
Re: combining SA proposals in IKE [was: Some questions]



Daniel Harkins wrote in reply to "D. Hugh Redelmeier":
> > When testing our IKE daemon, I've noticed that the keying material is
> > often the same in both directions.  This strikes me as unfortunate (it
:
> The logic works just fine, it's your daemon that doesn't work. KEYMAT is
> dependent on the nonces as well as the SPI and protocol. If you're generating
> identical KEYMAT for each direction that means that not only are the SPIs
> identical, the nonces are too.

Well, I think you are missing something.  I too noticed it when I
experimented with isakmp-test.ssh.fi, since it was replying with the same
SPI when it was configured as responder.   KEYMAT is generated as:
	KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
Both nonces are included in the hash input in the same order, regardless
of which direction the security association is for.  This results in the same
KEYMAT for both directions iff the responder chooses the same SPI.
And this choice is made solely by the responder, although the initiator
may be able to reject it by an Informational message or a Delete message.

I think it may be usable in some form of replay attack, since
I can cut data from a packet in one direction and inject it into
a different direction.  Replay protection doesn't work well since it's
a different SA for each direction.


					FUKUMOTO Atsushi
					fukumoto@isl.rdc.toshiba.co.jp
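
An added example, not part of the original message or of any IKE implementation: it derives KEYMAT with the formula quoted above for both SAs of a pair, showing that the keys coincide exactly when the two SPIs coincide, and includes the initiator-side check that would refuse such a responder SPI. Assumptions: HMAC-SHA1 as the prf, a 1-octet protocol ID and 4-octet SPI, K1 | K2 | ... chaining for output longer than one prf block, hypothetical function names, and constructed sample values.

```python
import hashlib
import hmac

PROTO_IPSEC_ESP = 3  # IPsec DOI protocol identifier for ESP


def prf(key: bytes, data: bytes) -> bytes:
    """Assumed prf: HMAC-SHA1 (the negotiated hash in HMAC form)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, protocol: int, spi: int,
           ni_b: bytes, nr_b: bytes, length: int = 40) -> bytes:
    """KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), chained as
    K1 | K2 | ... when more than one prf block of output is needed."""
    seed = bytes([protocol]) + spi.to_bytes(4, "big") + ni_b + nr_b
    out, block = b"", b""
    while len(out) < length:
        block = prf(skeyid_d, block + seed)  # K1 has no previous block
        out += block
    return out[:length]


def derive_sa_pair(skeyid_d, protocol, spi_i, spi_r, ni_b, nr_b):
    """Keys for the two unidirectional SAs. Only the SPI differs between
    the two derivations; the nonce order is the same for both."""
    return (keymat(skeyid_d, protocol, spi_i, ni_b, nr_b),
            keymat(skeyid_d, protocol, spi_r, ni_b, nr_b))


def responder_spi_acceptable(spi_i: int, spi_r: int) -> bool:
    """Initiator-side check: refuse a responder SPI equal to our own,
    since both SAs would then be keyed identically."""
    return spi_i != spi_r


# Constructed sample values, not taken from any real exchange.
SKEYID_D = bytes(range(20))
NI_B = b"\x11" * 16
NR_B = b"\x22" * 16

if __name__ == "__main__":
    for spi_i, spi_r in ((0x1000, 0x2000), (0x1000, 0x1000)):
        k_i, k_r = derive_sa_pair(SKEYID_D, PROTO_IPSEC_ESP,
                                  spi_i, spi_r, NI_B, NR_B)
        print(f"SPIs {spi_i:#x}/{spi_r:#x}: same KEYMAT={k_i == k_r}, "
              f"acceptable={responder_spi_acceptable(spi_i, spi_r)}")
```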


