[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Comments on draft-ietf-ipsec-ike-01.txt
Dr. Zhou has forwarded me the paper and I'll try to summarize:
The Initiator offers two transforms, T1 and T2 to the Responder
who chooses T2 and sends it back. This is intercepted by the
attacker and changed to be T1 before being forwarded on to the
Initiator. Now the Initiator thinks T1 was accepted and the
Responder thinks T2 was accepted. It's noted in the paper (and
was pointed out by Kivinen on the list) that the only difference
between the two can be the lifetime. The attacker has to send
back a transform that the Initiator sent in the first place
and if the difference between T1 and T2 is more than just the
lifetime the exchange will fail due to various errors (decryption
failed, authentication failed, etc).
The paper goes on to suggest changing SAi_b in the authenticating
hash calculation to SAr_b. But this will allow an attacker to modify
the Initiator's offers and remove certain offers-- for instance the
offer is [(3DES, group 5, etc) || (CAST, group 5, etc) || (DES, group 1,
etc)] and it becomes a single offer of [(DES, group 1, etc)].
The suggested change is flawed but if the working group thinks this
attack is serious we can include both SAi_b and SAr_b in the hash
calculations to prevent this.
Dan.
On Tue, 22 Jun 1999 17:27:25 +0800 you wrote
> There was a security flaw in RFC 2409.
>
> When SAi_b is used in HASH_I and HASH_R, an attack is possible so that
> at the end of Phase 1 negotiation, the SA being negotiated may not be
> authenticated. (The problem also exists in the new draft.)
>
> To avoid the attack, simply replace SAi_b with SAr_b. (The full paper
> is available by request.)
>
> Jianying
> ---------------------------------------------------------------------
> Dr. Jianying Zhou | Tel: +65-8742585
> Kent Ridge Digital Labs | Fax: +65-7744990
> 21 Heng Mui Keng Terrace | Email: jyzhou@krdl.org.sg
> Singapore 119613 | WWW: http://homex.s1.net.sg/user/jyzhou/
> ---------------------------------------------------------------------
>
Follow-Ups:
References: