
Re: attack on identity protection in IKE



On 26 Aug 99 at 10:34, Ari Huttunen wrote:

> Tell me if I'm wrong, but I don't think main mode with
> either preshared keys or digital signatures protects the
> identity of the initiator against an active attack.

Preshared keys do protect, while digital signatures don't.

> Anybody capable of sending / receiving IP packets
> corresponding to the real responder will be able to
> get that identity. This does not apply to either
> encryption mode.

Correct.

> Ari

Regards,
Valery Smyslov.

> 
> Derek Atkins wrote:
> 
> > You can always see the IP address of the IKE hosts.  But that's ok.
> > The question is: can you see the identity of the authenticated entity
> > (be it a host identification or user identification)?  The answer
> > is: no.  IKE isn't using raw RSA on the identity, that would be
> > stupid (and insecure, as you point out).  It would also lead to
> > traffic-analysis attacks, where the same identity would encrypt to
> > the same ciphertext.  PKCS solves both of these problems, as already
> > mentioned, by adding random padding to extend the actual message
> > out to the size of the RSA key.
> >
> > -derek
> >
> > pau@watson.ibm.com writes:
> >
> > > > Date: Tue, 24 Aug 1999 11:25:59 +0800 (SGT)
> > > > From: Jianying Zhou <jyzhou@krdl.org.sg>
> > > > To: ipsec@lists.tislabs.com
> > > > Cc: Jianying Zhou <jyzhou@krdl.org.sg>
> > > > Subject: attack on identity protection in IKE
> > > >
> > > > Identity protection is a feature of the main mode protocol. However,
> > > > an attack is possible for the main mode protocol using public key
> > > > encryption for authentication (when RSA is the encryption algorithm).
> > > >
> > > > In that protocol, the peer's identity payload is encrypted with the
> > > > other party's public key. When the ID is only a 32-bit IP address,
> > > > it is easy to find the encrypted ID by the brute force attack.
> > >
> > > Yes. But IP address is exposed anyway. It is in the IP header.
> > > >
> > > > The main mode protocol using revised mode of public key encryption
> > > > does not suffer from the attack.
> > > >
> > > > Jianying
> > > > ---------------------------------------------------------------------
> > > > Dr. Jianying Zhou        | Tel:   +65-8742585
> > > > Kent Ridge Digital Labs  | Fax:   +65-7744990
> > > > 21 Heng Mui Keng Terrace | Email: jyzhou@krdl.org.sg
> > > > Singapore 119613         | WWW:   http://www.krdl.org.sg
> > > > ---------------------------------------------------------------------
> > > >
> > > >
> >
> > --
> >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >        Member, MIT Student Information Processing Board  (SIPB)
> >        URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
> >        warlord@MIT.EDU                        PGP key available
> 
> --
> Ari Huttunen                   GSM: +358 40 5524634
> Senior Software Engineer       fax : +358 9 8599 xxxx
> 
> Data Fellows Corporation       http://www.DataFellows.com
> 
> F-Secure products: Integrated Solutions for Enterprise Security
> 
> 
> 
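The padding point made in the thread above, as an added example that is not part of the original messages or of any IKE implementation: raw RSA over a 4-byte ID is deterministic, so a guessed address can be confirmed by re-encrypting it, while the PKCS#1 v1.5 random padding Derek Atkins describes makes every encryption of the same ID different. The toy key, the 192.0.2.0/24 candidate set and all function names are assumptions constructed for illustration.

```python
import ipaddress
import secrets

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

def raw_encrypt(msg: bytes) -> int:
    """Textbook RSA: the same input always yields the same ciphertext."""
    return pow(int.from_bytes(msg, "big"), E, N)

def pkcs1_encrypt(msg: bytes) -> int:
    """PKCS#1 v1.5 encryption block: 00 02 <nonzero random PS> 00 <msg>."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    block = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(block, "big"), E, N)

def pkcs1_decrypt(ct: int) -> bytes:
    """Recover the message; the random padding is discarded by the receiver."""
    block = pow(ct, D, N).to_bytes(K, "big")
    if block[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = block.index(b"\x00", 2)      # first zero byte after PS
    if sep < 10:
        raise ValueError("padding string shorter than 8 bytes")
    return block[sep + 1:]

def confirm_guess(observed: int, candidates, encrypt) -> list:
    """Candidates whose fresh encryption equals the observed ciphertext."""
    return [str(ip) for ip in candidates if encrypt(ip.packed) == observed]

# Constructed sample data from the RFC 5737 documentation range.
SUBNET = list(ipaddress.ip_network("192.0.2.0/24").hosts())
IDENTITY = ipaddress.ip_address("192.0.2.77")

if __name__ == "__main__":
    print("raw RSA   :", confirm_guess(raw_encrypt(IDENTITY.packed), SUBNET, raw_encrypt))
    print("PKCS#1 pad:", confirm_guess(pkcs1_encrypt(IDENTITY.packed), SUBNET, pkcs1_encrypt))
```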

