IKEv2 post-quantum pre-shared keys (PPK)

Quantum computers pose a potential challenge to current cryptographic algorithms, such as those used in IKEv2 VPN. Current algorithms are considered to be very robust, but the challenge is that an attacker can record encrypted data today and decrypt it using quantum computers in the future.

The RFC 8784 "Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security" offers a way to resist quantum computers when passwords (PSKs) are used. The extension works by "mixing" the standard IKEv2 password key (PSK) with another key in the form of a Post-quantum Preshared Key (PPK) to increase resistance.

Existing IKEv2 PSK tunnels can easily be supplemented with PPKs. The PPK is independent of the existing PSK.

LCOS supports manual configuration of PPKs. Automatic procedures for changing PPKs are not supported.

Table VPN > IKEv2/IPSec > Authentication





PPK ID
Enter the name of the PPK-ID (Post-quantum Preshared Keys as per RFC 8784) from the table of PPKs.

Table VPN > IKEv2/IPSec > Extended settings > Authentication > Identities





PPK ID
Enter the name of the PPK-ID (Post-quantum Preshared Keys as per RFC 8784) from the table of PPKs.

Table VPN > IKEv2/IPSec > Extended settings > Authentication > PPKs





PPK-ID
Set a unique name for this entry. The input format can be a string or hexadecimal number (identified by a leading 0x).
PPK
Enter the post-quantum preshared key here as a character string or hexadecimal number (identified by a leading 0x).
Required
If the use of PPKs is configured as required, the corresponding VPN connection will be rejected if the remote site does not support or has not configured a PPK. If the use of PPKs is configured as optional, both PPK and non-PPK connections are accepted.

RADIUS attributes

Corresponding RADIUS attributes are also supported:

ID Name Meaning
LANCOM 33 LCS-IKEv2-PPK Specifies the post-quantum preshared key as a string or hexadecimal number (identified by a leading 0x).
LANCOM 34 LCS-IKEv2-PPK-MANDATORY Specifies whether the use of the passed post-quantum preshared key (PPK) is required. If yes, the corresponding VPN connection will be rejected if the remote site does not support or has not configured a PPK. If the use of PPKs is configured as optional, both PPK and non-PPK connections are accepted.
LANCOM 33 LCS-IKEv2-PPK Specifies the post-quantum preshared key as a string or hexadecimal number (identified by a leading 0x).
LANCOM 34 LCS-IKEv2-PPK-MANDATORY Specifies whether the use of the passed post-quantum preshared key (PPK) is required. If yes, the corresponding VPN connection will be rejected if the remote site does not support or has not configured a PPK. If the use of PPKs is configured as optional, both PPK and non-PPK connections are accepted.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de

LANCOM Logo