
Re: Another pothole in ISAKMP/Oakley



Ran Canetti wrote:
> > From: "David P. Jablon" <dpj@world.std.com>
> > 
> > A problem occurs when a man-in-the-middle forces each DH exponential into
> > a small subgroup, by raising each number to the power of q.  Both
> > legitimate parties will derive the same key K, but it will be confined
> > to one of "t" possible values, making it easy for the middleman to guess it.
> > 
> > Alice->Mary:  g^Ra	Mary->Bob:  (g^Ra)^q
> > Bob->Mary:  g^Rb	Mary->Alice:  (g^Rb)^q
> > K = g^(Ra Rb q q)
> 
> Let me point out that such an attack is possible only against the signature
> mode of ISAKMP/Oakley. In the encryption mode this doesn't work since 
> the DH challenges are sent encrypted by the public key encryption algorithm
> (eg, RSA). This is another example where the encryption mode is more
> secure than the signature mode...

I'll agree that encryption mode is more secure but how is this attack made
against signature mode (or pre-shared key for that matter)?

  HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAp | IDii)
  HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAp | IDii)

This is signed in signature mode (and generated directly in pre-shared key
mode). Since both exponentials are there how can any man-in-the-middle change
them without each party being aware of that?

  Dan.
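A toy-sized illustration of the confinement Jablon describes and of why the HASH_I binding Dan quotes catches the substitution, with the small-subgroup membership check implementations also apply. This is added example code, not from the thread or any ISAKMP implementation; it assumes HMAC-SHA256 in place of prf, a pre-shared SKEYID, a constructed 157-element group, and collapses the cookie, SA and ID fields into one placeholder string.

```python
import hmac, hashlib

# Toy group, constructed for this example: p - 1 = q * t with t small, so
# Mary's substitution x -> x^q confines every exponential to the subgroup
# of order t.  Real groups use a large p and a large prime-order subgroup.
P, Q = 157, 13              # 157 is prime; 156 = 2^2 * 3 * 13
T = (P - 1) // Q            # 12: number of values a confined key can take
G = next(g for g in range(2, P)
         if all(pow(g, (P - 1) // f, P) != 1 for f in (2, 3, Q)))  # primitive root

def confine(x):
    """Mary's move from the quoted message: raise the exponential to q."""
    return pow(x, Q, P)

def run_exchange(ra, rb, middleman):
    """Return Alice's and Bob's views: (g^x sent, g^x received, key)."""
    ga, gb = pow(G, ra, P), pow(G, rb, P)
    gb_at_alice, ga_at_bob = middleman(gb), middleman(ga)
    alice = (ga, gb_at_alice, pow(gb_at_alice, ra, P))
    bob = (gb, ga_at_bob, pow(ga_at_bob, rb, P))
    return alice, bob

def hash_i(skeyid, g_xi, g_xr, rest=b"CKY-I|CKY-R|SAp|IDii"):
    """HASH_I as in the message, with HMAC-SHA256 standing in for prf and
    the cookie, SA and ID fields collapsed into one placeholder string."""
    msg = g_xi.to_bytes(2, "big") + g_xr.to_bytes(2, "big") + rest
    return hmac.new(skeyid, msg, hashlib.sha256).digest()

def in_small_subgroup(y):
    """Membership check: y^t == 1 means y has order dividing t, i.e. was confined."""
    return pow(y, T, P) == 1

def demo(middleman=lambda x: x, ra=7, rb=5, skeyid=b"assumed pre-shared SKEYID"):
    (ga, gb_at_alice, k_alice), (gb, ga_at_bob, k_bob) = run_exchange(ra, rb, middleman)
    # Alice builds HASH_I over what she sent and received; Bob recomputes it
    # over what he received and sent.  Mary cannot make both agree.
    sent = hash_i(skeyid, ga, gb_at_alice)
    expected = hash_i(skeyid, ga_at_bob, gb)
    return {
        "keys_agree": k_alice == k_bob,                 # True even under attack
        "key_confined": in_small_subgroup(k_alice),     # True only under attack
        "hash_verifies": hmac.compare_digest(sent, expected),  # False under attack
        "peer_value_rejected": in_small_subgroup(gb_at_alice),
    }
```

With `demo(middleman=confine)` both parties still agree on K, but K lies among only 12 values, HASH_I fails to verify, and the membership check flags the received exponential; `demo()` with no middleman passes every check.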
