
RE: IKEv2 and SIGMA



At 5:49 PM -0500 12/5/01, Andrew Krywaniuk wrote:
>Hugo, you have talked about the importance of carefully choosing the inputs
>to the authentication hash. I envision a situation where:
>
>Responder chooses Nr = SIG_r(Ni, g^xi, IDr, ...)
>Initiator creates AUTHi = SIG_i(Ni, g^xy, Nr, ...)
>
>So now the initiator has been tricked into signing something which binds a
>derivative of the responder's identity to the nonce and DH values from the
>exchange. And the result is that the initiator can no longer repudiate the
>exchange.
>
>Is this the kind of attack you are talking about?
>
>Andrew
>-------------------------------------------
>There are no rules, only regulations. Luckily,
>history has shown that with time, hard work,
>and lots of love, anyone can be a technocrat.

Excuse me for this belated comment, as I am still working my way 
through the 1K+ messages that arrived last week while I was away on 
vacation.

I think the term "repudiate" may be inappropriate in this context. 
IPsec does not offer NR as a security service for the traffic sent on 
an SA, so the opportunity to offer NR with regard to an IKE exchange 
may not be all that important. Is there general agreement that NR is 
a concern here?

Steve
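
The scenario Andrew describes in the quoted message, as an added example that is not part of the original thread: a responder "nonce" that is really SIG_r(Ni, g^xi, IDr) ends up covered by the initiator's AUTHi, so an outside party holding both public keys can check the binding. Lamport one-time signatures stand in for SIG_i and SIG_r so the code needs only the standard library; the function names, the length-prefixed encoding and the sample values are assumptions, and the DH values are opaque placeholders.

```python
import hashlib, os

def H(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signatures stand in for SIG_i / SIG_r (assumption).
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return b"".join(sk[i][b] for i, b in enumerate(bits(msg)))

def verify(pk, msg, sig):
    return len(sig) == 256 * 32 and all(
        H(sig[32 * i:32 * i + 32]) == pk[i][b] for i, b in enumerate(bits(msg)))

def enc(*fields):
    # Length-prefix each field so the signed input parses unambiguously.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def responder_nonce(sk_r, ni, g_xi, id_r):
    # Nr = SIG_r(Ni, g^xi, IDr): a "nonce" that is really a signature.
    return sign(sk_r, enc(ni, g_xi, id_r))

def initiator_auth(sk_i, ni, g_xy, nr):
    # AUTHi = SIG_i(Ni, g^xy, Nr): the initiator signs Nr as opaque bytes.
    return sign(sk_i, enc(ni, g_xy, nr))

def binds_identity(pk_i, pk_r, ni, g_xi, g_xy, id_r, nr, auth_i):
    # Outside verifier: AUTHi covers Nr, and Nr verifies as SIG_r over IDr.
    return (verify(pk_i, enc(ni, g_xy, nr), auth_i)
            and verify(pk_r, enc(ni, g_xi, id_r), nr))

def demo():
    sk_r, pk_r = keygen()
    # Constructed sample values; g_xi and g_xy are opaque placeholders.
    ni, g_xi, g_xy, id_r = os.urandom(16), b"g^xi", b"g^xy", b"responder.example"
    crafted = responder_nonce(sk_r, ni, g_xi, id_r)
    out = []
    for nr in (crafted, os.urandom(len(crafted))):  # crafted vs. random Nr
        sk_i, pk_i = keygen()  # fresh one-time key for each signature
        auth_i = initiator_auth(sk_i, ni, g_xy, nr)
        out.append(
            binds_identity(pk_i, pk_r, ni, g_xi, g_xy, id_r, nr, auth_i))
    return out  # crafted Nr binds IDr into the transcript; random Nr does not
```

With the crafted nonce the transcript verifies under both public keys; with a random nonce of the same length only the initiator's signature verifies and no responder identity is bound.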

