
Re: suggestion for JFK



On Wed, 12 Dec 2001 13:02:17 MST you wrote
> 
>   As I understand Dan's suggestion, including the IP address means that the
> initiator can't bounce around to different IPs - I don't get what it buys
> though.

What it buys is a guarantee that there is only one case in which a token
would be valid but the encrypted data is garbage-- when message 3 was sent
by the same IP address which obtained the token in message 2.

If the token is correct in message 3 then the responder does work. It would
be nice (to me at least) to know who is trying to make me do some work for
no reason. Right now all I know is that someone is doing this thing to me,
not who.

In addition, by not including the IP address in the hash calculation JFK
opens itself up to a variant of Simpson's "cookie jar" attack. What happens
is I send a JFK implementation X message 1's with different nonces and g^i's
and receive X valid tokens in response. Provided that message 1 and message
X obtained a token based on the same HKr (I'll know this if the signed g^r
is the same) I can then send X message 3's with bogus source IP addresses
and the responder will use up his CPU exponentiating to decrypt lots and
lots of garbage. And he has no idea where the person is who is doing this
to him.

I will now stop beating this horse since I am the only person who thinks
it is not dead yet.

  Dan.
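
The responder-side token check discussed in this message, as an added example that is not part of the original e-mail or of the JFK draft: it compares a token computed without the source IP against one that binds it, and shows which message 3's pass the cheap check and reach the exponentiation. The field order, the length-prefixed encoding, HMAC-SHA256 and the function names are assumptions made for illustration; the addresses are constructed documentation addresses.

```python
import hashlib
import hmac
import ipaddress
import os

HKR = os.urandom(32)  # responder's secret token key (the "HKr" of the message)


def make_token(g_r, nonce_r, nonce_i, g_i, src_ip=None):
    """Stateless token returned in message 2 (layout is an assumption)."""
    parts = [g_r, nonce_r, nonce_i, g_i]
    if src_ip is not None:
        # Bind the token to the address that asked for it.
        parts.append(ipaddress.ip_address(src_ip).packed)
    # Length-prefix every field so the concatenation is unambiguous.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(HKR, msg, hashlib.sha256).digest()


def accept_message3(token, g_r, nonce_r, nonce_i, g_i, src_ip, bind_ip):
    """Cheap check done before any exponentiation.

    True means the responder goes on to the expensive Diffie-Hellman and
    decryption work for this message 3.
    """
    expected = make_token(g_r, nonce_r, nonce_i, g_i,
                          src_ip if bind_ip else None)
    return hmac.compare_digest(token, expected)


def demo():
    """Return the check result per policy, for same and different source IP."""
    g_r, n_r = os.urandom(32), os.urandom(16)   # constructed stand-ins
    n_i, g_i = os.urandom(16), os.urandom(32)
    asked_from, sent_from = "192.0.2.10", "198.51.100.7"
    results = {}
    for bind_ip in (False, True):
        token = make_token(g_r, n_r, n_i, g_i,
                           asked_from if bind_ip else None)
        results[bind_ip] = {
            "same_ip": accept_message3(token, g_r, n_r, n_i, g_i,
                                       asked_from, bind_ip),
            "other_ip": accept_message3(token, g_r, n_r, n_i, g_i,
                                        sent_from, bind_ip),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

With the IP bound into the token, a message 3 arriving from any other address is rejected by a single HMAC, so the only sender who can make the responder exponentiate is one reachable at the address that received message 2.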




