
Re: attack on identity protection in IKE



You can always see the IP address of the IKE hosts.  But that's ok.
The question is: can you see the identity of the authenticated entity
(be it a host identification or user identification)?  The answer
is: no.  IKE isn't using raw RSA on the identity, that would be
stupid (and insecure, as you point out).  It would also lead to
traffic-analysis attacks, where the same identity would encrypt to
the same ciphertext.  PKCS solves both of these problems, as already
mentioned, by adding random padding to extend the actual message
out to the size of the RSA key.

-derek

pau@watson.ibm.com writes:

> > Date: Tue, 24 Aug 1999 11:25:59 +0800 (SGT)
> > From: Jianying Zhou <jyzhou@krdl.org.sg>
> > To: ipsec@lists.tislabs.com
> > Cc: Jianying Zhou <jyzhou@krdl.org.sg>
> > Subject: attack on identity protection in IKE
> > 
> > Identity protection is a feature of the main mode protocol. However,
> > an attack is possible for the main mode protocol using public key
> > encryption for authentication (when RSA is the encryption algorithm).
> > 
> > In that protocol, the peer's identity payload is encrypted with the
> > other party's public key. When the ID is only a 32-bit IP address,
> > it is easy to find the encrypted ID by the brute force attack.
> 
> Yes. But IP address is exposed anyway. It is in the IP header.
> > 
> > The main mode protocol using revised mode of public key encryption
> > does not suffer from the attack.
> > 
> > Jianying
> > ---------------------------------------------------------------------
> > Dr. Jianying Zhou        | Tel:   +65-8742585
> > Kent Ridge Digital Labs  | Fax:   +65-7744990
> > 21 Heng Mui Keng Terrace | Email: jyzhou@krdl.org.sg
> > Singapore 119613         | WWW:   http://www.krdl.org.sg
> > ---------------------------------------------------------------------
> > 
> > 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
       warlord@MIT.EDU                        PGP key available
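
Added example, not part of the original message and not code from any IKE implementation: it contrasts raw RSA with randomly padded RSA on a 32-bit identity, showing why the padded ciphertext neither repeats nor confirms a guessed ID. The toy key, the sample ID, the function names and the choice of the PKCS #1 v1.5 encryption block layout are assumptions made for the illustration.

```python
import secrets

# Constructed toy RSA key built from two Mersenne primes: illustration only, not secure.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (25)


def raw_encrypt(msg: bytes) -> int:
    """Raw RSA on the bare message: deterministic, same ID gives same ciphertext."""
    return pow(int.from_bytes(msg, "big"), E, N)


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """PKCS #1 v1.5 encryption block: 00 02 <nonzero random PS> 00 <msg>."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), E, N)


def pkcs1_decrypt(ct: int) -> bytes:
    em = pow(ct, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)          # PS has no zero bytes, so this is the separator
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]


def guess_confirmed(observed: int, candidate: bytes, encrypt) -> bool:
    """True if re-encrypting a candidate ID reproduces the observed ciphertext."""
    return encrypt(candidate) == observed


ident = bytes([192, 0, 2, 17])         # constructed 32-bit ID (IPv4 documentation range)

if __name__ == "__main__":
    print("raw RSA, guess confirmed:", guess_confirmed(raw_encrypt(ident), ident, raw_encrypt))
    print("PKCS #1, guess confirmed:", guess_confirmed(pkcs1_encrypt(ident), ident, pkcs1_encrypt))
    print("PKCS #1 round trip ok:   ", pkcs1_decrypt(pkcs1_encrypt(ident)) == ident)
```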

