[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Anonymous IKE phase 1 -mode

To: Ari Huttunen <Ari.Huttunen@datafellows.com>
Subject: Re: Anonymous IKE phase 1 -mode
From: Tamir Zegman <zegman@checkpoint.com>
Date: Tue, 23 Nov 1999 09:55:27 +0200
CC: ipsec-list <ipsec@lists.tislabs.com>
Organization: Check Point
References: <383985D3.FFDE9765@DataFellows.com>
Sender: owner-ipsec@lists.tislabs.com

Hi Ari,
See my comments below:

Ari Huttunen wrote:

> Somehow I have a feeling this idea will be shot dead, but
> I think there's some good to be had by it, so I'll give
> it a try...
>
> Basically the problem is that traditional Internet communications
> have been based on "authentication by IP addresses". This has
> one good quality (only) that I can think of: it is available to
> absolutely everyone in the Internet. IKE requires more, which
> means that it's not available to absolutely everyone. This in turn
> means that you can't encrypt your communications with that sort
> of a peer either. This in turn helps things like ECHELON.
>
> If there existed an IKE phase 1 mode that would not do any more
> authentication than what is provided by IP addresses, all Internet
> communications could become encrypted at once. This would make
> large scale Internet surveillance like ECHELON harder, because
> passive surveillance would no longer work, and active methods
> would be necessary.
>
> Now, I've created an IKE authentication method that was inspired
> by CRACK and SSH, and which works as follows:
>
>    Initiator                       Responder
>   -----------                     -----------
>    HDR, SAi, Ni
>                           --->
>                           <---     HDR, SAr, Nr
>    HDR, KEi, PKi, SIGi
>                           --->
>                           <---     HDR, KEr, PKr, SIGr
>
> (The signatures sign every field sent by that entity
> previously in the protocol as well as the source and
> destination IP addresses. PKx = Public Key of entity x.)
>

Signing IP addresses is NAT unfriendly.
If SIGi does not include Nr then Responder is opened to the following DoS
attack:
A and B perform this exchange.
C records the packets from A.
C then later replays these packets.

>
> This protocol has these properties:
> - After these messages I and R know they have a secure
>   channel to someone holding the private key corresponding
>   to the received public key. This someone is capable of sending
>   and receiving packets with the correct IP address.
> - Resistance to DoS attacks: The initiator has to perform a signature
>   calculation before the responder responds with KEr or SIGr.

Of course, the responder still needs to do signature verification.
Assuming you are using RSA, since the exponent is usually 3 or 65537 this
is not a problem.
However, a DoS attacker can simply select a different (larger) exponent.
So in order to protect herself from a DoS the responder needs to limit
the size of the initiator public key exponent.

>
> - Identity protection is provided. Even more protection
>   is possible by changing the IP address and the public key
>   in every session.
> - There's no protection against man-in-the-middle.
>

Yep.

>
> ps. If this idea is rejected by US persons, we can always raise
>     conspiracy theories... ;-)
>
> --
> Ari Huttunen                   phone: +358 9 859 900
> Senior Software Engineer       fax  : +358 9 8599 0452
>
> Data Fellows Corporation       http://www.DataFellows.com
>
> F-Secure products: Integrated Solutions for Enterprise Security

Tamir.

References:

Anonymous IKE phase 1 -mode

From: Ari Huttunen <Ari.Huttunen@datafellows.com>

Prev by Date: RE: Error recovery?
Next by Date: Re: Phase 1 Re-keying Implementation Identification
Prev by thread: Anonymous IKE phase 1 -mode
Next by thread: Re: Anonymous IKE phase 1 -mode
Index(es):
- Main
- Thread