[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: A fix for main mode with preshared keys

To: Andrew Krywaniuk <akrywaniuk@TimeStep.com>
Subject: RE: A fix for main mode with preshared keys
From: Jianying Zhou <jyzhou@krdl.org.sg>
Date: Wed, 8 Dec 1999 10:56:02 +0800 (SGT)
cc: ipsec@lists.tislabs.com
In-Reply-To: <319A1C5F94C8D11192DE00805FBBADDFFFD1C0@exchange>
Sender: owner-ipsec@lists.tislabs.com

An additional payload HASH(1) = hash(IDii | Ni) could be sent in Step 3
of Main Mode with pre-shared key to support remore access as well as
identity protection. The responder can use HASH(1) to select pre-shared
key.

Of course, this may affect the protocol performance since the responder
need to re-compute HASH(1) from its (ID, pre-shared key) database to find
the matched entry. But the performance bottleneck of a VPN is at IPsec
rather than at IKE.

Jianying


On Tue, 7 Dec 1999, Andrew Krywaniuk wrote:

> >   For those of you who are concerned about massive evesdropping on the
> > Internet and tracking of opaque blobs ("dfnmtynioghora was in Grozny
> > on Tuesday and Khartoum on Thursday, it _must_ Osama Bin 
> > Laden! Next time
> > you see that ID_KEY_ID go get him.") the value can change with each 
> > authentication by hashing with some exchange specific 
> > information like 
> > the nonces:
> > 
> > 	 ID_KEY_ID[x+1] = hash(ID_KEY_ID[x] | Ni | Nr)
> > 	 where ID_KEY_ID[0] = the initial seeded value
> > 
> > Once you sucessfully authenticate using ID_KEY_ID[x] update 
> > the pre-shared
> > key database so the existing pre-shared key (and hidden 
> > "real" identity)
> > will not be associated with ID_KEY_ID[x+1].
> 
> So what you are suggesting is essentially a second pre-shared key (the iv
> for the ID_KEY_ID). And this must always be synchronized between the peers,
> so if one peer crashes and has to restore his HD from backups or if the
> negotiation is aborted between the transmission and reception of packets N
> and N+1 (for some N), then they must manually resynchronize.
> 
> I thought IKE was a stateless protocol. :-)
> 
> Is it really that hard to not make SKEYID_e dependent on the shared secret?
> It can still be used to derive SKEYID_d. I know you said you were concerned
> about changing the keymat generation technique for an established protocol,
> but isn't it the general derivation technique that requires analysis and not
> the specific definition of SKEYID_e as prf(SKEYID, SKEYID_a | g^xy | CKY-I |
> CKY-R | 2).
> 
> Andrew
> _______________________________________________
>  Beauty without truth is insubstantial.
>  Truth without beauty is unbearable.
>

Follow-Ups:

RE: A fix for main mode with preshared keys

From: francisco_corella@hp.com

References:

RE: A fix for main mode with preshared keys

From: Andrew Krywaniuk <akrywaniuk@TimeStep.com>

Prev by Date: Re: Heartbeats (was RE: keepalives)
Next by Date: Re: Heartbeats (was RE: keepalives)
Prev by thread: RE: A fix for main mode with preshared keys
Next by thread: RE: A fix for main mode with preshared keys
Index(es):
- Main
- Thread