
Re: attack on identity protection in IKE



Tell me if I'm wrong, but I don't think main mode with
either preshared keys or digital signatures protects the
identity of the initiator against an active attack.
Anybody capable of sending / receiving IP packets
corresponding to the real responder will be able to
get that identity. This does not apply to either
encryption mode.

Ari

Derek Atkins wrote:

> You can always see the IP address of the IKE hosts.  But that's ok.
> The question is: can you see the identity of the authenticated entity
> (be it a host identification or user identification)?  The answer
> is: no.  IKE isn't using raw RSA on the identity, that would be
> stupid (and insecure, as you point out).  It would also lead to
> traffic-analysis attacks, where the same identity would encrypt to
> the same ciphertext.  PKCS solves both of these problems, as already
> mentioned, by adding random padding to extend the actual message
> out to the size of the RSA key.
>
> -derek
>
> pau@watson.ibm.com writes:
>
> > > Date: Tue, 24 Aug 1999 11:25:59 +0800 (SGT)
> > > From: Jianying Zhou <jyzhou@krdl.org.sg>
> > > To: ipsec@lists.tislabs.com
> > > Cc: Jianying Zhou <jyzhou@krdl.org.sg>
> > > Subject: attack on identity protection in IKE
> > >
> > > Identity protection is a feature of the main mode protocol. However,
> > > an attack is possible for the main mode protocol using public key
> > > encryption for authentication (when RSA is the encryption algorithm).
> > >
> > > In that protocol, the peer's identity payload is encrypted with the
> > > other party's public key. When the ID is only a 32-bit IP address,
> > > it is easy to find the encrypted ID by the brute force attack.
> >
> > Yes. But IP address is exposed anyway. It is in the IP header.
> > >
> > > The main mode protocol using revised mode of public key encryption
> > > does not suffer from the attack.
> > >
> > > Jianying
> > > ---------------------------------------------------------------------
> > > Dr. Jianying Zhou        | Tel:   +65-8742585
> > > Kent Ridge Digital Labs  | Fax:   +65-7744990
> > > 21 Heng Mui Keng Terrace | Email: jyzhou@krdl.org.sg
> > > Singapore 119613         | WWW:   http://www.krdl.org.sg
> > > ---------------------------------------------------------------------
> > >
> > >
>
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
>        warlord@MIT.EDU                        PGP key available

--
Ari Huttunen                   GSM: +358 40 5524634
Senior Software Engineer       fax : +358 9 8599 xxxx

Data Fellows Corporation       http://www.DataFellows.com

F-Secure products: Integrated Solutions for Enterprise Security
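
The contrast drawn in the quoted replies between unpadded RSA on a 32-bit ID and PKCS random padding, as an added example that is not part of the original thread or of any IKE implementation. The toy key (two Mersenne primes), the address 192.0.2.10 and all function names are constructed for illustration; the padding layout follows PKCS #1 v1.5 encryption.

```python
import ipaddress
import secrets

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes


def raw_encrypt(id_bytes: bytes) -> int:
    """Unpadded ("raw") RSA: the same ID always gives the same ciphertext."""
    return pow(int.from_bytes(id_bytes, "big"), E, N)


def pkcs1_v15_encrypt(id_bytes: bytes) -> int:
    """EME-PKCS1-v1_5: 00 02 || nonzero random PS || 00 || M."""
    ps_len = K - len(id_bytes) - 3
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    em = b"\x00\x02" + ps + b"\x00" + id_bytes
    return pow(int.from_bytes(em, "big"), E, N)


def pkcs1_v15_decrypt(ciphertext: int) -> bytes:
    """Recover M, rejecting blocks without the 00 02 ... 00 structure."""
    em = pow(ciphertext, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)          # first zero byte after the 00 02 header
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]


def guess_confirmed(observed: int, candidate: bytes, encrypt) -> bool:
    """What an observer holding only the public key can test."""
    return encrypt(candidate) == observed


ID = ipaddress.IPv4Address("192.0.2.10").packed   # constructed 32-bit ID

if __name__ == "__main__":
    print("raw   :", hex(raw_encrypt(ID)), hex(raw_encrypt(ID)))
    print("padded:", hex(pkcs1_v15_encrypt(ID)), hex(pkcs1_v15_encrypt(ID)))
```

With the raw function a candidate ID can be confirmed by re-encrypting it under the public key; with the padded function each encryption draws fresh random bytes, so the comparison fails even for the correct ID.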



