Re: Weak authentication in Xauth and IKE
On Fri, 20 Aug 1999, John Pliam wrote:
> Jianying Zhou wrote:
>
> > The attack can only be applied to the aggressive mode, not the main mode.
> > In the main mode, digi, IDi and digr, IDr are encrypted with se (not
> > listed in your notation). Hence, the off-line dictionary attack on the
> > main mode is impossible.
>
> I disagree. I didn't mean to imply that the attack I presented
> for Aggressive Mode would apply verbatim to Main Mode, but
> rather mutatis mutandis (whatever that means :-). I'll give
> the painful details. Given my notation, Main Mode amounts to:
>
> 1). I -> R: (CKYi, SAi),
>
> 2). R -> I: (CKYr, SAr),
>
> 3). I -> R: (g^i, Ni),
>
> 4). R -> I: (g^r, Nr),
>
> 5). I -> R: {(IDi, digi)}_k,
>
> 6). R -> I: {(IDr, digr)}_k.
>
> Again digi would contain all we need for a dictionary attack if
> we could decrypt it. So the obvious thing to do is to actively
> force the secret used to encrypt digi to be common to I and
> adversary M. That is accomplished as follows:
>
> 1). I -> M -> R: (CKYi, SAi),
>
> 2). R -> M -> I: (CKYr, SAr),
>
> 3). I -> M -> R: (g^i, Ni),
>
> 4). R -> M: (g^r, Nr),
>
> 5). M -> I: (g^q, Nr),
> I computes:
> * shared secret g^iq,
> * sd = f(s, (g^iq, CKYi, CKYr, 0)),
> * sa = f(s, (sd, g^iq, CKYi, CKYr, 1)),
> * digi = f(s, (g^q, g^i, CKYi, CKYr, SAi, IDi)),
> * k = f(s, (sa, g^iq, CKYi, CKYr, 2)).
>
> 6). I -> R: {(IDi, digi)}_k,
>
> 7). M causes session failure through denial of service.
>
> After the adversary computes k (knowing everything) she decrypts
How does the adversary know everything to compute k ???
The initiator uses the pw shared with R (not M) to compute s
and derive k. Does the adversary know pw in advance?
> digi and again conducts an off-line dictionary attack. For all
> candidate passwords pw*, she computes:
>
> s* = f(pw*, (Ni, Nr)),
> and
> digi* = f(s*, (g^i, g^q, CKYi, CKYr, SAi, IDi)).
>
> If digi = digi*, then with high probability pw = pw*. The only
> difference is that we must now bring in part of the active
> attack early.
>
> Note: There is also a way to do this without being detected.
> If the active attack against Diffie-Hellman described in [HAC]
> is used during phase 1, the adversary can conduct a
> brute-force search for pw and k together...
>
> Cheers,
>
> John
>
>
>
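An added toy model of the Main Mode exchange quoted above (this is not code from either poster, and it talks to no IKE implementation). It follows the key schedule exactly as listed in step 5 of the quoted message, with f modelled as HMAC-SHA256 over length-prefixed fields, a small prime-field group and an HMAC keystream cipher standing in for the real ones (all constructed assumptions), and digi computed over (g^i, g^q, CKYi, CKYr, SAi, IDi) in the order used in the verification step. Its purpose is to settle the question asked in the reply: once M has substituted g^q, every input to s, sd, sa and k other than pw is either public or chosen by M, so the combined search for pw and k costs one derivation per dictionary entry. The second run, with a 32-byte random pre-shared key, shows the practical mitigation from the defender's side: the search is bounded by the candidate list and finds nothing.

```python
"""Toy model of the Main Mode derivation quoted in the thread.

Assumptions (not from the thread): f is HMAC-SHA256 over length-prefixed
fields, the DH group is a small prime field chosen only so the script runs
quickly, and {m}_k is an XOR with an HMAC-derived keystream.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # constructed toy modulus, NOT an IKE group
G = 5                # constructed generator for the toy group


def to_bytes(x):
    """Encode ints big-endian; pass bytes through unchanged."""
    if isinstance(x, int):
        return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return x


def f(key, parts):
    """The keyed function f of the thread, modelled as HMAC-SHA256 (assumption)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        b = to_bytes(part)
        mac.update(len(b).to_bytes(2, "big") + b)
    return mac.digest()


def keystream(k, n):
    """Toy stream cipher: concatenated HMAC blocks under k (assumption)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += f(k, (b"stream", ctr))
        ctr += 1
    return out[:n]


def encrypt(k, m):
    return bytes(a ^ b for a, b in zip(m, keystream(k, len(m))))


decrypt = encrypt  # XOR keystream is its own inverse


def schedule(pw, Ni, Nr, shared, CKYi, CKYr):
    """s, sd, sa, k exactly as listed in step 5 of the quoted message."""
    s = f(pw, (Ni, Nr))
    sd = f(s, (shared, CKYi, CKYr, 0))
    sa = f(s, (sd, shared, CKYi, CKYr, 1))
    k = f(s, (sa, shared, CKYi, CKYr, 2))
    return s, k


def initiator_message5(pw, CKYi, CKYr, SAi, IDi, i, gr_received, Ni, Nr):
    """I builds {(IDi, digi)}_k from whatever 'g^r' value it received."""
    shared = pow(gr_received, i, P)
    s, k = schedule(pw, Ni, Nr, shared, CKYi, CKYr)
    gi = pow(G, i, P)
    digi = f(s, (gi, gr_received, CKYi, CKYr, SAi, IDi))
    return encrypt(k, IDi + digi)   # digi is the fixed-length 32-byte tail


def transcript_with_substituted_dh(pw, IDi, q):
    """Messages 1-5 of the quoted exchange: M relays 1-3 and sends g^q in place of g^r.
    Returns only what M sees or chose; pw and i are deliberately not included."""
    CKYi, CKYr = secrets.token_bytes(8), secrets.token_bytes(8)
    SAi = b"constructed-SA-proposal"
    Ni, Nr = secrets.token_bytes(16), secrets.token_bytes(16)
    i = secrets.randbelow(P - 2) + 1           # I's private exponent, unknown to M
    gi = pow(G, i, P)
    gq = pow(G, q, P)                          # M's own value, sent to I in step 5
    c5 = initiator_message5(pw, CKYi, CKYr, SAi, IDi, i, gq, Ni, Nr)
    return dict(CKYi=CKYi, CKYr=CKYr, SAi=SAi, Ni=Ni, Nr=Nr, gi=gi, q=q, c5=c5)


def dictionary_search(view, candidates):
    """The off-line search from the thread: for each pw*, derive s* and k*,
    decrypt message 5, recompute digi* and compare.
    Returns (matching pw or None, number of candidates tried)."""
    shared = pow(view["gi"], view["q"], P)     # g^iq: M knows q, so this is computable
    gq = pow(G, view["q"], P)
    for n, pw in enumerate(candidates, 1):
        s, k = schedule(pw, view["Ni"], view["Nr"], shared, view["CKYi"], view["CKYr"])
        pt = decrypt(k, view["c5"])
        IDi, digi = pt[:-32], pt[-32:]
        expected = f(s, (view["gi"], gq, view["CKYi"], view["CKYr"], view["SAi"], IDi))
        if hmac.compare_digest(digi, expected):
            return pw, n
    return None, len(candidates)


if __name__ == "__main__":
    words = [b"password", b"letmein", b"winter99", b"zzz"]   # constructed candidate list
    weak = transcript_with_substituted_dh(b"winter99", b"alice@example.test", 12345)
    print("low-entropy pw:", dictionary_search(weak, words))
    strong = transcript_with_substituted_dh(secrets.token_bytes(32), b"alice@example.test", 777)
    print("random 32-byte pw:", dictionary_search(strong, words))
```

The only secret the search has to guess is pw; i never enters M's computation because M pairs her own q with the public g^i. That is why the strength of a pre-shared key used this way rests entirely on its entropy: a key drawn uniformly from 256 bits is as safe against this search as against a direct guess.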