
Is JFK DOS proof when PFS is required?




The second message of JFKi and JFKr requires a DH operation:
JFKi:
Message 2, R->I:  Ni, Nr, g^r, GRPINFOr, IDr,
                     SIG{r}(g^r, GRPINFOr), HMAC{HKr}(Ni, Nr, g^i, g^r)
JFKr:
Message 2, R->I:  Ni, Nr, g^r, GRPINFOr, HMAC{HKr}(Ni, Nr, g^r)


The authors lessen this by introducing a "forward secrecy
interval".  However, when PFS is required, the responder will need to
generate g^r (and SIG() in JFKi) for every IKE message 1 from any source,
and is thus subject to DOS attack.

Without PFS, once the DH is compromised, multiple tunnels across multiple
peers are compromised, since Ni and Nr are sent in clear.  This will be a
major problem when implementing the protocol.

Michael Shieh
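
The trade-off raised in this message, as an added example that is not part of the original post or of any JFK implementation: a responder builds the JFKr message 2 and counts how many DH exponentiations it spends on unauthenticated message 1s. Assumptions: the forward secrecy interval is modelled as a reuse count rather than a time window, the group is a toy one, and the names `Responder`, `reuse_limit` and `modexp_cost` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration: 2**127 - 1 is prime but far
# too small for real use. A deployment would use a standard MODP/EC group.
P = 2**127 - 1
G = 3


class Responder:
    def __init__(self, reuse_limit):
        # Assumption: the forward secrecy interval is modelled as a count of
        # message 2s that may share one g^r (1 = fresh exponential each time).
        self.reuse_limit = reuse_limit
        self.hkr = secrets.token_bytes(32)  # HKr, known only to the responder
        self.gr = None
        self.uses = 0
        self.modexps = 0  # DH exponentiations spent on unauthenticated peers

    def _current_gr(self):
        if self.gr is None or self.uses >= self.reuse_limit:
            r = secrets.randbelow(P - 2) + 1
            self.gr = pow(G, r, P)
            self.modexps += 1
            self.uses = 0
        self.uses += 1
        return self.gr

    def _token(self, ni, nr, gr):
        # HMAC{HKr}(Ni, Nr, g^r) as in the JFKr message 2 quoted above.
        data = ni + nr + gr.to_bytes(16, "big")
        return hmac.new(self.hkr, data, hashlib.sha256).digest()

    def message2(self, ni):
        nr = secrets.token_bytes(16)
        gr = self._current_gr()
        return ni, nr, gr, self._token(ni, nr, gr)

    def token_ok(self, ni, nr, gr, token):
        # Recomputed from the echoed values, so no per-request state is kept.
        return hmac.compare_digest(token, self._token(ni, nr, gr))


def modexp_cost(reuse_limit, n_requests):
    resp = Responder(reuse_limit)
    for _ in range(n_requests):
        resp.message2(secrets.token_bytes(16))
    return resp.modexps
```

With `reuse_limit=1` every message 1 costs the responder one exponentiation; with a larger limit the per-message cost drops to a nonce and an HMAC, at the price of several exchanges sharing one g^r.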