[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on draft-ietf-ipsec-ike-01.txt

To: Jianying Zhou <jyzhou@krdl.org.sg>
Subject: Re: Comments on draft-ietf-ipsec-ike-01.txt
From: Dan Harkins <dharkins@network-alchemy.com>
Date: Tue, 22 Jun 1999 18:54:50 -0700
cc: ipsec@lists.tislabs.com
In-reply-to: Your message of "Tue, 22 Jun 1999 17:27:25 +0800." <Pine.GSO.4.02.9906221712330.14401-100000@arizona>
Sender: owner-ipsec@lists.tislabs.com

  Dr. Zhou has forwarded me the paper and I'll try to summarize:

      The Initiator offers two transforms, T1 and T2 to the Responder 
      who chooses T2 and sends it back. This is intercepted by the 
      attacker and changed to be T1 before being forwarded on to the 
      Initiator. Now the Initiator thinks T1 was accepted and the 
      Responder thinks T2 was accepted. It's noted in the paper (and 
      was pointed out by Kivinen on the list) that the only difference 
      between the two can be the lifetime. The attacker has to send
      back a transform that the Initiator sent in the first place
      and if the difference between T1 and T2 is more than just the
      lifetime the exchange will fail due to various errors (decryption
      failed, authentication failed, etc).

The paper goes on to suggest changing SAi_b in the authenticating
hash calculation to SAr_b. But this will allow an attacker to modify
the Initiator's offers and remove certain offers-- for instance the
offer is [(3DES, group 5, etc) || (CAST, group 5, etc) || (DES, group 1,
etc)] and it becomes a single offer of [(DES, group 1, etc)].

  The suggested change is flawed but if the working group thinks this
attack is serious we can include both SAi_b and SAr_b in the hash
calculations to prevent this.

  Dan.

On Tue, 22 Jun 1999 17:27:25 +0800 you wrote
> There was a security flaw in RFC 2409. 
> 
> When SAi_b is used in HASH_I and HASH_R, an attack is possible so that 
> at the end of Phase 1 negotiation, the SA being negotiated may not be
> authenticated. (The problem also exists in the new draft.)
> 
> To avoid the attack, simply replace SAi_b with SAr_b. (The full paper
> is available by request.)
> 
> Jianying
> ---------------------------------------------------------------------
> Dr. Jianying Zhou        | Tel:   +65-8742585
> Kent Ridge Digital Labs  | Fax:   +65-7744990
> 21 Heng Mui Keng Terrace | Email: jyzhou@krdl.org.sg
> Singapore 119613         | WWW:   http://homex.s1.net.sg/user/jyzhou/
> ---------------------------------------------------------------------
>

Follow-Ups:

Re: Comments on draft-ietf-ipsec-ike-01.txt

From: "Valery Smyslov" <svan@trustworks.com>

Re: Comments on draft-ietf-ipsec-ike-01.txt

From: Hugo Krawczyk <hugo@ee.technion.ac.il>

References:

Re: Comments on draft-ietf-ipsec-ike-01.txt

From: Jianying Zhou <jyzhou@krdl.org.sg>

Prev by Date: Re: Comments on draft-ietf-ipsec-ike-01.txt
Next by Date: Re: Comments on draft-ietf-ipsec-ike-01.txt
Prev by thread: Re: Comments on draft-ietf-ipsec-ike-01.txt
Next by thread: Re: Comments on draft-ietf-ipsec-ike-01.txt
Index(es):
- Main
- Thread