
Re: RFC2409



On Sunday, June 13, Hugo Krawczyk wrote:

> > Does this situation differ from one when we have 2 "legitimate" 
> > ISAKMP SA (one from Grandmaster#1 to Cheater and the other from 
> > Cheater to Grandmaster#2) and Cheater just plays the same pipe role? 
> > 
> > Valery Smyslov.
> 
> I think we all agree that there is no real attack here.
> On the other hand, the situation is NOT equivalent to 
> what you describe above. If C would only be relaying messages
> between I and R then I would end thinking he exchanged the key 
> with R, and R will think she exchanged a key with I.
> In the scenario described by Ivars they both think they exchanged a key 
> with C which is the correct belief. The fact that C does not
> know the key is C's problem (a cheater can always exchange a DH key
> using an exponent g^x for which C does not know x, it's his problem).
> 
> Hugo

Hugo, thanks for the clarification. I understand the difference between
the scenario described by Ivars and just relaying all messages
between I and R by C. I meant a slightly different situation - when C has 
normal SAs with I and R and just forwards information between the two.
You've already answered this question in your previous message to the list,
thanks. The list just works very slowly (at least in my case) - 
I got my own message back from the list 19 hours after it was sent -
that's why your answer appeared there before my question.

But it seems to me that there is a small difference between Ivars's scenario and
the simple case where C just tells his secret to somebody else. The difference is that
in Ivars's scenario C has no ability to know what I and R are talking
about after the first phase completes (assuming he continues "blind" forwarding
of messages to and fro). I don't know whether this is a "flaw"; it looks more
like a "feature", in fact, like a three-party protocol where
I and R don't know who they are really talking to (both think they are
talking to C), and C does know it, but is unable to get to know what I and R are 
talking about. Am I missing something?

Valery.




