Re: Weak authentication in Xauth and IKE
Jianying Zhou wrote:
> The attack can only be applied to the aggressive mode, not the main mode.
> In the main mode, digi, IDi and digr, IDr are encrypted with se (not
> listed in your notation). Hence, the off-line directory attack to the
> main mode is impossible.
I disagree. I didn't mean to imply that the attack I presented
for Aggressive Mode would apply verbatim to Main Mode, but
rather mutatis mutandis (whatever that means :-). I'll give
the painful details. Given my notation, Main Mode amounts to:
1). I -> R: (CKYi, SAi),
2). R -> I: (CKYr, SAr),
3). I -> R: (g^i, Ni),
4). R -> I: (g^r, Nr),
5). I -> R: {(IDi, digi)}_k,
6). R -> I: {(IDr, digr)}_k.
Again digi would contain all we need for a dictionary attack if
we could decrypt it. So the obvious thing to do is to actively
force the secret used to encrypt digi to be common to I and
adversary M. That is accomplished as follows:
1). I -> M -> R: (CKYi, SAi),
2). R -> M -> I: (CKYr, SAr),
3). I -> M -> R: (g^i, Ni),
4). R -> M: (g^r, Nr),
5). M -> I: (g^q, Nr),
I computes:
* shared secret g^iq,
* sd = f(s, (g^iq, CKYi, CKYr, 0)),
* sa = f(s, (sd, g^iq, CKYi, CKYr, 1)),
* digi = f(s, (g^q, g^i, CKYi, CKYr, SAi, IDi)),
* k = f(s, (sa, g^iq, CKYi, CKYr, 2)).
6). I -> R: {(IDi, digi)}_k,
7). M causes session failure through denial of service.
After the adversary computes k (knowing everything) she decrypts
digi and again conducts an off-line dictionary attack. For all
candidate passwords pw*, she computes:
s* = f(pw*, (Ni, Nr)),
and
digi* = f(s*, (g^i, g^q, CKYi, CKYr, SAi, IDi)).
If digi = digi*, then with high probability pw = pw*. The only
difference is that we must now bring in part of the active
attack early.
Note: There is also a way to do this without being detected.
If the active attack against Diffie-Hellman described in [HAC]
is used during phase 1, the adversary can conduct a
brute-force search for pw and k together...
Cheers,
John
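The following toy model of the Main Mode exchange above is an added example, not code from the original post or from any IKE implementation. It plays messages 1 to 6 with M substituting g^q for g^r, lets I derive s, sd, sa, k and digi exactly as listed in the post, and then runs the off-line dictionary search from M's side; it closes with the defender's check that the same search fails when the shared secret is a random 128-bit value rather than a password. The group (2^61-1, generator 2), the cookies, identities, nonces, the HMAC-SHA256 encoding of f, the XOR "encryption" and the single argument order used for digi on both sides are all constructed assumptions.

```python
# Added example (not from the original post): a toy model of the Main Mode
# exchange, showing why digi leaks a low-entropy pw once the adversary chooses
# the DH value the initiator sees, and why a high-entropy secret does not.
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group (NOT an IKE group): prime 2^61-1, generator 2.
P = (1 << 61) - 1
G = 2


def f(key, data):
    """The post's keyed function f(key, tuple), modelled as HMAC-SHA256 over a
    length-prefixed encoding of the tuple elements (an assumption)."""
    key_bytes = key if isinstance(key, bytes) else str(key).encode()
    mac = hmac.new(key_bytes, digestmod=hashlib.sha256)
    for item in data:
        enc = item if isinstance(item, bytes) else str(item).encode()
        mac.update(len(enc).to_bytes(4, "big") + enc)
    return mac.digest()


def derive_k(s, g_peer, exponent, cky_i, cky_r):
    """sd, sa and k from the post, computed from s and the shared secret g^(peer*own)."""
    g_shared = pow(g_peer, exponent, P)
    sd = f(s, (g_shared, cky_i, cky_r, 0))
    sa = f(s, (sd, g_shared, cky_i, cky_r, 1))
    return f(s, (sa, g_shared, cky_i, cky_r, 2))


def digest_i(s, g_own, g_peer, cky_i, cky_r, sa_i, id_i):
    # Assumption: one fixed argument order (own DH value first) for digi everywhere.
    return f(s, (g_own, g_peer, cky_i, cky_r, sa_i, id_i))


def encrypt(k, msg):
    """Toy cipher: XOR with a SHA256(k) keystream, enough to model {.}_k."""
    stream = hashlib.sha256(k).digest() * (len(msg) // 32 + 1)
    return bytes(a ^ b for a, b in zip(msg, stream))


def run_exchange(pw_or_secret, dictionary):
    """Play messages 1-6 with M substituting g^q for g^r; return M's guess or None."""
    cky_i, cky_r = b"CKYi", b"CKYr"          # constructed cookies (messages 1, 2)
    sa_i, id_i = b"SAi", b"alice@example.test"
    n_i, n_r = secrets.token_bytes(8), secrets.token_bytes(8)
    i = secrets.randbelow(P - 2) + 2
    g_i = pow(G, i, P)                        # message 3: I -> M -> R: (g^i, Ni)
    q = secrets.randbelow(P - 2) + 2          # M's own exponent
    g_q = pow(G, q, P)                        # message 5: M -> I: (g^q, Nr)
    # I, seeing g^q, derives everything from s = f(pw, (Ni, Nr)).
    s = f(pw_or_secret, (n_i, n_r))
    k = derive_k(s, g_q, i, cky_i, cky_r)
    digi = digest_i(s, g_i, g_q, cky_i, cky_r, sa_i, id_i)
    msg6 = encrypt(k, id_i + digi)            # message 6: I -> R: {(IDi, digi)}_k
    # M knows q, g^i, Ni, Nr, the cookies, SAi, IDi and the ciphertext, so for
    # each candidate pw* it can rebuild k* and digi* and compare.
    for pw_star in dictionary:
        s_star = f(pw_star, (n_i, n_r))
        k_star = derive_k(s_star, g_i, q, cky_i, cky_r)   # g^iq from g^i and q
        plain = encrypt(k_star, msg6)
        digi_star = digest_i(s_star, g_i, g_q, cky_i, cky_r, sa_i, id_i)
        if plain[len(id_i):] == digi_star:
            return pw_star
    return None


# Constructed candidate list standing in for a real dictionary.
DICTIONARY = [b"letmein", b"password1", b"hunter2", b"correcthorse"]


def weak_password_leaks():
    """A password that is in the dictionary is recovered from one intercepted message 6."""
    return run_exchange(b"hunter2", DICTIONARY)


def strong_secret_resists():
    """A random 128-bit secret is outside any dictionary, so the same search fails."""
    return run_exchange(secrets.token_bytes(16), DICTIONARY)


if __name__ == "__main__":
    print("weak password recovered:", weak_password_leaks())
    print("strong secret recovered:", strong_secret_resists())
```

The point the model makes visible is the ordering problem in the post: I commits to digi (and to a key derived from the password) in message 6, before it has seen anything from R that would reveal the substituted g^q, so the denial of service in step 7 costs M nothing. The only variable the defender controls in this model is the entropy of the secret fed to f, which is why the second function returns None.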