
Re: having and eating cake? aggressive mode with identity hiding



Radia Perlman - Boston Center for Networking wrote:
> 
> After the IPsec meeting, some people mentioned to me that if we'd
> get rid of one mode, they'd prefer getting rid of main mode and
> keeping aggressive mode.
> 
> As it turns out, in the paper on which the internet draft presented
> at the meeting was based:
> http://sec.femto.org/wetice-2001/papers/radia-paper.pdf
> it mentions that we can get identity hiding with the public signature key
> variant.
> 
> It would be nice to have a single IKE protocol. Perhaps this slightly
> modified aggressive mode/identity hiding/public signature keys would
> be a good choice.
> 
This protocol looks good from an identity hiding point of view, but the
main 'practical' benefit of AM is that the identity is sent in
message one, allowing the responder to select the proper policy
based on reception of the first message.

Ari

> The basic idea is:
> 
> message 1:
> Alice--->Bob
>     g^a mod p
> 
> message 2:
> Bob---->Alice
>     g^b mod p, {"Bob", proof I'm Bob} encrypted with g^ab mod p
>         ;the proof he's Bob consists of a signature on messages 1 and 2, e.g.
> 
> message 3:
> Alice---->Bob
>     {"Alice", proof I'm Alice}g^ab mod p
> 
> 
> I might want to add the OAKLEY-style trick where Bob can respond in message
> 2 with "I am going to want a stateless cookie, so try again, but this
> time send cookie c". That way if Bob isn't under attack, he can do the 3 message
> exchange, and if he is, he responds to cookie-less message 1's with a cookie,
> and responds to valid cookie-containing message 2's with the rest
> of the protocol.
> 
> Radia

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise
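
The stateless-cookie fallback described in the quoted proposal, as an added sketch that is not code from the thread or from any IKE implementation. The `Responder` and `initiate` names, the HMAC-over-address-and-g^a cookie construction, the toy group and the sample addresses are all assumptions made for illustration; the encrypted identity payloads of messages 2 and 3 are left out.

```python
import hashlib, hmac, os

P = 2**127 - 1   # toy prime modulus for the demo only; far too small for real use
G = 3            # assumed base, chosen for illustration

class Responder:
    """Bob: keeps one local secret and no per-initiator state until a cookie verifies."""
    def __init__(self, under_attack=False):
        self.secret = os.urandom(32)      # local secret; would be rotated in practice
        self.under_attack = under_attack
        self.sessions = {}                # src -> g^ab mod p, created only past the cookie check

    def _cookie(self, src, ga):
        # Assumption: cookie = HMAC(secret, initiator address || g^a), recomputable on demand.
        msg = src.encode() + b"|" + ga.to_bytes(16, "big")
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def on_message1(self, src, ga, cookie=None):
        if self.under_attack:
            if cookie is None:
                return ("COOKIE", self._cookie(src, ga))   # "try again with cookie c"; nothing stored
            if not hmac.compare_digest(cookie, self._cookie(src, ga)):
                return ("DROP", None)                      # cookie not issued for this address and g^a
        b = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
        self.sessions[src] = pow(ga, b, P)                 # the expensive step, done only now
        return ("MSG2", pow(G, b, P))                      # g^b mod p; encrypted identity omitted

def initiate(bob, src):
    """Alice: send g^a, retry once with the cookie if Bob asks for one."""
    a = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    ga = pow(G, a, P)
    kind, val = bob.on_message1(src, ga)
    if kind == "COOKIE":
        kind, val = bob.on_message1(src, ga, cookie=val)
    return kind, (pow(val, a, P) if kind == "MSG2" else None)
```

When Bob is not under attack the exchange stays at three messages; under attack, the modular exponentiation and session state are deferred until the initiator has shown it can receive traffic at the address it claims.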

