Re: Another pothole in ISAKMP/Oakley
Ran Canetti wrote:
> > From: "David P. Jablon" <dpj@world.std.com>
> >
> > A problem occurs when a man-in-the-middle forces each DH exponential into
> > a small subgroup, by raising each number to the power of q. Both
> > legitimate parties will derive the same key K, but it will be confined to
> > one of "t" possible values, making it easy for the middleman to guess it.
> >
> > Alice->Mary: g^Ra        Mary->Bob:   (g^Ra)^q
> > Bob->Mary:   g^Rb        Mary->Alice: (g^Rb)^q
> > K = g^(Ra Rb q q)
>
> Let me point out that such an attack is possible only against the signature
> mode of ISAKMP/Oakley. In the encryption mode this doesn't work since
> the DH challenges are sent encrypted by the public key encryption algorithm
> (e.g., RSA). This is another example where the encryption mode is more
> secure than the signature mode...
I'll agree that encryption mode is more secure but how is this attack made
against signature mode (or pre-shared key for that matter)?
HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAp | IDii)
HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAp | IDii)
This is signed in signature mode (and generated directly in pre-shared key
mode). Since both exponentials are there how can any man-in-the-middle change
them without each party being aware of that?
Dan.
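As an added illustration, not part of this thread, here is a toy model of the confinement Jablon describes together with the receiver-side check that rejects a confined exponential before it is used. The parameters are constructed for the example: p = 23 is a safe prime (p = 2q + 1, q = 11) and g = 5 generates the whole group of order 22, so raising to q lands in the subgroup {1, p-1} of t = 2 elements; nothing here is a real IKE group.

```python
# Constructed toy parameters (not an IKE/Oakley group).
P = 23             # safe prime: P - 1 = 2 * Q
Q = (P - 1) // 2   # 11, the large prime factor of P - 1
G = 5              # generates the whole multiplicative group (order 22)
T = (P - 1) // Q   # 2, size of the small subgroup the attacker aims for


def dh_public(secret):
    """Exponential a party sends in the clear (g^Ra or g^Rb)."""
    return pow(G, secret, P)


def confine(exponential):
    """Mary's manipulation from the quoted message: raise the value to q."""
    return pow(exponential, Q, P)


def derive_key(peer_exponential, secret):
    """K = peer^secret mod p, as each legitimate party computes it."""
    return pow(peer_exponential, secret, P)


def small_subgroup():
    """The t values a confined key can take: every y with y^t == 1 mod p."""
    return sorted(y for y in range(1, P) if pow(y, T, P) == 1)


def valid_exponential(y, require_order_q=False):
    """Receiver-side check on a peer's DH value.

    For a safe prime the only small subgroup is {1, p-1}, so rejecting those
    two values (plus anything out of range) already defeats confinement.
    When the generator itself has order q, also demand y^q == 1 so the value
    lies in the order-q subgroup (do not enable this for a full-order g).
    """
    if not 1 < y < P - 1:
        return False
    if require_order_q and pow(y, Q, P) != 1:
        return False
    return True


def run_exchange(ra, rb, attacked):
    """Return (Alice's K, Bob's K, Bob accepts Alice's value, Alice accepts Bob's)."""
    a_sends, b_sends = dh_public(ra), dh_public(rb)
    if attacked:  # Mary confines both exponentials in transit
        a_sends, b_sends = confine(a_sends), confine(b_sends)
    return (derive_key(b_sends, ra), derive_key(a_sends, rb),
            valid_exponential(a_sends), valid_exponential(b_sends))
```

With the attack on, both parties still agree on K, but K is one of the t values returned by `small_subgroup()`, and both receivers reject the confined exponential.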