
Re: Another pothole in ISAKMP/Oakley



>
>I'll agree that encryption mode is more secure but how is this attack made
>against signature mode (or pre-shared key for that matter)?
>
>  HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAp | IDii)
>  HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAp | IDii)
>
>This is signed in signature mode (and generated directly in pre-shared key
>mode). Since both exponentials are there how can any man-in-the-middle change
>them without each party being aware of that?
>
>  Dan.
>

Dan is correct. The inclusion of g^xr and g^xi in HASH solves the problem
in all the modes. This is no particular advantage of the encryption mode.
It is an advantage of having the same HASH in all modes and all include 
the exponents. Before doing that, draft-01 was susceptible to this problem.

Hugo
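
The binding discussed in this message, as an added example that is not part of the original thread: the responder recomputes HASH_I from the exponentials it actually saw, so a substituted g^x value makes the check fail. Assumptions: HMAC-SHA256 stands in for the prf, the DH group and all field values are constructed toy values, and hash_i_unbound is a hypothetical variant without the exponentials, shown only for contrast.

```python
import hashlib
import hmac

P, G = 2**127 - 1, 3   # toy DH group, constructed for the demo; not a real IKE group

def prf(key, data):
    # Assumption: HMAC-SHA256 stands in for the negotiated prf.
    return hmac.new(key, data, hashlib.sha256).digest()

def enc(n):
    # Fixed-width encoding so the concatenated fields cannot shift.
    return n.to_bytes(16, "big")

def hash_i(skeyid, g_xi, g_xr, rest):
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAp | IDii)
    return prf(skeyid, enc(g_xi) + enc(g_xr) + rest)

def hash_i_unbound(skeyid, g_xi, g_xr, rest):
    # Hypothetical variant that ignores both exponentials, for contrast only.
    return prf(skeyid, rest)

def responder_accepts(hash_fn, substitute):
    """Initiator sends HASH_I; return True if the responder's recomputation matches."""
    skeyid = b"constructed-skeyid"                     # known to the two ends only
    rest = b"I" * 8 + b"R" * 8 + b"SAp" + b"IDii"      # CKY-I | CKY-R | SAp | IDii
    xi, xr, xm = 0x1111, 0x2222, 0x3333                # constructed exponents
    g_xi, g_xr, g_xm = (pow(G, x, P) for x in (xi, xr, xm))
    # With substitution, each end receives g^xm in place of the peer's value.
    peer_seen_by_i = g_xm if substitute else g_xr
    peer_seen_by_r = g_xm if substitute else g_xi
    sent = hash_fn(skeyid, g_xi, peer_seen_by_i, rest)      # initiator's view
    expected = hash_fn(skeyid, peer_seen_by_r, g_xr, rest)  # responder's view
    return hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    for fn in (hash_i, hash_i_unbound):
        for sub in (False, True):
            label = "substituted" if sub else "honest"
            print(fn.__name__, label, responder_accepts(fn, sub))
```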