[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New XAUTH draft

To: dharkins@network-alchemy.com
Subject: Re: New XAUTH draft
From: Paul Koning <pkoning@xedia.com>
Date: Thu, 30 Sep 1999 16:40:14 -0400
Cc: Stephen.Waters@cabletron.com, ipsec@lists.tislabs.com
References: <199909301926.PAA10520@tonga.xedia.com><199909301946.MAA27884@Potassium.Network-Alchemy.COM>
Sender: owner-ipsec@lists.tislabs.com

>>>>> "Dan" == Dan Harkins <dharkins@Network-Alchemy.COM> writes:

 Dan> On Thu, 30 Sep 1999 15:26:51 EDT you wrote
 >> Man in the middle attack?
 >> 
 >> The man in the middle has to be a member of the set authenticated
 >> by the preshared key, right?  Otherwise you can't mount that
 >> attack because main mode doesn't let joe random user do a man in
 >> the middle attack against it.

 Dan> Well your question to me was:

 Dan> "Say that you and I are both using XAUTH to authenticate with a
 Dan> central site, using a preshared key common to the three of us.
 Dan> Can you demonstrate an attack that allows you to impersonate me,
 Dan> resulting in IPSec SAs to your box that appear to be bound to my
 Dan> identity?  If so, then I would agree to your assertion."

 Dan> So yea, the man-in-the-middle has to be a member of the set
 Dan> because that was what your question was. Do you agree with my
 Dan> assertion or not?

Ok, I guess I do, to a limited extent.  See below.

 >> So now the question becomes: for applications where XAUTH would be
 >> considered, can you partition the set of clients into subsets such
 >> that the members of a particular subset are trusted not to be
 >> interested in mounting man in the middle attacks for impersonating
 >> other members of that same subset?
 >> 
 >> If yes, then each subset can share a preshared key.  (If no, then
 >> and only then is your argument against group shared keys valid for
 >> that particular application.)

 Dan> Stop moving that bar!

Am I moving the bar?  I don't think so.  I'm trying to clarify where
the bar is.

You use terms like "unauthenticated", and "man in the middle" without
any qualification -- which suggests that the protocol under discussion 
is wide open to the entire world.  Of course it isn't, and just how
far from wide open is what I'm trying to figure out.  You could have
spelled it out up front, but you didn't do that.

So let me see now if I have correctly identified the location of the
bar.

XAUTH is subject to attack:

1. only by parties that know the preshared key being used,

2. only via active man in the middle attack, not by passive attack or
by active attack not in the middle.

Is that right?

If so, then yes I would agree that this constitutes an attack on the
system.  But I don't agree that it is a sufficiently serious threat to 
condemn the entire concept, as you have been doing.  I believe (and I
think a number of others do) that there are valid applications where
XAUTH has value and this particular threat is not a significant
concern. 

So perhaps the next question is: is there consensus that this threat
is so serious that XAUTH has no meaningful applicability in the real
world?  If so, then of course the draft can't proceed.  But if the
consensus is that there are enough real world applications that can
live with this threat, then the draft can and should proceed as it
stands.

	paul

Follow-Ups:

Re: New XAUTH draft

From: Dan Harkins <dharkins@network-alchemy.com>

References:

Re: New XAUTH draft

From: Paul Koning <pkoning@xedia.com>

Re: New XAUTH draft

From: Dan Harkins <dharkins@network-alchemy.com>

Prev by Date: Re: anti-replay protection without IKE
Next by Date: Re: anti-replay protection without IKE
Prev by thread: Re: New XAUTH draft
Next by thread: Re: New XAUTH draft
Index(es):
- Main
- Thread