RE: IKEv2 and SIGMA



Correct.

Even though the initiator, IDi, could still claim that this Nr was sent to 
him in a conversation with some other party ID' that was colluding with
IDr to frame I. Anyway, the point is that there needs to be a real
malicious action from the responder to try to leave some provable
(to third parties) traces of the conversation. A regular run does not
leave any. (And as I said somewhere, if you want better protection than
this you should go back to something like the enc mode of IKE :)

In contrast, JFK (following the ISO protocol) leaves an explicit
undeniable and transferable proof in each exchange.

Hugo

On Wed, 5 Dec 2001, Andrew Krywaniuk wrote:

> Hugo, you have talked about the importance of carefully choosing the inputs
> to the authentication hash. I envision a situation where:
> 
> Responder chooses Nr = SIG_r(Ni, g^xi, IDr, ...)
> Initiator creates AUTHi = SIG_i(Ni, g^xy, Nr, ...)
> 
> So now the initiator has been tricked into signing something which binds a
> derivative of the responder's identity to the nonce and DH values from the
> exchange. And the result is that the initiator can no longer repudiate the
> exchange.
> 
> Is this the kind of attack you are talking about?
> 
> Andrew
> -------------------------------------------
> There are no rules, only regulations. Luckily,
> history has shown that with time, hard work,
> and lots of love, anyone can be a technocrat.
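The two cases discussed above, worked through as an added example (not code from either poster or from any IKEv2/SIGMA/JFK implementation): a regular run with a random Nr, and the run Andrew describes where the responder sends Nr = SIG_r(Ni, g^x, IDr, ...), followed by what a third party holding only the transcript and public keys can conclude from each. The signature scheme is a toy textbook RSA over SHA-256 with constructed Mersenne-prime keys, the DH values are stand-in byte strings, and the signed-field orderings follow the notation of the quoted message (Andrew's "g^xy" is taken here as the two DH public values g^x and g^y); all of these are assumptions of the example.

```python
import hashlib
import os

# Toy textbook-RSA signatures over SHA-256 with constructed Mersenne-prime keys.
# Illustration only; a real protocol uses a vetted signature library.
def keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def _digest(fields, n):
    return int.from_bytes(hashlib.sha256(b"|".join(fields)).digest(), "big") % n

def sign(sk, *fields):
    n, d = sk
    return pow(_digest(fields, n), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def verify(pk, sig, *fields):
    n, e = pk
    return pow(int.from_bytes(sig, "big"), e, n) == _digest(fields, n)

def responder_nonce(sk_r, Ni, gx, IDr, misbehave):
    """A regular responder sends a random Nr. The misbehaving responder of the
    thread instead sends Nr = SIG_r(Ni, g^x, IDr), so the 'nonce' names IDr."""
    return sign(sk_r, Ni, gx, IDr) if misbehave else os.urandom(32)

def initiator_auth(sk_i, Ni, gx, gy, Nr):
    """SIGMA-style AUTHi = SIG_i(Ni, g^x, g^y, Nr): binds nonces and DH values
    but deliberately not IDr, which is what keeps a regular run deniable."""
    return sign(sk_i, Ni, gx, gy, Nr)

def third_party_check(pk_i, pk_r, Ni, gx, gy, Nr, AUTHi, IDr):
    """A judge holding only public keys and the transcript asks whether it
    proves IDi talked to IDr. 'deniable': all it shows is that IDi signed some
    opaque Nr. 'traceable': Nr itself verifies as IDr's signature over the run,
    so the transcript now carries the provable trace Hugo describes (which
    required the responder's active misbehaviour, not a regular run)."""
    if not verify(pk_i, AUTHi, Ni, gx, gy, Nr):
        return "invalid"
    return "traceable" if verify(pk_r, Nr, Ni, gx, IDr) else "deniable"

def run(misbehave):
    pk_i, sk_i = keygen(2**61 - 1, 2**89 - 1)      # constructed initiator key
    pk_r, sk_r = keygen(2**107 - 1, 2**127 - 1)    # constructed responder key
    Ni, gx, gy, IDr = os.urandom(32), b"g^x", b"g^y", b"IDr"   # stand-in values
    Nr = responder_nonce(sk_r, Ni, gx, IDr, misbehave)
    AUTHi = initiator_auth(sk_i, Ni, gx, gy, Nr)
    return third_party_check(pk_i, pk_r, Ni, gx, gy, Nr, AUTHi, IDr)
```

Running `run(False)` yields "deniable" and `run(True)` yields "traceable"; the only difference between the two transcripts is what the responder put into Nr.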