
RE: Tero's draft



Andrew Krywaniuk writes:
> ... If the attacker can generate a new exchange that has the same hash as
> previous exchange then he can replay the signature from a previous exchange.
> The ability to add new pseudorandom data that contributes to HASH allows the
> attacker to test hash inputs until he gets a familiar output.

If the attacker is able to generate an input that will result in a
given hash output, then the hash algorithm is broken.

Pre-shared keys and rsa-encryption mode authentications are not
vulnerable at all to this attack, because the SKEYID used as a key
depends on information that only the related parties can know, and
those SKEYID values are different for each exchange.

For the signature mode the SKEYID is not tied to the related parties,
but it is tied to the Diffie-Hellman output. So the only way the
attacker can get that information is by doing an active attack, and if
he is going to launch a huge number of active attacks against one user,
I think it will be detected.

> I haven't actually done any feasibility calculations on this scenario based
> on cpu speeds, etc. Maybe the prf output is large enough to take this attack
> into consideration.

I don't think this kind of attack is feasible, but I can ask our
cryptographers to check it out. 
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
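The SKEYID argument above, worked through as an added example (not part of the original message). It follows the three SKEYID derivations and the HASH_I formula of RFC 2409 section 5; the choice of SHA-1 as the prf hash and every cookie, nonce, DH value and payload below are constructed illustration values.

```python
import hmac
import hashlib

# Assumption: prf is HMAC keyed with the first argument; SHA-1 is used for illustration.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid(mode: str, ni: bytes, nr: bytes, secret: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID per RFC 2409 section 5. 'secret' is the pre-shared key in psk mode and the
    DH shared secret g^xy in sig mode; rsa_enc needs none because the nonces are encrypted."""
    if mode == "psk":
        return prf(secret, ni + nr)
    if mode == "rsa_enc":
        return prf(hashlib.sha1(ni + nr).digest(), cky_i + cky_r)
    if mode == "sig":
        return prf(ni + nr, secret)
    raise ValueError(mode)

def hash_i(sk: bytes, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(sk, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

# Constructed exchange fields, not captured traffic.
CKY_I, CKY_R = b"\x11" * 8, b"\x22" * 8
GXI, GXR = b"\x33" * 16, b"\x44" * 16
SAI_B, IDII_B = b"sa-payload", b"id-payload"
SECRET = {"psk": b"shared-password", "sig": b"\x55" * 16, "rsa_enc": b""}

def legit_hash_i(mode: str, ni: bytes, nr: bytes) -> bytes:
    """HASH_I as the two legitimate peers compute it."""
    sk = skeyid(mode, ni, nr, SECRET[mode], CKY_I, CKY_R)
    return hash_i(sk, GXI, GXR, CKY_I, CKY_R, SAI_B, IDII_B)

def replay_matches(mode: str) -> bool:
    """Does HASH_I of one exchange equal HASH_I of a later one with fresh nonces?
    If not, a signature captured over the first HASH_I does not verify in the second."""
    first = legit_hash_i(mode, b"\xaa" * 16, b"\xbb" * 16)
    second = legit_hash_i(mode, b"\xcc" * 16, b"\xdd" * 16)
    return first == second

def passive_observer_matches(mode: str) -> bool:
    """A passive observer sees cookies, public DH values, SA/ID payloads and, in psk and
    sig mode, the nonces, but not the PSK or g^xy (sig mode needs active DH participation
    for that); in rsa_enc mode the nonces themselves are hidden. Can it reproduce HASH_I?"""
    ni, nr = b"\xaa" * 16, b"\xbb" * 16
    real = legit_hash_i(mode, ni, nr)
    if mode == "rsa_enc":
        guess = skeyid(mode, b"\x00" * 16, b"\x00" * 16, b"", CKY_I, CKY_R)  # nonces unknown
    else:
        guess = skeyid(mode, ni, nr, b"\x00" * 16, CKY_I, CKY_R)  # PSK or g^xy unknown
    return hash_i(guess, GXI, GXR, CKY_I, CKY_R, SAI_B, IDII_B) == real
```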

