[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RESEND: Thoughts on identity attacks

To: ipsec@lists.tislabs.com, Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Re: RESEND: Thoughts on identity attacks
From: Sara Bitan <sarab@cs.Technion.AC.IL>
Date: Wed, 06 Feb 2002 11:39:17 +0200
References: <p05101430b884b2dc9049@[165.227.249.20]>
Sender: owner-ipsec@lists.tislabs.com

Hi Paul!
Two issues:
> If the parties in a negotiation are worried about an attack on their
> identities, they can use PKIX identities that will give the attacker
> little or no information about the real identities. This sometimes
> means that the CA that they mutually trust needs to issue
> certificates with identities other than the typical ones, but any
> reasonable CA system should be able to do this. Further, depending on
> the level of worry, the parties can get new certificates with new
> identities as often as they wish (or as often as their
> mutually-trusted CA can handle).
I don't think we should bind IKE's identiy protection properties into other
protocols (PKIX).
The only requirement from certificates in the context of IKE is binding
between an identity and a public key, and I think we should leave it this
way - and not rely on certificates to give us identity protection.
>
> Although IKEv1, IKEv2 draft 00, and LBJ expose the initiator's
> identity to an active attack, that attack seems unlikely to be
> common. The man-in-the-middle would have to be intermittent, and even
> then would raise suspicion every time the attack was successful.
> These solutions also solve the "original responder rekeys first"
> problem of JFK draft 00.

> Further, when talking to someone who hasn't
> investigated identity attacks, it is much easier to explain "no
> passive attacks" than it is to explain "a passive attack against one
> of the two parties is OK because the other party gets better
> protection".
>
I agree that it is easier to explain "no passive attacks", but as Radia said
in a previous mail - it is better to have the responder authenticate the
initiator before he sends its identity. Otherwise - responders will expose
their identities to anyone initiating an IKE exchange with them. This is not
a man-in-the-middle attack, and it is very easy to launch.
When you rekey, and you turn from a reponder to an initiator, this attack is
no longer relvant - because now an attacker that wants to expose your
identity will have to do the MIM attack.
As you said, this is the level of identity protection IKEv1 gives, and I
think new IKE should supply the same level: protection against passive
attacks to the initiator, and protection against active attacks to the
responder.

 Sara
>
> --Paul Hoffman, Director
> --VPN Consortium

References:
- RESEND: Thoughts on identity attacks
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

Prev by Date: Interoperability test for AES.
Next by Date: RE: Interoperability test for AES
Prev by thread: Re: RESEND: Thoughts on identity attacks
Next by thread: RE: RESEND: Thoughts on identity attacks
Index(es):
- Date
- Thread