in Section 3.1 of . [EDNOTE: More examples may be provided later.]

For easy reference, the SUPPORTED_AUTH_METHODS Notify payload format is shown in the following, as specified in Section 3.2 of . Correspondigly, here, Protocol ID field MUST be set to 0, the SPI Size MUST be set to 0 (meaning there is no SPI field), and the Notify Message Type MUST be set to 16443. Payload Format for Multi-Authentication is defined in Fig. 3, which is treated as part of the Supported Auth Methods Announcements shown in Fig. 2. Namely, for this part, a number (M) of Authentication Groups of authentication methods are listed, as desribed below.

Length: Length of the whole blob of the announcement in octets; must be greater than 5.
Multi-Auth: The value of "Multi-Authentication", which is supposed to be 17 (TBD).
#Auth Group: The number of Authentication Groups listed in this announcement.
#Auth Meth: The number of Authentication Methods in a given authentication group.
Reserved: One byte reserved for future use.
Auth Method: The value of one announced authentication method in a given authentication group.
Cert Link: Links this announcement with a particular CA, which issued the public certificate for the Auth Method identified in AlgorithmIdentifiers below; see Section 3.2.2 of for detail. If this Auth Method is not related certificate, this info MUST be ignored.
AlgID Len: Length of each authentication method algorithm ID, that is identified in AlgorithmIdentifier below, in octets.
AlgorithmIdentifier: One ore more variable-length ASN.1 objects that are encoded using Distinguished Encoding Rules (DER) to identify one specific Authentication Method algorithm.

Once two authentication sets have been negotiated, the corresponding authentication methods will be use to the IKE data for completing authentication, according to . In the above example for Fig. 2, a1, a4, and a7 will be used to run multiple authentication from B to A, and a2 and a7 will be used to multi-authentication from A to B. Once all those authentication methods are correctly verified by one side, then this directional authentication is successful. 5) | Multi-Auth | #Auth Groups | #Auth Meth 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | Auth Meth 1.1 | Cert Link 1.1 | AlgID Len 1.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ AlgorithmIdentifier 1.1 ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Auth Meth 1.2 | Cert Link 1.2 | AlgID Len 1.2 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ~ AlgorithmIdentifier 1.2 ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ... ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Auth Meth 1.N | Cert Link 1.N | AlgID Len 1.N | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ~ AlgorithmIdentifier 1.N ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | #Auth Meth 2 | Reserved | Auth Meth 2.1 | Cert Link 2.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AlgID Len 2.1 | | +-+-+-+-+-+-+-+-+ | ~ AlgorithmIdentifier 2.1 ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ... ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | #Auth Meth M | Reserved | Auth Meth M.1 | Cert Link M.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AlgID Len M.1 | | +-+-+-+-+-+-+-+-+ | ~ AlgorithmIdentifier M.1 ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ... ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fig.3 Payload Format for Multi-Authentication Announcement ]]> [EDNOTE: More examples may be provided later.]

Multi-authentication is a combination of multiple component authentication methods. So, its seucrity relies on the security of the security of each component. By requiring multi-authentication is successful if and only if each component authentication is successful, multi-authentication is secure at least one of the component authentication method, with regarding to either traditional or traditional and quantum attacks. At the time of writing, there are no other security issues which may need to be considered.

This document adds a new type in the "IKEv2 Authentication Method" registry under "Internet Key Exchange Version 2 (IKEv2) Parameters" , maintained by IANA: .

To be added later.