ID payload in wrong msg? (was RE: More questions on ID types)
[Bryan Gleeson wrote]
>
> I agree and see no reason why the ID values should be
> restricted to the 4 types listed in the ISAKMP appendix.
Derrell's latest posting clarifies the confusion on this
issue -- Phase I may use IDs other than those mentioned
in the ISAKMP draft if IPSEC DOI is used.
> I think there is another problem however. For the mandatory
> case of Authentication with Pre-Shared Key & Main Mode, it
> seems to me that the ID payload is in the "wrong" message.
> The pre-shared key needs to be accessed before the message
> with the ID payload can be decrypted. The spec says that the
[Other stuff deleted]
Is this really true? I was under the impression that the
key used for decryption is derived purely from the shared
secret (as in g^xy mod p) established by the key exchange
in messages 3 and 4 of main mode (i.e. the second messages
of the initiator and responder, respectively). This is
independent of the "shared secret" (say S) used for
authentication.
If my interpretation is correct, then carrying the ID payload
in messages 5 and 6 is ok and msg 5 is processed by the
responder as follows:
- responder decrypts the ID and HASH using the shared secret
(g^xy mod p) obtained from the key exchange in prior messages
- responder uses the ID data to look up the shared secret S associated
with the initiator's identity (the ID type could be ID_USER_FQDN or an
opaque ID_KEY_ID, i.e., key lookup need not be based on the initiator's
IP address)
- responder uses S to verify the HASH
regards,
vipul
p.s. This still leaves the possibility that identities are divulged to
a man-in-the-middle. However, this attacker would not be able to pass
the authentication checks made when main mode msgs 5 and 6
are processed.
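The responder-side handling of main mode message 5 that the message sketches, as an added illustration that is not part of this thread: a constructed toy model (HMAC-SHA256 as the prf, a prf keystream as the cipher, a one-entry pre-shared key table) that derives SKEYID both from g^xy alone, as the message assumes, and as the ISAKMP/Oakley draft's pre-shared-key mode defines it, SKEYID = prf(pre-shared-key, Ni | Nr), where the responder must already hold S to decrypt the ID. All names, nonces and key values are constructed.

```python
import hashlib
import hmac

# Constructed toy model of IKE main mode message 5 on the responder side.
# Not a real IKE implementation: prf is HMAC-SHA256 and "encryption" is XOR
# with a prf keystream, enough to show whether decryption depends on S.
PSK_DB = {b"alice@example.test": b"constructed-psk-for-alice"}  # ID_USER_FQDN -> S

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def skeyid(dh_secret, ni, nr, psk=None):
    """psk=None: SKEYID from g^xy only, as the post assumes.
    psk given: SKEYID = prf(pre-shared-key, Ni | Nr), the draft's PSK mode."""
    return prf(ni + nr, dh_secret) if psk is None else prf(psk, ni + nr)

def keystream_crypt(skeyid_val, dh_secret, data):
    """SKEYID_e stands in for the msg 5/6 encryption key; XOR is symmetric."""
    skeyid_e = prf(skeyid_val, dh_secret + b"\x02")
    blocks = (len(data) + 31) // 32
    stream = b"".join(prf(skeyid_e, bytes([i])) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def build_msg5(id_i, s, dh_secret, ni, nr, psk_bound):
    """Initiator: E{ IDii, HASH_I } with HASH_I = prf(S, IDii | g^xy)."""
    sk = skeyid(dh_secret, ni, nr, s if psk_bound else None)
    body = bytes([len(id_i)]) + id_i + prf(s, id_i + dh_secret)
    return keystream_crypt(sk, dh_secret, body)

def responder_msg5(msg5, dh_secret, ni, nr):
    """Order proposed in the post: decrypt with what the key exchange gave,
    look up S by the recovered ID, then verify HASH_I with S."""
    plain = keystream_crypt(skeyid(dh_secret, ni, nr), dh_secret, msg5)
    n = plain[0]
    id_i, hash_i = plain[1:1 + n], plain[1 + n:]
    s = PSK_DB.get(id_i)
    if s is None:
        return "unknown identity: ID not recoverable without S"
    ok = hmac.compare_digest(hash_i, prf(s, id_i + dh_secret))
    return "authenticated" if ok else "bad hash"

def run(psk_bound):
    """psk_bound=False: the post's model; True: SKEYID bound to S as in the draft."""
    dh, ni, nr = b"g^xy-mod-p-constructed", b"Ni-constructed", b"Nr-constructed"
    id_i = b"alice@example.test"
    msg5 = build_msg5(id_i, PSK_DB[id_i], dh, ni, nr, psk_bound)
    return responder_msg5(msg5, dh, ni, nr)
```

With SKEYID derived from g^xy alone the decrypt-then-lookup order works; with SKEYID bound to S the responder cannot recover the ID it needs for the lookup.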