
RE: Unique MIDs

Yes you should delay generating g^xy until it is actually needed, but as a
responder you need to generate g^xr for QM2.  This involves big number
exponentiation and modulo arithmetic which definitely isn't cheap.  There
is also the overhead of decrypting QM1 and encrypting QM2 and retransmitting
QM2 until the retry counter expires, but these operations are probably not
all that significant.  As I stated in a subsequent mailing, memory
constrained systems may feel that the cost of this operation is cheaper than
consuming memory to store MIDs to avoid this operation.

-dave

-----Original Message-----
From: Dan Harkins [mailto:dharkins@cips.nokia.com]
Sent: Thursday, July 13, 2000 9:10 PM
To: Mason, David
Cc: IPsec List
Subject: Re: Unique MIDs 


On Thu, 13 Jul 2000 12:14:42 PDT you wrote
> > Replaying an old Initiator-to-Responder message (#1) back to the
> > Responder will result in the Responder sending an unexpected message #2
> > back to the Initiator which will fail the hash check
> 
> If the responder allows the initiator to use non-unique message IDs then
> this opens up a DoS avenue especially if PFS was used.

So then don't generate the KEYMAT until you receive message #3. 

Where is this security hole?

  Dan.
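The trade-off the two messages above describe, as an added example that is not part of this thread or of any IKE implementation: a simulated Quick Mode responder that keeps a bounded window of message IDs per phase-1 SA (the memory Dave mentions), drops a replayed QM1 before doing any exponentiation, answers a retransmitted-but-still-pending QM1 from a cached QM2, and derives g^xy and KEYMAT only when QM3 arrives (Dan's suggestion). The Diffie-Hellman group, nonces, message structure and the SHA-256 stand-in for the IKE PRF are all constructed for the example; `run_scenario` counts the responder's modular exponentiations so the cost of the two strategies can be compared.

```python
import hashlib
import secrets
from collections import deque

# Constructed toy Diffie-Hellman group for the example only (not a real IKE group):
# p = 2^127 - 1 (a Mersenne prime), generator g = 5.
P = (1 << 127) - 1
G = 5


def modexp(base, exp):
    """g^x mod p: the expensive operation the thread is discussing."""
    return pow(base, exp, P)


def derive_keymat(g_xy, nonce_i, nonce_r):
    """Stand-in for the IKE PRF: hash the shared secret with both nonces."""
    return hashlib.sha256(g_xy.to_bytes(16, "big") + nonce_i + nonce_r).digest()


class QuickModeResponder:
    """Simulated IKE Quick Mode responder (illustrative, not real IKE code).

    - A bounded window of message IDs (MIDs) seen under one phase-1 SA drops a
      replayed QM1 before any exponentiation; max_mids is the memory trade-off.
    - A QM1 retransmitted while its QM2 is still outstanding gets the cached QM2,
      so a lost QM2 does not force a second g^xr computation.
    - g^xy and KEYMAT are derived only once QM3 arrives.
    """

    def __init__(self, max_mids=64):
        self.seen_mids = deque(maxlen=max_mids)  # oldest MIDs fall out when full
        self.pending = {}                        # mid -> state between QM2 and QM3
        self.modexp_count = 0
        self.dropped = 0

    def handle_qm1(self, mid, nonce_i, ke_i):
        if mid in self.pending:            # legitimate retransmit: resend cached QM2
            return self.pending[mid]["qm2"]
        if mid in self.seen_mids:          # MID already used: replayed QM1, no DH work
            self.dropped += 1
            return None
        self.seen_mids.append(mid)
        xr = secrets.randbelow(P - 2) + 1  # private exponent in [1, p-2]
        ke_r = modexp(G, xr)               # g^xr: unavoidable for QM2 with PFS
        self.modexp_count += 1
        nonce_r = secrets.token_bytes(16)
        qm2 = {"mid": mid, "nonce_r": nonce_r, "ke_r": ke_r}
        self.pending[mid] = {"xr": xr, "nonce_i": nonce_i, "ke_i": ke_i,
                             "nonce_r": nonce_r, "qm2": qm2}
        return qm2

    def handle_qm3(self, mid):
        st = self.pending.pop(mid, None)
        if st is None:                     # QM3 for an unknown or finished MID
            self.dropped += 1
            return None
        g_xy = modexp(st["ke_i"], st["xr"])  # deferred shared secret
        self.modexp_count += 1
        return derive_keymat(g_xy, st["nonce_i"], st["nonce_r"])


def run_scenario(replays=10):
    """One honest PFS Quick Mode, then `replays` copies of the captured QM1."""
    responder = QuickModeResponder()
    mid = secrets.token_bytes(4)
    xi = secrets.randbelow(P - 2) + 1
    nonce_i = secrets.token_bytes(16)
    qm1 = {"mid": mid, "nonce_i": nonce_i, "ke_i": modexp(G, xi)}

    qm2 = responder.handle_qm1(qm1["mid"], qm1["nonce_i"], qm1["ke_i"])
    keymat_r = responder.handle_qm3(mid)
    keymat_i = derive_keymat(modexp(qm2["ke_r"], xi), nonce_i, qm2["nonce_r"])

    for _ in range(replays):               # the captured QM1 is fed back in
        responder.handle_qm1(qm1["mid"], qm1["nonce_i"], qm1["ke_i"])

    return {"responder_modexp": responder.modexp_count,
            "dropped": responder.dropped,
            "keymat_match": keymat_i == keymat_r}
```

With the MID window in place the responder performs exactly two exponentiations per honest exchange regardless of how many copies of QM1 it later receives; shrinking `max_mids` saves memory but lets an old MID become acceptable again once it has fallen out of the window, which is the choice Dave's message leaves to the implementer.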