
Re: Weak authentication in Xauth and IKE



On Fri, 20 Aug 1999, John Pliam wrote:

> Jianying Zhou wrote:
> 
> > The attack can only be applied to the aggressive mode, not the main mode.
> > In the main mode, digi, IDi and digr, IDr are encrypted with se (not
> > listed in your notation). Hence, the off-line dictionary attack against the
> > main mode is impossible.
> 
> I disagree.  I didn't mean to imply that the attack I presented
> for Aggressive Mode would apply verbatim to Main Mode, but
> rather mutatis mutandis (whatever that means :-).  I'll give
> the painful details.  Given my notation, Main Mode amounts to:
> 
>         1). I -> R: (CKYi, SAi),
> 
>         2). R -> I: (CKYr, SAr),
> 
>         3). I -> R: (g^i, Ni),
> 
>         4). R -> I: (g^r, Nr),
> 
>         5). I -> R: {(IDi, digi)}_k,
> 
>         6). R -> I: {(IDr, digr)}_k.
> 
> Again digi would contain all we need for a dictionary attack if
> we could decrypt it.  So the obvious thing to do is to actively
> force the secret used to encrypt digi to be common to I and
> adversary M.  That is accomplished as follows:
> 
>         1). I -> M -> R: (CKYi, SAi),
> 
>         2). R -> M -> I: (CKYr, SAr),
> 
>         3). I -> M -> R: (g^i, Ni),
> 
>         4). R -> M: (g^r, Nr),
> 
>         5). M -> I: (g^q, Nr),
>             I computes:
>               * shared secret g^iq,
>               * sd = f(s, (g^iq, CKYi, CKYr, 0)),
>               * sa = f(s, (sd, g^iq, CKYi, CKYr, 1)),
>               * digi = f(s, (g^q, g^i, CKYi, CKYr, SAi, IDi)),
>               * k = f(s, (sa, g^iq, CKYi, CKYr, 2)).
> 
>         6). I -> R: {(IDi, digi)}_k,
> 
>         7). M causes session failure through denial of service.
> 
> After the adversary computes k (knowing everything) she decrypts


How does the adversary know everything to compute k ???
The initiator uses the pw shared with R (not M) to compute s
and derive k. Does the adversary know pw in advance?


> digi and again conducts an off-line dictionary attack.  For all
> candidate passwords pw*, she computes:
> 
>         s* = f(pw*, (Ni, Nr)),
> and
>         digi* = f(s*, (g^i, g^q, CKYi, CKYr, SAi, IDi)).
> 
> If digi = digi*, then with high probability pw = pw*.  The only
> difference is that we must now bring in part of the active
> attack early.
> 
> Note:  There is also a way to do this without being detected.
> If the active attack against Diffie-Hellman described in [HAC]
> is used during phase 1, the adversary can conduct a
> brute-force search for pw and k together...
> 
> Cheers,
> 
> John
> 
> 
> 
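The following is an added simulation, not code from either poster, of the Main Mode exchange as written above with M substituting g^q for g^r in step 5. It exists to make the mechanics of the last two messages concrete: in this model M never holds k in advance; every candidate pw* yields its own s*, k* and digi*, and a single captured message 5 acts as a password verifier because s enters both the key derivation and the digest. The function f is modelled as HMAC-SHA256, the DH group is a toy Mersenne-prime group, and {.}_k is a toy XOR keystream; none of this is the IKE wire format or its real key derivation, and the concrete values (cookies, nonces, SAi, IDi, the dictionary) are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only (not an IKE group).
P = 2**127 - 1
G = 3


def enc(x):
    """Canonical byte encoding for the items passed to f()."""
    if isinstance(x, int):
        return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if isinstance(x, str):
        return x.encode()
    return bytes(x)


def f(key, items):
    """The keyed one-way function f(key, (a, b, ...)) of the thread, modelled as HMAC-SHA256."""
    msg = b"".join(len(enc(i)).to_bytes(2, "big") + enc(i) for i in items)
    return hmac.new(key, msg, hashlib.sha256).digest()


def keystream(k, n):
    """HMAC-derived keystream for the toy {.}_k encryption (assumption, not IKE's cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += f(k, ("ks", ctr))
        ctr += 1
    return out[:n]


def xor_crypt(k, data):
    """{data}_k : toy symmetric encryption, symmetric for decryption."""
    return bytes(a ^ b for a, b in zip(data, keystream(k, len(data))))


def derive_k(s, shared, ckyi, ckyr):
    """sd, sa, k exactly as listed in step 5 above, with s as the key."""
    sd = f(s, (shared, ckyi, ckyr, 0))
    sa = f(s, (sd, shared, ckyi, ckyr, 1))
    return f(s, (sa, shared, ckyi, ckyr, 2))


def initiator_message5(pw, ni, nr, ckyi, ckyr, sai, idi, i, peer_pub):
    """What I does after receiving (peer_pub, Nr): derive s, k, digi and send {(IDi, digi)}_k.
    I cannot tell whether peer_pub is g^r or M's g^q."""
    g_i = pow(G, i, P)
    shared = pow(peer_pub, i, P)
    s = f(pw, (ni, nr))
    k = derive_k(s, shared, ckyi, ckyr)
    digi = f(s, (peer_pub, g_i, ckyi, ckyr, sai, idi))
    plaintext = len(idi).to_bytes(2, "big") + idi + digi
    return xor_crypt(k, plaintext)


def offline_search(ciphertext, dictionary, g_i, q, ni, nr, ckyi, ckyr, sai):
    """M's off-line step. She knows g^i, her own q (hence g^iq), Ni, Nr, the cookies and
    SAi, but not pw. For each pw* she derives s* and k*, decrypts message 5, reads IDi
    from the plaintext and checks digi*. Returns the matching password or None."""
    g_q = pow(G, q, P)
    shared = pow(g_i, q, P)
    for pw_star in dictionary:
        s_star = f(pw_star, (ni, nr))
        k_star = derive_k(s_star, shared, ckyi, ckyr)
        pt = xor_crypt(k_star, ciphertext)
        n = int.from_bytes(pt[:2], "big")
        idi_star, digi_recv = pt[2:2 + n], pt[2 + n:]
        if len(digi_recv) != 32:          # wrong key: plaintext does not even parse
            continue
        digi_star = f(s_star, (g_q, g_i, ckyi, ckyr, sai, idi_star))
        if hmac.compare_digest(digi_star, digi_recv):
            return pw_star
    return None


def run_demo(pw=b"hunter2", dictionary=(b"letmein", b"password", b"hunter2", b"qwerty")):
    """Run steps 3-6 with M in the middle and return what the off-line search recovers."""
    ckyi, ckyr = secrets.token_bytes(8), secrets.token_bytes(8)      # constructed cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)        # constructed nonces
    sai, idi = b"SA-proposal", b"initiator@example.invalid"          # constructed values
    i = secrets.randbelow(P - 2) + 1
    q = secrets.randbelow(P - 2) + 1      # M's exponent; R's g^r never reaches I
    g_i = pow(G, i, P)                    # observed by M in step 3
    msg5 = initiator_message5(pw, ni, nr, ckyi, ckyr, sai, idi, i, pow(G, q, P))
    return offline_search(msg5, dictionary, g_i, q, ni, nr, ckyi, ckyr, sai)


if __name__ == "__main__":
    print(run_demo())
```

Two points the simulation makes visible. First, the candidate check needs no prior knowledge of k or of IDi: k* falls out of pw* and the values M already holds, and IDi is read from the trial decryption, so guessing pw and k "together" is one loop, not two. Second, the whole cost is local to M once message 5 has been captured, which is why on-line rate limiting at R does nothing against it; only a derivation in which s does not make a captured message checkable against password guesses closes it.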


