Re: Another pothole in ISAKMP/Oakley
>
>A problem occurs when a man-in-the-middle forces each DH exponential into
>a small subgroup, by raising each number to the power of q. Both
>legitimate parties will derive the same key K, but it will be confined to
>one of "t" possible values, making it easy for the middleman to guess it.
>
>Alice->Mary: g^Ra Mary->Bob: (g^Ra)^q
>Bob->Mary: g^Rb Mary->Alice: (g^Rb)^q
>K = g^(Ra Rb q q)
>
David,
If I understand your point correctly, then it is NOT a problem
in isakmp-oakley.
There HASH_I and HASH_R are computed over the values of
g^xr and g^xr. Thus, a man in the middle cannot change them
without detection.
(This attack held against earlier versions of the draft but not
after the later corrections)
Or am I missing something in your argument?
Hugo
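
The check described in the reply above, as an added example that is not part of the original message or of any ISAKMP/Oakley implementation: a toy exchange showing that tampering leaves both sides with the same key drawn from at most t values, while a MAC over both exponentials no longer matches. The group parameters, the pre-shared `auth_key`, and the `transcript_hash` helper are constructed assumptions that stand in for the real HASH_I/HASH_R computation.

```python
import hashlib
import hmac

# Constructed toy group: P is prime and P - 1 = Q * T, so raising any element
# to the power Q lands in the subgroup of order T (at most T distinct values).
P, Q, T, G = 607, 101, 6, 3

def transcript_hash(auth_key: bytes, g_xi: int, g_xr: int) -> bytes:
    """Simplified stand-in for HASH_I/HASH_R: a MAC over both exponentials."""
    msg = g_xi.to_bytes(2, "big") + g_xr.to_bytes(2, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def exchange(ra: int, rb: int, tampered: bool, auth_key: bytes = b"constructed-psk"):
    """Run one DH exchange; return (alice_key, bob_key, hashes_match)."""
    a_pub, b_pub = pow(G, ra, P), pow(G, rb, P)
    # What each side receives: unchanged, or raised to Q in transit.
    a_recv = pow(b_pub, Q, P) if tampered else b_pub
    b_recv = pow(a_pub, Q, P) if tampered else a_pub
    alice_key, bob_key = pow(a_recv, ra, P), pow(b_recv, rb, P)
    # Each side MACs the initiator/responder values as it saw them.
    alice_hash = transcript_hash(auth_key, a_pub, a_recv)
    bob_hash = transcript_hash(auth_key, b_recv, b_pub)
    return alice_key, bob_key, hmac.compare_digest(alice_hash, bob_hash)

def reachable_keys(tampered: bool, limit: int = 60) -> set:
    """Distinct keys Alice derives over a range of exponent pairs."""
    return {exchange(a, b, tampered)[0]
            for a in range(1, limit) for b in range(1, limit)}

if __name__ == "__main__":
    for tampered in (False, True):
        ka, kb, ok = exchange(123, 457, tampered)
        print(f"tampered={tampered} same_key={ka == kb} "
              f"hashes_match={ok} reachable={len(reachable_keys(tampered))}")
```

Key agreement alone cannot reveal the tampering, because both keys still match; only the comparison of what each side sent against what the other received does.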