
Re: attack on identity protection in IKE



On 27 Aug 99 at 15:14, Yael Dayan wrote:

> Valery Smyslov wrote:
> 
> > ... Preshared keys do protect, while digital signatures don't.
> >
> 
> Preshared keys don't either, but not because of an attack.
> The identity of the initiator is its IP address, otherwise the responder will
> not know which preshared key to use to decrypt the fifth message.

It need not necessarily be so. The problem of selecting a proper key is 
a different issue and, under some circumstances, can be solved by 
different means. Eventually, the responder can try every key he has 
(trying to decrypt the fifth message and to verify HASH_I) until he 
finds the key. After that he gets IDii and can verify whether the key 
he used really belongs to the initiator. In this case IDii can be of 
any type and is not exposed to an attacker. This is NOT a good approach 
due to its non-scalability, but it is quite allowable. Note also 
that with a group shared secret the individual identity is not exposed 
either (in this case the attacker may only learn that somebody from the 
group is participating, but not who exactly).

Regards,
Valera.
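The key-selection-by-trial that Valery describes above, written out as an added example; this is not code from the original message or from any IKE implementation. Assumptions: HMAC-SHA256 stands in for the negotiated prf, an HMAC-derived keystream stands in for the negotiated CBC cipher, and the Diffie-Hellman values g^xi, g^xr and g^xy are constructed random bytes. The SKEYID, SKEYID_e and HASH_I formulas otherwise follow RFC 2409 section 5 for pre-shared-key authentication. The key table, identities and pre-shared keys are constructed for the demonstration.

```python
"""Responder-side pre-shared-key trial for IKEv1 main mode, message 5.

Simplified model of RFC 2409 main mode with pre-shared-key authentication.
Assumptions (not IKE as specified): HMAC-SHA256 is the prf, a keystream built
from HMAC-SHA256 stands in for the negotiated CBC cipher, and the DH values
are constructed random bytes. Identities are arbitrary byte strings, so IDii
need not be an IP address and is never sent in the clear.
"""
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Exchange:
    """Constructed state both peers hold after messages 1-4."""

    def __init__(self):
        self.cky_i = os.urandom(8)
        self.cky_r = os.urandom(8)
        self.ni = os.urandom(16)
        self.nr = os.urandom(16)
        self.gxi = os.urandom(32)   # stand-in for g^xi
        self.gxr = os.urandom(32)   # stand-in for g^xr
        self.gxy = os.urandom(32)   # stand-in for the DH shared secret g^xy
        self.sai_b = b"constructed-SA-payload-body"


def skeyid_psk(psk: bytes, ex: Exchange) -> bytes:
    # RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ex.ni + ex.nr)


def skeyid_e(skeyid: bytes, ex: Exchange) -> bytes:
    # RFC 2409 section 5: SKEYID_d -> SKEYID_a -> SKEYID_e chain
    d = prf(skeyid, ex.gxy + ex.cky_i + ex.cky_r + b"\x00")
    a = prf(skeyid, d + ex.gxy + ex.cky_i + ex.cky_r + b"\x01")
    return prf(skeyid, a + ex.gxy + ex.cky_i + ex.cky_r + b"\x02")


def hash_i(skeyid: bytes, ex: Exchange, idii_b: bytes) -> bytes:
    # RFC 2409 section 5:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, ex.gxi + ex.gxr + ex.cky_i + ex.cky_r + ex.sai_b + idii_b)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the CBC cipher keyed with SKEYID_e (assumption)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += prf(key, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def build_message5(psk: bytes, ex: Exchange, idii_b: bytes) -> bytes:
    """Initiator: message 5 = E_SKEYID_e(len(IDii) | IDii | HASH_I)."""
    sk = skeyid_psk(psk, ex)
    plain = len(idii_b).to_bytes(2, "big") + idii_b + hash_i(sk, ex, idii_b)
    return keystream_xor(skeyid_e(sk, ex), plain)


def responder_select_key(msg5: bytes, ex: Exchange, key_table: dict):
    """Responder: try every distinct pre-shared key until HASH_I verifies,
    then check that the recovered IDii really owns that key.
    key_table maps IDii -> pre-shared key (several IDs may share one key).
    Returns (IDii or None, number of keys tried); cost is linear in the table.
    """
    tried = 0
    for candidate in dict.fromkeys(key_table.values()):   # dedupe, keep order
        tried += 1
        sk = skeyid_psk(candidate, ex)
        plain = keystream_xor(skeyid_e(sk, ex), msg5)
        idlen = int.from_bytes(plain[:2], "big")
        idii_b, h = plain[2:2 + idlen], plain[2 + idlen:]
        if len(h) != 32 or not hmac.compare_digest(h, hash_i(sk, ex, idii_b)):
            continue            # wrong key: HASH_I does not verify
        if key_table.get(idii_b) != candidate:
            continue            # HASH_I verified, but this key was not issued to IDii
        return idii_b, tried
    return None, tried
```

The second check matters: a peer holding key K could otherwise put any IDii into message 5 and still produce a valid HASH_I under K, so the responder must confirm that the identity it recovered is one K was actually issued to. With a group secret several identities share one key and the check passes for any member, which is exactly the case where an eavesdropper (or the responder's key-trial loop) learns only group membership.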

> > > Anybody capable of sending / receiving IP packets
> > > corresponding to the real responder will be able to
> > > get that identity. This does not apply to either
> > > encryption mode.
> >
> > Correct.
> >
> > > Ari
> >
> > Regards,
> > Valery Smyslov.
> >
> > >
> > > Derek Atkins wrote:
> > >
> > > > You can always see the IP address of the IKE hosts.  But that's ok.
> > > > The question is: can you see the identity of the authenticated entity
> > > > (be it a host identification or user identification)?  The answer
> > > > is: no.  IKE isn't using raw RSA on the identity, that would be
> > > > stupid (and insecure, as you point out).  It would also lead to
> > > > traffic-analysis attacks, where the same identity would encrypt to
> > > > the same ciphertext.  PKCS solves both of these problems, as already
> > > > mentioned, by adding random padding to extend the actual message
> > > > out to the size of the RSA key.
> > > >
> > > > -derek
> > > >
> > > > pau@watson.ibm.com writes:
> > > >
> > > > > > Date: Tue, 24 Aug 1999 11:25:59 +0800 (SGT)
> > > > > > From: Jianying Zhou <jyzhou@krdl.org.sg>
> > > > > > To: ipsec@lists.tislabs.com
> > > > > > Cc: Jianying Zhou <jyzhou@krdl.org.sg>
> > > > > > Subject: attack on identity protection in IKE
> > > > > >
> > > > > > Identity protection is a feature of the main mode protocol. However,
> > > > > > an attack is possible for the main mode protocol using public key
> > > > > > encryption for authentication (when RSA is the encryption algorithm).
> > > > > >
> > > > > > In that protocol, the peer's identity payload is encrypted with the
> > > > > > other party's public key. When the ID is only a 32-bit IP address,
> > > > > > it is easy to find the encrypted ID by the brute force attack.
> > > > >
> > > > > Yes. But IP address is exposed anyway. It is in the IP header.
> > > > > >
> > > > > > The main mode protocol using revised mode of public key encryption
> > > > > > does not suffer from the attack.
> > > > > >
> > > > > > Jianying
> > > > > > ---------------------------------------------------------------------
> > > > > > Dr. Jianying Zhou        | Tel:   +65-8742585
> > > > > > Kent Ridge Digital Labs  | Fax:   +65-7744990
> > > > > > 21 Heng Mui Keng Terrace | Email: jyzhou@krdl.org.sg
> > > > > > Singapore 119613         | WWW:   http://www.krdl.org.sg
> > > > > > ---------------------------------------------------------------------
> > > > > >
> > > > > >
> > > >
> > > > --
> > > >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > > >        Member, MIT Student Information Processing Board  (SIPB)
> > > >        URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
> > > >        warlord@MIT.EDU                        PGP key available
> > >
> > > --
> > > Ari Huttunen                   GSM: +358 40 5524634
> > > Senior Software Engineer       fax : +358 9 8599 xxxx
> > >
> > > Data Fellows Corporation       http://www.DataFellows.com
> > >
> > > F-Secure products: Integrated Solutions for Enterprise Security
> > >
> > >
> > >
> 
> 
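The attack Jianying describes and the padding Derek points to, as an added example that is not part of the original thread or of any IKE implementation: an attacker who knows the responder's public key encrypts every candidate 32-bit address and compares the result with the observed ciphertext. Against raw ("textbook") RSA this takes at most 2^32 public-key operations and the same identity always yields the same ciphertext; PKCS#1 v1.5 block type 2 padding randomises each encryption, so the guess-and-compare loop finds nothing. The key is a fixed demonstration key built from the Mersenne primes 2^61-1 and 2^89-1 (150-bit modulus), far too small for real use; the candidate range is narrowed to a /24 so the example runs in well under a second, and the addresses are constructed.

```python
"""Guessing an RSA-encrypted 32-bit identity: textbook RSA vs random padding.

Demonstration key: n = (2^61-1)(2^89-1), a 150-bit modulus. Assumption made
for the example only; real keys are 2048 bits or more, but the structure of
the attack and of the padding does not depend on the key size.
"""
import ipaddress
import os

P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes (19 here)


def rsa_textbook_encrypt(m: bytes) -> int:
    """Raw RSA: deterministic, so equal plaintexts give equal ciphertexts."""
    return pow(int.from_bytes(m, "big"), E, N)


def pkcs1_v15_pad(m: bytes) -> bytes:
    """PKCS#1 v1.5 block type 2: 00 02 <random non-zero bytes> 00 <m>."""
    if len(m) > K - 11:
        raise ValueError("message too long for the modulus")
    ps = b""
    while len(ps) < K - 3 - len(m):
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + ps + b"\x00" + m


def pkcs1_v15_unpad(em: bytes) -> bytes:
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = em.index(b"\x00", 2)
    return em[sep + 1:]


def rsa_padded_encrypt(m: bytes) -> int:
    """RSA over a randomly padded block: a fresh ciphertext every time."""
    return pow(int.from_bytes(pkcs1_v15_pad(m), "big"), E, N)


def rsa_padded_decrypt(c: int) -> bytes:
    em = pow(c, D, N).to_bytes(K, "big")
    return pkcs1_v15_unpad(em)


def id_ipv4(addr: str) -> bytes:
    """Body of an ID_IPV4_ADDR identification payload: the 4-byte address."""
    return ipaddress.IPv4Address(addr).packed


def guess_encrypted_id(ciphertext: int, candidate_prefix: str, encrypt):
    """Attacker: encrypt each candidate address under the responder's public
    key and compare with the observed ciphertext. Needs only the public key.
    Returns the recovered address, or None if no candidate matches."""
    for addr in ipaddress.IPv4Network(candidate_prefix):
        if encrypt(id_ipv4(str(addr))) == ciphertext:
            return str(addr)
    return None
```

Usage: encrypt an address with rsa_textbook_encrypt and pass the ciphertext plus a candidate prefix to guess_encrypted_id; the address comes straight back. Repeat with rsa_padded_encrypt and the same loop returns None, while rsa_padded_decrypt still recovers the address for the legitimate holder of D. The padded ciphertext also differs on every call for the same address, which is the traffic-analysis point in Derek's message.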

