[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Please kill preshared key.
Sounds like a good haker taget,
can you share with everyone which is this entity? :-)
--- David
----- Original Message -----
From: "Marcus D. Leech" <mleech@nortelnetworks.com>
To: "Jan Vilhuber" <vilhuber@cisco.com>
Cc: "Bill Sommerfeld" <sommerfeld@east.sun.com>; <ipsec@lists.tislabs.com>
Sent: Friday, December 07, 2001 11:20 AM
Subject: Re: Please kill preshared key.
> The current PSK methods in IKEv1 lead to some horrible, insecure hacks
> in real
> implementations/deployments.
>
> I know of at least one VPN/Road-Warrior implementation where the server
> uses
> PSK to authenticate itself to a client--but it uses the SAME PSK for
> every
> member of a "group", where groups are very large. This means that
> anyone in
> the group can pretend to be a server to any other member of the group.
> This wouldn't happen in a self-signed PK-style pre-share. The
> client adds the PK self-signed pre-share to their "trusted" list, and
> only the real server (possessor of the private key) can convince a
> client
> of its authenticity.
>
> If symmetric PSKs are kept, it had better be possible to do it right,
> and
> rather hard to do it wrong.
>
References: