[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IKEv2 and SIGMA

To: "'Hugo Krawczyk'" <hugo@ee.technion.ac.il>, "'IPsec WG'" <ipsec@lists.tislabs.com>
Subject: RE: IKEv2 and SIGMA
From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
Date: Wed, 5 Dec 2001 17:49:41 -0500
Importance: Normal
In-Reply-To: <Pine.GSO.4.21.0111261322260.3536-100000@ee.technion.ac.il>
Reply-To: <andrew.krywaniuk@alcatel.com>
Sender: owner-ipsec@lists.tislabs.com

Hugo, you have talked about the importance of carefully choosing the inputs
to the authentication hash. I envision a situation where:

Responder chooses Nr = SIG_r(Ni, g^xi, IDr, ...)
Initiator creates AUTHi = SIG_i(Ni, g^xy, Nr, ...)

So now the initiator has been tricked into signing something which binds a
derivative of the responder's identity to the nonce and DH values from the
exchange. And the result is that the initiator can no longer repudiate the
exchange.

Is this the kind of attack you are talking about?

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.

Follow-Ups:

RE: IKEv2 and SIGMA

From: Hugo Krawczyk <hugo@ee.technion.ac.il>

RE: IKEv2 and SIGMA

From: Stephen Kent <kent@bbn.com>

Prev by Date: Son-of-IKE Performance
Next by Date: RE: IKEv2 and SIGMA
Prev by thread: Re: Son-of-IKE Performance
Next by thread: RE: IKEv2 and SIGMA
Index(es):
- Main
- Thread