[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New XAUTH draft

To: skelly@redcreek.com
Subject: Re: New XAUTH draft
From: Paul Koning <pkoning@xedia.com>
Date: Thu, 30 Sep 1999 16:53:52 -0400
Cc: ipsec@lists.tislabs.com
References: <29752A74B6C5D211A4920090273CA3DCCDE3AF@new-exc1.ctron.com><199909301612.JAA27379@Potassium.Network-Alchemy.COM><199909301803.OAA10419@tonga.xedia.com><37F3C4BB.CBC543CB@redcreek.com>
Sender: owner-ipsec@lists.tislabs.com

>>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:

> Hmmm... how about if I capture your session and mount an offline
> known-plaintext analysis using the following from the exchange:
>
>   IPSec Host                                              Edge Device
>   --------------                                    -----------------
>                          <-- REQUEST(TYPE=RADIUS NAME="" PASSWORD="")
>   REPLY(TYPE=RADIUS NAME="joe" PASSWORD="foobar") -->
>
> Now, I know your password, and I know the preshared key. I can
> impersonate you.

The XAUTH exchange is encrypted under the IKE SA key, right?  So no,
you can't do this because you don't know that key, unless you're in
the middle as Dan and Tamir suggested.  Listening isn't sufficient.

	paul

Follow-Ups:

Re: New XAUTH draft

From: "Scott G. Kelly" <skelly@redcreek.com>

References:

RE: New XAUTH draft

From: "Waters, Stephen" <Stephen.Waters@cabletron.com>

Re: New XAUTH draft

From: Dan Harkins <dharkins@network-alchemy.com>

Re: New XAUTH draft

From: Paul Koning <pkoning@xedia.com>

Re: New XAUTH draft

From: "Scott G. Kelly" <skelly@redcreek.com>

Prev by Date: Re: anti-replay protection without IKE
Next by Date: Re: New XAUTH draft
Prev by thread: Re: New XAUTH draft
Next by thread: Re: New XAUTH draft
Index(es):
- Main
- Thread