
Re: New XAUTH draft




>>>>> "Tamir" == Tamir Zegman <zegman@checkpoint.com> writes:
    Tamir> Actually I think I can give you such an attack.  Assume that Paul
    Tamir> and Daniel have the same shared key to connect to Security Gateway
    Tamir> (SG).  Daniel can mount a simple man in the middle attack - When
    Tamir> Paul tries to connect to SG, Daniel spoofs the SG and

  No need for IPsec to do this attack.

  This attack was demonstrated years ago on multiple token authentication
systems used to "secure" telnet connections. This attack is inherent in
token authentication systems that authenticate only the client to the
server, and not the server to the client.
  There are challenge/response systems (some can involve tokens) that do
not have this property that XAUTH could mediate.
  
  Dan, I have a question (even though I've been trying hard to delete every
message that says "XAUTH" or "Hybrid" in it), do *you* prefer hybrid to XAUTH?

] Train travel features AC outlets with no take-off restrictions|  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

