
On a hybrid authentication mode for IKE



Dear friends,
I'd like to make a comment on
draft-ietf-ipsec-isakmp-hybrid-auth-02.txt
(A Hybrid Authentication Mode for IKE).
In the 6th section, the document says that
protection against DoS is not provided.
My comment is that, since the Hybrid Authentication Mode
uses the Signature Mode of IKE first,
a modified mode of it (draft-matsuura-sign-mode-00.txt)
would be a better solution.
The idea is the use of an intermediate random fresh value
as an additional input to the HASH payload in the ack message
from the client; if the client (maybe a DoS attacker) does not
follow the protocol (i.e. skips the verification of the responder's
signature), he/she cannot produce the correct HASH, which is
efficiently detected by the responder (hashing is an inexpensive
computation).

Thanks,

---- **** ----
 Kanta MATSUURA, Ph.D.
  Lecturer
  3rd Department,
  Institute of Industrial Science, University of Tokyo,
  Roppongi 7-22-1, Minato-ku, Tokyo 106-8558, JAPAN
    Tel: +81-3-3402-6231 (ext. 2325)
    Fax: +81-3-3479-1736
    E-Mail: kanta@iis.u-tokyo.ac.jp
 
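Added example (not part of the message above, and not the construction used in either draft): a toy model in Python of the idea the message describes. The responder's signature is stood in for by textbook RSA with message recovery over a fixed toy key, and the "intermediate random fresh value" is modelled as a random r that is folded into the signed block and never sent in the clear, so the only way for the client to obtain r is to actually perform the verification. The client then feeds r into the HASH payload of its ack; the responder's check is one keyed hash and a compare. The key, SKEYID and message bytes are constructed stand-ins.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Toy RSA key, constructed for this illustration only (two Mersenne primes).
# A real deployment would use a properly generated key of adequate size.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
N_LEN = (N.bit_length() + 7) // 8

NONCE_LEN = 16   # bytes of the fresh random value r
DIGEST_LEN = 8   # truncated digest; the toy modulus is too small for a full SHA-256


def responder_sign(msg: bytes) -> tuple[bytes, bytes]:
    """Responder side: sign msg with a fresh random r folded into the signed block.

    Only the signature is sent; r itself is never transmitted in the clear, so the
    only way for the peer to learn r is to actually run the verification.
    """
    r = os.urandom(NONCE_LEN)
    block = hashlib.sha256(msg).digest()[:DIGEST_LEN] + r
    sig = pow(int.from_bytes(block, "big"), D, N)
    return sig.to_bytes(N_LEN, "big"), r


def client_verify(msg: bytes, sig: bytes) -> bytes | None:
    """Honest client: perform the public-key verification and recover r.

    Returns r on success, None if the signature does not match msg.
    """
    val = pow(int.from_bytes(sig, "big"), E, N)
    if val >> (8 * (DIGEST_LEN + NONCE_LEN)):
        return None                       # recovered value is not a well-formed block
    block = val.to_bytes(DIGEST_LEN + NONCE_LEN, "big")
    if not hmac.compare_digest(block[:DIGEST_LEN], hashlib.sha256(msg).digest()[:DIGEST_LEN]):
        return None
    return block[DIGEST_LEN:]


def ack_hash(skeyid: bytes, msg: bytes, r: bytes) -> bytes:
    """HASH payload of the client's ack: a keyed hash over the exchange plus r."""
    return hmac.new(skeyid, msg + r, hashlib.sha256).digest()


def responder_check(skeyid: bytes, msg: bytes, r: bytes, received: bytes) -> bool:
    """Responder side: one inexpensive hash computation and a constant-time compare."""
    return hmac.compare_digest(ack_hash(skeyid, msg, r), received)


def run_exchange(client_verifies: bool) -> bool:
    """Drive one exchange; return whether the responder accepts the client's ack."""
    skeyid = b"constructed stand-in for SKEYID"
    msg = b"constructed stand-in for the responder's signed payloads"
    sig, r = responder_sign(msg)          # responder -> client: msg, sig
    if client_verifies:
        r_client = client_verify(msg, sig)
        if r_client is None:
            return False
        h = ack_hash(skeyid, msg, r_client)
    else:
        # A flooding client that skips verification has no r and can only guess it.
        h = ack_hash(skeyid, msg, bytes(NONCE_LEN))
    return responder_check(skeyid, msg, r, h)  # client -> responder: HASH


if __name__ == "__main__":
    print("honest client accepted:", run_exchange(True))
    print("lazy client accepted:  ", run_exchange(False))
```

The asymmetry is the point: a client that skips the public-key verification cannot form a correct HASH, and the responder detects that with a single keyed hash rather than any expensive operation of its own. The actual draft-matsuura-sign-mode-00 construction of the intermediate value is not reproduced here; this is only a model of the property described in the message.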