
Re: Weak authentication in Xauth and IKE



Jianying Zhou wrote:

> The attack can only be applied to the aggressive mode, not the main mode.
> In the main mode, digi, IDi and digr, IDr are encrypted with se (not
> listed in your notation). Hence, the off-line directory attack to the
> main mode is impossible.

I disagree.  I didn't mean to imply that the attack I presented
for Aggressive Mode would apply verbatim to Main Mode, but
rather mutatis mutandis (whatever that means :-).  I'll give
the painful details.  Given my notation, Main Mode amounts to:

        1). I -> R: (CKYi, SAi),

        2). R -> I: (CKYr, SAr),

        3). I -> R: (g^i, Ni),

        4). R -> I: (g^r, Nr),

        5). I -> R: {(IDi, digi)}_k,

        6). R -> I: {(IDr, digr)}_k.

Again digi would contain all we need for a dictionary attack if
we could decrypt it.  So the obvious thing to do is to actively
force the secret used to encrypt digi to be common to I and
adversary M.  That is accomplished as follows:

        1). I -> M -> R: (CKYi, SAi),

        2). R -> M -> I: (CKYr, SAr),

        3). I -> M -> R: (g^i, Ni),

        4). R -> M: (g^r, Nr),

        5). M -> I: (g^q, Nr),
            I computes:
              * shared secret g^iq,
              * sd = f(s, (g^iq, CKYi, CKYr, 0)),
              * sa = f(s, (sd, g^iq, CKYi, CKYr, 1)),
              * digi = f(s, (g^q, g^i, CKYi, CKYr, SAi, IDi)),
              * k = f(s, (sa, g^iq, CKYi, CKYr, 2)).

        6). I -> R: {(IDi, digi)}_k,

        7). M causes session failure through denial of service.

After the adversary computes k (knowing everything) she decrypts
digi and again conducts an off-line dictionary attack.  For all
candidate passwords pw*, she computes:

        s* = f(pw*, (Ni, Nr)),
and
        digi* = f(s*, (g^i, g^q, CKYi, CKYr, SAi, IDi)).

If digi = digi*, then with high probability pw = pw*.  The only
difference is that we must now bring in part of the active
attack early.

Note:  There is also a way to do this without being detected.
If the active attack against Diffie-Hellman described in [HAC]
is used during phase 1, the adversary can conduct a
brute-force search for pw and k together...

Cheers,

John
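A toy model of the Main Mode run described in the message above, added here as an example; it is not code from the original mail, from the IKE RFCs or from any IKE implementation. It follows the post's notation (CKYi, CKYr, SAi, IDi, Ni, Nr, s, sd, sa, digi, k, and the adversary's exponent q) but everything concrete is an assumption: f is modelled as HMAC-SHA256 keyed on its first argument over a '|'-joined encoding of the tuple, Diffie-Hellman runs in a tiny constructed group so the model is instant, {m}_k is a toy XOR keystream, and digi's two group elements are taken in the fixed order (g^i, g^peer) since the post lists them in two different orders. The session values and the candidate list are constructed sample data. The point it makes visible is the one that matters for a defender: because M chose q, every quantity I derives is recomputable from pw alone, so the search succeeds exactly when pw is in the candidate list and fails for a high-entropy random pre-shared secret.

```python
"""Toy model of the active Main Mode attack from the post (added example)."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed toy modulus (a Mersenne prime), not an IKE DH group
G = 2            # generator for the toy group


def f(key: bytes, parts) -> bytes:
    """Model of the post's f(secret, (...)): a keyed PRF over the tuple (assumption)."""
    data = b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def xor_crypt(k: bytes, msg: bytes) -> bytes:
    """Model of {msg}_k: toy XOR keystream derived from k; XOR is its own inverse."""
    stream = hashlib.sha256(k).digest()
    while len(stream) < len(msg):
        stream += hashlib.sha256(stream).digest()
    return bytes(a ^ b for a, b in zip(msg, stream))


def password_secret(pw: bytes, Ni: bytes, Nr: bytes) -> bytes:
    """s = f(pw, (Ni, Nr)) as in the post."""
    return f(pw, (Ni, Nr))


def derive_k(s: bytes, shared: int, CKYi: bytes, CKYr: bytes) -> bytes:
    """sd, sa and k from step 5 of the post; note that none of them involve IDi."""
    sd = f(s, (shared, CKYi, CKYr, 0))
    sa = f(s, (sd, shared, CKYi, CKYr, 1))
    return f(s, (sa, shared, CKYi, CKYr, 2))


def derive_digi(s: bytes, g_i: int, g_peer: int, CKYi: bytes, CKYr: bytes,
                SAi: bytes, IDi: bytes) -> bytes:
    """digi from step 5 of the post, group elements in the fixed order (g^i, g^peer)."""
    return f(s, (g_i, g_peer, CKYi, CKYr, SAi, IDi))


def recover_password(q: int, g_i: int, Ni: bytes, Nr: bytes, CKYi: bytes, CKYr: bytes,
                     SAi: bytes, message6: bytes, candidates):
    """The off-line search from the post. M knows q, so for each candidate pw*
    she rebuilds s*, k*, decrypts message 6 and compares digi with digi*.
    Returns the matching candidate, or None if pw is not in the list."""
    g_q = pow(G, q, P)
    shared = pow(g_i, q, P)                     # g^iq, the same value I computed
    for pw_star in candidates:
        s_star = password_secret(pw_star, Ni, Nr)
        k_star = derive_k(s_star, shared, CKYi, CKYr)   # k does not depend on IDi
        plain = xor_crypt(k_star, message6)
        id_i, sep, digi = plain[:-33], plain[-33:-32], plain[-32:]
        if sep != b"|":
            continue                             # wrong k*: the separator is garbage
        digi_star = derive_digi(s_star, g_i, g_q, CKYi, CKYr, SAi, id_i)
        if hmac.compare_digest(digi, digi_star):
            return pw_star
    return None


def run_attack(pw: bytes, candidates):
    """Steps 1-7 of the post with constructed session values; returns what M recovers."""
    CKYi, CKYr, SAi = b"cky-i", b"cky-r", b"sa-proposal"   # constructed sample values
    IDi = b"alice@example.test"                             # constructed sample identity
    Ni, Nr = secrets.token_bytes(16), secrets.token_bytes(16)  # nonces M has seen in 3 and 4
    i = secrets.randbelow(P - 2) + 2            # I's DH exponent
    q = secrets.randbelow(P - 2) + 2            # M's exponent, sent to I in place of R's g^r
    g_i, g_q = pow(G, i, P), pow(G, q, P)
    # step 5: I, having received (g^q, Nr) from M, derives digi and k
    s = password_secret(pw, Ni, Nr)
    k = derive_k(s, pow(g_q, i, P), CKYi, CKYr)
    digi = derive_digi(s, g_i, g_q, CKYi, CKYr, SAi, IDi)
    # step 6: I sends {(IDi, digi)}_k; M records it, then the session is dropped
    message6 = xor_crypt(k, IDi + b"|" + digi)
    return recover_password(q, g_i, Ni, Nr, CKYi, CKYr, SAi, message6, candidates)


if __name__ == "__main__":
    sample_list = [b"password", b"summer2003", b"letmein"]   # constructed candidates
    print("weak pw recovered:", run_attack(b"summer2003", sample_list))
    print("random PSK recovered:", run_attack(secrets.token_bytes(32), sample_list))
```

The second call in the usage block is the mitigation check: a 32-byte random pre-shared secret is not in any candidate list, so the same active exchange yields nothing, which is why group passwords and other human-chosen secrets are the weak point rather than the Diffie-Hellman exchange itself.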
