[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Weak authentication in Xauth and IKE
On Fri, 20 Aug 1999, John Pliam wrote:
> Jianying Zhou wrote:
>
> How does the adversary know everything to computer k ???
> The initiator uses the pw shared with R (not M) to compute s
> and derive k. Does the adversary know pw in advance?
Ha ... very good point! Thanks. :-)
I need to be more careful here... Consider the same eavesdropping
attack:
1). I -> M -> R: (CKYi, SAi),
2). R -> M -> I: (CKYr, SAr),
3). I -> M -> R: (g^i, Ni),
4). R -> M: (g^r, Nr),
5). M -> I: (g^q, Nr),
I computes:
* shared secret g^iq,
* sd = f(s, (g^iq, CKYi, CKYr, 0)),
* sa = f(s, (sd, g^iq, CKYi, CKYr, 1)),
* digi = f(s, (g^q, g^i, CKYi, CKYr, SAi, IDi)),
* k = f(s, (sa, g^iq, CKYi, CKYr, 2)).
6). I -> R: {(IDi, digi)}_k,
Now, we must modify the dictionary computations, using trial keys k*
computed from trial passwords pw*.
For each pw* in Dict do
s* = f(pw*, (Ni, Nr)).
sd* = f(s*, (g^iq, CKYi, CKYr, 0)).
sa* = f(s*, (sd*, g^iq, CKYi, CKYr, 1)).
k* = f(s*, (sa*, g^iq, CKYi, CKYr, 2)).
decrypt with k* to obtain IDi and digi.
digi* = f(s*, (g^q, g^i, CKYi, CKYr, SAi, IDi)).
if digi == digi* then
return pw*
endif
done
I still claim that if digi = digi*, then with high probability
pw = pw*.
The point is that the work factor is much less that you might
expect.
Nice Catch.
John Pliam
pliam@ima.umn.edu
http://www.ima.umn.edu/~pliam
References: