[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Man in the middle attack (draft-kaufman-ipsec-improveike-00.txt)?

To: ipsec@lists.tislabs.com, kballou@quarrytech.com
Subject: Re: Man in the middle attack (draft-kaufman-ipsec-improveike-00.txt)?
From: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Date: Mon, 16 Jul 2001 13:42:26 -0400 (EDT)
Reply-To: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Sender: owner-ipsec@lists.tislabs.com

Yes. A man-in-the-middle can discover Alice's identity. He can't
finish the protocol, as you pointed out, so the only thing he can
do is discover Alice's identity.

There's no way around this with just using a pre-shared secret between
Alice and Bob. Our suggested revised protocol is stronger than
the current one. In the current one, Alice's identity is exposed even
to a passive attacker...in the main mode, her identity has to be her
IP address, which is in the IP header. In aggressive mode, it's sent
unencrypted. In the suggested revised protocol, Alice's identity is
hidden from passive attackers, but an active attacker will be able
to find her identity, but will not be able to do anything more that
just discover who is attempt to connect to Bob.

If you really want to hide Alice's identity from an active attacker and
use a pre-shared Alice-Bob key, I can think of two complication-inducing
methods (and I don't like complication-inducing things).

1) have an additional secret key that Bob shares with all legitimate
Bob-clients. This was similar to what we had at Digital where there
was a single building-wide secret that we needed in order to dial into the
terminal server, and then a personal password after that. Each month
all employees were told the new building-wide secret. Applying
this technique to IKE, messages
5 and 6 could be encrypted in a function of the group secret, so only
an active attacker that knew the group secret could discover Alice's
identity.

2) Bob could have a public key, and Alice could send her identity
encrypted with his public key.

But I'd recommend just living with the fact that an active attacker will
be able to discover Alice's identity.

Radia


	From: kballou@quarrytech.com
	To: ipsec@lists.tislabs.com
	Subject: Man in the middle attack 
(draft-kaufman-ipsec-improveike-00.txt)?
	MIME-Version: 1.0
	
	I'm sure I've missed something.
	
	In section 7 (main mode with pre-shared keys), isn't
	Alice's identity susceptible to a man-in-the-middle
	attack?
	
	Could Mallory impersonate Bob for the first two pairs
	of messages, use the Diffie-Hellman key to learn Alice's
	identity, and then not finish the protocol?  (Of course,
	since Mallory doesn't know the pre-shared secret, he
	can't fix up the third message to relay it to Bob even
	with knowledge of Alice's identity.)
	
						- Ken

Prev by Date: Re: I-D ACTION:draft-kaufman-ipsec-improveike-00.txt
Next by Date: application of security policy to fragments
Prev by thread: Man in the middle attack (draft-kaufman-ipsec-improveike-00.txt)?
Next by thread: application of security policy to fragments
Index(es):
- Main
- Thread