Correction #12471

closed

AES-XCBC should not be recommended as PRF for IPsec

Added by Kev Kitchens about 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

The IPsec Configuration (https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure.html) and VPN Scaling (https://docs.netgate.com/pfsense/en/latest/vpn/performance.html) sections of the pfSense docs recommend using AES-XCBC as the PRF when AES-GCM is in use and SHA-256 otherwise. It would be better to only recommend SHA-256.

The motivation for supporting AES-XCBC in IKE was to allow constrained platforms to re-use their AES-CBC hardware accelerators. So, this recommendation would make sense when configuring legacy AES encryption as it is CBC-based, but makes less sense when using AES-GCM.

Also, using XCBC in IKEv2 (AES-GCM isn't supported in IKEv1) requires the initiator and responder nonces to be truncated to 64 bits when calculating SKEYSEED in order to match the 128-bit key size required by XCBC, reducing the entropy of SKEYSEED. This is not a restriction of any other PRF supported by IKEv2, including SHA-256.

Finally, it's worth noting that neither Microsoft nor Apple support AES-XCBC in their respective IKEv2 implementations (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd125380(v=ws.10) and https://developer.apple.com/documentation/networkextension/nevpnikev2integrityalgorithm).
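As an added illustration of the SKEYSEED point in the description (this is example code written for this page, not code from the ticket, pfSense, or strongSwan), the script below implements the key-shaping rule from RFC 7296 section 2.14 that the description refers to: SKEYSEED = prf(Ni | Nr, g^ir), where a PRF with a fixed key length such as AES-XCBC-PRF-128 receives only the first half of its key from Ni and the other half from Nr, while a variable-key PRF such as HMAC-SHA-256 receives both nonces in full. The nonces and the Diffie-Hellman shared secret are constructed values; the AES-XCBC-PRF-128 function follows RFC 3566/4434 and only runs if the third-party `cryptography` package is installed, which is an assumption of this example.

```python
import hashlib
import hmac
from typing import Optional


def prf_key_from_nonces(ni: bytes, nr: bytes, fixed_key_len: Optional[int] = None) -> bytes:
    """Build the key input to prf(Ni | Nr, g^ir) per RFC 7296 section 2.14.

    A variable-key PRF (HMAC-SHA-256) is keyed with the full concatenation.
    A fixed-key PRF (AES-XCBC-PRF-128 needs exactly 16 bytes) takes half of
    its key from the first bytes of Ni and half from the first bytes of Nr.
    """
    if fixed_key_len is None or len(ni) + len(nr) == fixed_key_len:
        return ni + nr
    half = fixed_key_len // 2
    if len(ni) < half or len(nr) < half:
        raise ValueError("nonces too short for the negotiated PRF key length")
    return ni[:half] + nr[:half]


def nonce_bits_used(ni_len: int, nr_len: int, fixed_key_len: Optional[int] = None) -> int:
    """How many nonce bits actually reach the PRF key when deriving SKEYSEED."""
    return 8 * len(prf_key_from_nonces(bytes(ni_len), bytes(nr_len), fixed_key_len))


def skeyseed_hmac_sha256(ni: bytes, nr: bytes, gir: bytes) -> bytes:
    """SKEYSEED with PRF_HMAC_SHA2_256: the whole of Ni | Nr keys the PRF."""
    return hmac.new(prf_key_from_nonces(ni, nr), gir, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def aes_xcbc_prf_128(key: bytes, msg: bytes) -> bytes:
    """AES-XCBC-PRF-128 (RFC 4434 over the RFC 3566 MAC construction).

    Requires the 'cryptography' package (assumption of this example);
    the rest of the script does not depend on it.
    """
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def aes_block(k: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(k), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()

    if len(key) != 16:
        raise ValueError("AES-XCBC-PRF-128 key must be exactly 128 bits")
    k1 = aes_block(key, b"\x01" * 16)  # CBC-MAC chaining key
    k2 = aes_block(key, b"\x02" * 16)  # mixed into a complete final block
    k3 = aes_block(key, b"\x03" * 16)  # mixed into a padded final block
    blocks = [msg[i:i + 16] for i in range(0, len(msg), 16)] or [b""]
    e = bytes(16)
    for m in blocks[:-1]:
        e = aes_block(k1, _xor(e, m))
    last = blocks[-1]
    if len(last) == 16:
        e = aes_block(k1, _xor(_xor(e, last), k2))
    else:
        padded = last + b"\x80" + bytes(15 - len(last))
        e = aes_block(k1, _xor(_xor(e, padded), k3))
    return e


def skeyseed_aes_xcbc(ni: bytes, nr: bytes, gir: bytes) -> bytes:
    """SKEYSEED with PRF_AES128_XCBC: only 64 bits of each nonce key the PRF."""
    return aes_xcbc_prf_128(prf_key_from_nonces(ni, nr, 16), gir)


if __name__ == "__main__":
    # Constructed sample values: 32-byte nonces and a fake shared secret.
    ni = bytes(range(32))
    nr = bytes(range(32, 64))
    gir = b"\xAA" * 64
    print("nonce bits reaching HMAC-SHA-256 :", nonce_bits_used(32, 32))
    print("nonce bits reaching AES-XCBC-PRF :", nonce_bits_used(32, 32, 16))
    print("SKEYSEED (HMAC-SHA-256):", skeyseed_hmac_sha256(ni, nr, gir).hex())
    try:
        print("SKEYSEED (AES-XCBC-PRF-128):", skeyseed_aes_xcbc(ni, nr, gir).hex())
    except ImportError:
        print("cryptography package not installed; skipping AES-XCBC")
```

With two 32-byte nonces, HMAC-SHA-256 is keyed with all 512 nonce bits, whereas AES-XCBC-PRF-128 sees only 128 of them; two initiator nonces that share their first 8 bytes therefore key AES-XCBC identically, which is the entropy reduction the ticket describes.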
