[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: attack on identity protection in IKE
Valery Smyslov wrote:
> ... Preshared keys do protect, while digital signatures don't.
>
Preshared keys don't either, but not because of an attack.
The identity of the initiator is it's IP address, otherwise, the responder will
not know which preshared key to use to decrypt the fifth message.
>
> > Anybody capable of sending / receiving IP packets
> > corresponding to the real responder will be able to
> > get that identity. This does not apply to either
> > encryption mode.
>
> Correct.
>
> > Ari
>
> Regards,
> Valery Smyslov.
>
> >
> > Derek Atkins wrote:
> >
> > > You can always see the IP address of the IKE hosts. But that's ok.
> > > The question is: can you see the identity of the authenticated entity
> > > (be it a host identification or user indentification)? The answer
> > > is: no. IKE isn't using raw RSA on the identity, that would be
> > > stupid (and insecure, as you point out). It would also lead to
> > > traffic-analysis attacks, where the same identity would encrypt to
> > > the same ciphertext. PKCS solves both of these problems, as already
> > > mentioned, by adding random padding to extend the actual message
> > > out to the size of the RSA key.
> > >
> > > -derek
> > >
> > > pau@watson.ibm.com writes:
> > >
> > > > > Date: Tue, 24 Aug 1999 11:25:59 +0800 (SGT)
> > > > > From: Jianying Zhou <jyzhou@krdl.org.sg>
> > > > > To: ipsec@lists.tislabs.com
> > > > > Cc: Jianying Zhou <jyzhou@krdl.org.sg>
> > > > > Subject: attack on identity protection in IKE
> > > > >
> > > > > Identity protection is a feature of the main mode protocol. However,
> > > > > an attack is possible for the main mode protocol using public key
> > > > > encryption for authentication (when RSA is the encryption algorithm).
> > > > >
> > > > > In that protocol, the peer's identity payload is encrypted with the
> > > > > other party's public key. When the ID is only a 32-bit IP address,
> > > > > it is easy to find the encrypted ID by the brute force attack.
> > > >
> > > > Yes. But IP addess is exposed anyway. It is in the IP header.
> > > > >
> > > > > The main mode protocol using revised mode of public key encryption
> > > > > does not suffer from the attack.
> > > > >
> > > > > Jianying
> > > > > ---------------------------------------------------------------------
> > > > > Dr. Jianying Zhou | Tel: +65-8742585
> > > > > Kent Ridge Digital Labs | Fax: +65-7744990
> > > > > 21 Heng Mui Keng Terrace | Email: jyzhou@krdl.org.sg
> > > > > Singapore 119613 | WWW: http://www.krdl.org.sg
> > > > > ---------------------------------------------------------------------
> > > > >
> > > > >
> > >
> > > --
> > > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > > Member, MIT Student Information Processing Board (SIPB)
> > > URL: http://web.mit.edu/warlord/ PP-ASEL N1NWH
> > > warlord@MIT.EDU PGP key available
> >
> > --
> > Ari Huttunen GSM: +358 40 5524634
> > Senior Software Engineer fax : +358 9 8599 xxxx
> >
> > Data Fellows Corporation http://www.DataFellows.com
> >
> > F-Secure products: Integrated Solutions for Enterprise Security
> >
> >
> >
Follow-Ups:
References: