
XCASS security

Phill, I've taken a look at the XCASS protocol (the PDF file on the site 
you pointed to, printed August 15, 2001, page 12, Fig 4).

It seems that the protocol is susceptible to the following attack:
Assume that an attacker managed to obtain the secret DH exponent of the 
initiator in some ill-protected session. This means that the attacker has
the initiator's signature on some g^x, where the attacker knows x.
From now on, the attacker can impersonate this poor initiator in the eyes 
of any prospective responder, basically until the end of time.
Is that true or am I confused?

(One can of course argue about the likelihood of the attacker obtaining such 
an x. I can imagine some settings where this is not so unlikely...)

I was trying to fix this without adding a flow or assuming that
the initiator knows the responder's ID ahead of time, but couldn't see how.

Ran
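A small model of the property Ran is asking about, added here as an example; it is not code from the thread or from XCASS, and it uses a toy DH group with an HMAC standing in for the initiator's signature. `stale_exponent_reusable(False)` checks whether a leaked x together with the old signature on g^x is enough to be accepted by a fresh responder and share its key; `stale_exponent_reusable(True)` models a hypothetical variant in which the signature also covers a nonce the responder sent first, which is exactly the extra flow the message says it was trying to avoid.

```python
import hashlib
import hmac
import secrets

# Toy DH group and a MAC standing in for the initiator's signature; both are
# constructed for this model, not XCASS's actual parameters or signature scheme.
P = 2**127 - 1
G = 3

def sign(sk: bytes, msg: bytes) -> bytes:
    return hmac.new(sk, msg, hashlib.sha256).digest()

def verify(sk: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(sk, msg), sig)

def encode(*parts: int) -> bytes:
    return b"|".join(str(v).encode() for v in parts)

def initiator_flow(sk: bytes, x: int, responder_nonce=None):
    """Initiator sends g^x signed on its own (the flow as described) or, in the
    hypothetical bound variant, signed together with a nonce the responder sent first."""
    gx = pow(G, x, P)
    signed = encode(gx) if responder_nonce is None else encode(gx, responder_nonce)
    return gx, sign(sk, signed)

def responder_key(sk: bytes, gx: int, sig: bytes, y: int, nonce=None):
    """Responder verifies the initiator's signature, then derives g^xy (or rejects)."""
    signed = encode(gx) if nonce is None else encode(gx, nonce)
    if not verify(sk, signed, sig):
        return None
    return pow(gx, y, P)

def stale_exponent_reusable(bind_to_responder: bool) -> bool:
    """True if x plus the signed g^x from an old session is enough to make a
    *new* responder accept and end up sharing a key with the holder of x."""
    sk = secrets.token_bytes(32)              # initiator's long-term signing key
    x = secrets.randbelow(P - 2) + 1          # exponent leaked from the old session
    old_nonce, new_nonce = (1, 2) if bind_to_responder else (None, None)  # distinct fresh values
    gx, sig = initiator_flow(sk, x, old_nonce)   # captured from the old session
    # New session: a different responder with its own y (and its own nonce, if bound).
    y = secrets.randbelow(P - 2) + 1
    k_resp = responder_key(sk, gx, sig, y, new_nonce)
    if k_resp is None:
        return False                          # responder rejected the stale signature
    k_holder = pow(pow(G, y, P), x, P)        # whoever holds x derives the same key
    return k_holder == k_resp
```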