
suggestion for JFK



  In JFK the responder sends, in message 2, a token (the HMAC{Hkr}(blah)
payload) back to the initiator which binds the initiator to a nonce he
supplied in message 1. The responder doesn't create any state though.
Someone could send a message 1 to obtain a valid token and then construct
several hundred bogus message 3's with the valid nonce and token forcing
the responder to exponentiate in an attempt to decrypt a garbage packet.
This would require no exponentiation or encryption on the part of the
attacker and none of the bogus packets need to be sourced from his IP
address.

  The responder should rate limit these messages, of course, and could
scan an input queue for the bad token to eliminate these bogus packets
before any serious work is done on them but there is no way to locate the
offender.

  If the IP address of the initiator that sent message 1 was included
in the token calculation-- i.e. HMAC{Hkr}(Ni, Nr, g^i, g^r, addr)-- it
would force such an attacker to reveal his IP address. I think this would
be a good thing.

  Dan.
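A worked illustration of the suggestion above (added example, not code from the original post or from the JFK specification): a stateless responder token computed with and without the initiator's address, and the cheap check a responder would run on message 3 before any exponentiation. SHA-256 as the HMAC hash, the length-prefixed field encoding, and all key, nonce and Diffie-Hellman values are constructed assumptions for the demonstration.

```python
import hmac
import hashlib

# Constructed stand-ins for one JFK exchange (assumption: SHA-256 as the HMAC
# hash; the post does not fix a hash or an encoding, these are for the demo).
HKR = b"responder-secret-Hkr-constructed"   # responder's secret, never sent
NI = b"initiator-nonce-Ni"
NR = b"responder-nonce-Nr"
G_I = b"g^i-initiator-dh-value"
G_R = b"g^r-responder-dh-value"


def responder_token(hkr, ni, nr, g_i, g_r, addr=None):
    """HMAC{Hkr}(Ni, Nr, g^i, g^r[, addr]): the stateless token sent in message 2.
    Each field is length-prefixed so the concatenation is unambiguous."""
    mac = hmac.new(hkr, digestmod=hashlib.sha256)
    for field in (ni, nr, g_i, g_r):
        mac.update(len(field).to_bytes(2, "big") + field)
    if addr is not None:                 # the post's suggested address binding
        mac.update(addr.encode("ascii"))
    return mac.digest()


def message3_accepted(hkr, msg3, src_addr, bind_addr):
    """Cheap check run on message 3 before any decrypt/exponentiation.
    With bind_addr=True the token is recomputed over the packet's observed
    source address, so a token minted for one address fails from any other."""
    expected = responder_token(hkr, msg3["ni"], msg3["nr"], msg3["g_i"],
                               msg3["g_r"], src_addr if bind_addr else None)
    return hmac.compare_digest(expected, msg3["token"])


def flood_reaching_dh(bind_addr, attacker_addr="10.0.0.5", n_bogus=200):
    """Model the scenario in the post: one message 1 from attacker_addr yields
    a valid token, which is then replayed in n_bogus message 3s carrying
    spoofed source addresses. Returns how many of those bogus packets would
    pass the token check and reach the expensive exponentiation step."""
    token = responder_token(HKR, NI, NR, G_I, G_R,
                            attacker_addr if bind_addr else None)
    msg3 = {"ni": NI, "nr": NR, "g_i": G_I, "g_r": G_R, "token": token}
    spoofed = ["192.0.2.%d" % (i % 254 + 1) for i in range(n_bogus)]  # constructed
    return sum(message3_accepted(HKR, msg3, addr, bind_addr) for addr in spoofed)


if __name__ == "__main__":
    print("unbound token, bogus packets reaching DH:", flood_reaching_dh(False))
    print("address-bound token, bogus packets reaching DH:", flood_reaching_dh(True))
```

With the address in the token, the only message 3s that pass are those sent from the address that obtained the token, which is the point of the suggestion: the sender of the flood is no longer anonymous.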


