
Re: proposed changes to ISAKMP/Oakley



Lewis McCarthy writes:
> ISAKMP specifies the length of each cookie (Sec 3.1), and presumably
> everyone can deduce the expected length of each public exponential
> from the group descriptor. This leaves SAp, IDii, and IDir.

I was first concerned about the g^xi and g^xr, but I couldn't find any way
to attack them (even against code that doesn't check that g^x < p). So
I started to think about the SAp and ID pairs too.

> (SAp_at_I | IDir_at_I) = (SAp | IDir). For authentication with 
> signatures or with a preshared key, the useful (to an attacker) choices 
> of different ISAKMP identities would seem to be very limited. The 
> attacker would not learn the agreed session key if this worked, but 
> perhaps could cause one or both legitimate parties to accept a mistaken
> identity for the peer. The correct SAp and the modified SAp_at_I would
> need to specify reasonably compatible sets of transforms, or the whole 
> conversation will fall apart.

I didn't have time to check if one can really do any real attacks
using this, but it gives me bad feelings that someone might someday
find an attack to use this.

Adding the lengths to HASH now would make sure no one will find such
an attack later. If someone finds such an attack later, modifying the
protocol will be much harder then...

> Now it would be interesting to see whether the SAp might be modified,  
> subject to the constraints above, so as to alter the group choice and
> thus cast the lengths of the public exponentials into doubt....
-- 
kivinen@iki.fi		              	     Work : +358-9-4354 3205
Magnus Enckellin kuja 9 K 19, 02610, Espoo   Home : +358-9-502 1573
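The ambiguity the thread is worried about, as an added illustration that is not part of the original mail or of any ISAKMP implementation: when variable-length fields such as SAp and IDir are hashed as a bare concatenation, two different (SAp, IDir) splits of the same byte string feed identical input to the PRF, whereas prefixing each field with its length (the change proposed above) makes the two cases distinguishable. HMAC-SHA256 stands in for the negotiated prf, and all field values and the key are constructed sample data.

```python
import hashlib
import hmac

# Constructed stand-ins; a real exchange would use the negotiated prf
# keyed with SKEYID and the actual SAp / ID payload bodies.
KEY = b"constructed-skeyid"

def prf_concat(key: bytes, fields: list[bytes]) -> bytes:
    """Hash fields as a bare concatenation (no field lengths)."""
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()

def prf_length_prefixed(key: bytes, fields: list[bytes]) -> bytes:
    """Hash fields with each one prefixed by a 4-byte big-endian length,
    so the field boundaries are part of the hashed data."""
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def boundary_shift(sap: bytes, idir: bytes, shift: int) -> tuple[bytes, bytes]:
    """Move `shift` trailing bytes of SAp onto the front of IDir.
    The concatenation SAp | IDir is unchanged; only the split moves."""
    if not 0 <= shift <= len(sap):
        raise ValueError("shift must lie within SAp")
    return sap[: len(sap) - shift], sap[len(sap) - shift :] + idir

def compare(sap: bytes, idir: bytes, shift: int) -> tuple[bool, bool]:
    """Return (concat_hashes_equal, length_prefixed_hashes_equal)
    for the original fields versus the boundary-shifted fields."""
    sap2, idir2 = boundary_shift(sap, idir, shift)
    concat_equal = prf_concat(KEY, [sap, idir]) == prf_concat(KEY, [sap2, idir2])
    lp_equal = prf_length_prefixed(KEY, [sap, idir]) == prf_length_prefixed(KEY, [sap2, idir2])
    return concat_equal, lp_equal

if __name__ == "__main__":
    # Constructed payload bodies: a short "SAp" and a short "IDir".
    sap = b"\x00\x01\x02AB"
    idir = b"CDEF"
    print("shift 2:", compare(sap, idir, 2))  # (True, False)
    print("shift 0:", compare(sap, idir, 0))  # (True, True): no change at all
```

With a non-zero shift the bare-concatenation PRF outputs are identical while the length-prefixed ones differ, which is exactly why adding the lengths to HASH removes the ambiguity regardless of whether a practical attack is ever found.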

