
RE: RFC2409





> -----Original Message-----
> From: Hugo Krawczyk [mailto:hugo@ee.technion.ac.il]
> Sent: 11 June 1999 10:38
> To: Ivars Suba
> Cc: 'kivinen@iki.fi'; 'Hilarie Orman'; ipsec@lists.tislabs.com
> Subject: RE: RFC2409
> 
> 
> As pointed out already by Hilarie and Tero there is no
> attack here. When you exchange a key with a "cheater" C then you
> can not guarantee that the key is not known to other people
> as C can always tell his friends the value of the key...
> 
> In this case, both I and R which are good guys end their protocols
> convinced that they talked to C (as it was the case). The only "problem"
> is that they don't know that there is a third party (R and I, respectively)
> that knows the key, but as said this is something C can always do (and
> with less effort).
> 
> Hilarie mentioned the lack of "explicit confirmation" of the exchanged
> key. This is not needed here since the KEi values are fully authenticated.
> A party following the protocol will always know the key even if it does not
> explicitly prove that to the other party (the proof is implicit in the
> security proof of the protocol).
> 
> Hugo

First off, I agree there is no attack.  PKI relies on trust.  C has breached
trust.  He may as well have just created a set of SAs with each party and
forwarded the information between the two pipes.

I think one of the more curious features of C's behaviour is that it doesn't
actually yield the shared keys to him!  Given that he just forwards the
public KE between the parties, he won't actually be able to recreate the DH
shared secret.  If DSA were being used then the first phase wouldn't
complete.  As it is, there will be problems later, e.g. if AH is used...

Chris
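
The two cases contrasted in the reply above, as an added example that is not part of the original thread: C forwarding the KE values unchanged versus C running a separate exchange with each party. The group (P, G) is a constructed toy group, not one of the RFC 2409 Oakley groups, and the function names are illustrative assumptions.

```python
import secrets

# Constructed toy group, NOT an RFC 2409 Oakley group:
# P is the Mersenne prime 2**127 - 1, far too small for real use.
P = 2**127 - 1
G = 3

def keypair(priv=None):
    """Return (private exponent, public KE value G^priv mod P)."""
    priv = priv if priv is not None else secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared(priv, peer_ke):
    """DH shared secret from own private exponent and the peer's KE."""
    return pow(peer_ke, priv, P)

def relay_case(x=None, y=None, z=None):
    """C passes I's and R's KE values through unchanged."""
    x, ke_i = keypair(x)
    y, ke_r = keypair(y)
    z, _ = keypair(z)
    k_i = shared(x, ke_r)   # I computes from the forwarded KE_r
    k_r = shared(y, ke_i)   # R computes from the forwarded KE_i
    # Values C can form directly from what it holds (both KEs and z).
    c_candidates = {shared(z, ke_i), shared(z, ke_r), ke_i * ke_r % P}
    # (I and R agree on the key?, C obtained that key?)
    return k_i == k_r, k_i in c_candidates

def two_pipes_case(x=None, y=None, z=None):
    """C runs its own exchange with each party, sending its own KE."""
    x, ke_i = keypair(x)
    y, ke_r = keypair(y)
    z, ke_c = keypair(z)
    k_i = shared(x, ke_c)   # key on the I<->C pipe
    k_r = shared(y, ke_c)   # key on the C<->R pipe
    c_knows_both = shared(z, ke_i) == k_i and shared(z, ke_r) == k_r
    # (I and R agree on the key?, C holds both pipe keys?)
    return k_i == k_r, c_knows_both

if __name__ == "__main__":
    print("relay:    ", relay_case())      # I and R agree, C has no key
    print("two pipes:", two_pipes_case())  # C has both keys, I and R differ
```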