Re: Another pothole in ISAKMP/Oakley



>
>A problem occurs when a man-in-the-middle forces each DH exponential into
>a small subgroup, by raising each number to the power of q.  Both legitimate
>parties will derive the same key K, but it will be confined to one of "t"
>possible values, making it easy for the middleman to guess it.
>
>Alice->Mary:  g^Ra	Mary->Bob:  (g^Ra)^q
>Bob->Mary:  g^Rb	Mary->Alice:  (g^Rb)^q
>K = g^(Ra Rb q q)
>

David,

If I understand your point correctly, then it is NOT a problem
in isakmp-oakley.
There HASH_I and HASH_R are computed over the values of
g^xr and g^xr. Thus, a man in the middle cannot change them
without detection.

(This attack held against earlier versions of the draft but not
after the later corrections)

Or am I missing something in your argument?

Hugo
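
The exchange discussed in this thread, as an added example that is not part of the original messages: with exponentials raised to q in transit both sides still agree on K, but K falls in the order-t subgroup, and a keyed hash computed over the exponentials each side saw exposes the change. The toy parameters (P, Q, T, G), `AUTH_KEY` and `transcript_hash` are constructed assumptions; the hash is a simplified stand-in for HASH_I/HASH_R, not the draft's exact computation.

```python
import hashlib
import hmac

# Constructed toy parameters: P = Q*T + 1, Q prime, T small (not real-world sizes).
P, Q, T, G = 1987, 331, 6, 2
# Assumption: authenticated keying material the party in the middle does not hold.
AUTH_KEY = b"constructed-auth-key"


def transcript_hash(initiator_pub, responder_pub):
    """Simplified stand-in for HASH_I/HASH_R: keyed hash over both exponentials."""
    msg = f"{initiator_pub}|{responder_pub}".encode()
    return hmac.new(AUTH_KEY, msg, hashlib.sha256).digest()


def exchange(ra, rb, tamper):
    """Run one exchange; return (k_alice, k_bob, modification_detected)."""
    a_sent = pow(G, ra, P)
    b_sent = pow(G, rb, P)
    # What each side receives: raised to the power Q in transit when tampered.
    a_seen_by_bob = pow(a_sent, Q, P) if tamper else a_sent
    b_seen_by_alice = pow(b_sent, Q, P) if tamper else b_sent
    k_alice = pow(b_seen_by_alice, ra, P)
    k_bob = pow(a_seen_by_bob, rb, P)
    # Alice hashes the values she sent and received; Bob recomputes from his view.
    hash_i = transcript_hash(a_sent, b_seen_by_alice)
    expected = transcript_hash(a_seen_by_bob, b_sent)
    detected = not hmac.compare_digest(hash_i, expected)
    return k_alice, k_bob, detected


def confined_keys(max_exp=200):
    """Distinct keys produced under tampering across a sweep of exponents."""
    return {exchange(ra, rb, True)[0]
            for ra in range(1, max_exp, 7)
            for rb in range(1, max_exp, 11)}


if __name__ == "__main__":
    print("tampered run:", exchange(123, 456, tamper=True))
    print("clean run:   ", exchange(123, 456, tamper=False))
    print("keys seen under tampering:", sorted(confined_keys()))
```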