[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: identity-misbinding attack on SLA

To: IPsec WG <ipsec@lists.tislabs.com>
Subject: Re: identity-misbinding attack on SLA
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Tue, 31 Dec 2002 14:27:25 -0500
In-reply-to: Your message of "Tue, 31 Dec 2002 02:21:14 +0200." <Pine.GSO.4.21.0212310219390.25548-100000@ee.technion.ac.il>
Sender: owner-ipsec@lists.tislabs.com

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Hugo" == Hugo Krawczyk <hugo@ee.technion.ac.il> writes:
    Hugo> This assumption holds in some scenarios but certainly not in all remote user
    Hugo> authentication cases. In many instances the client machine will not have the
    Hugo> server's certificate but will rather have to receive the cert from the
    Hugo> server itself (this cert is verified at the client on the basis of some 
    Hugo> verification PK and policy settings installed at the client).

  I dispute the claim that the public key of the server is not know to the
client. I would further dispute that this will be deployed along with a PKI
that would permit the client to even verify the server.

  Yes, in the general case it might be true, but I don't want to promote
legacy authentication for cross-enterprise use. Single-enterprise
only. Places big enough to have too many people to handle raw RSA keys
manually, yet not big enough to justify a PKI deployment. Those are the
places that "legacy" authentication will be used.
  
  The only situation where I could imagine not knowing the right *server*
certificate in a single enterprise situation is when there is some kind of
failover situation, or anycast-reachable gateway. I don't think either is in
scope.

  I won't speak on the validity of the attack described - just your assumptions.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPhHvnIqHRg3pndX9AQFIrAQAx3VRey8Fk7bNz6MMjz59XUjW4NVLs/XL
X9MyyWdgA1NmkyzieycGdQQ40LvbLgbe99kJ3KAtVMLpzAO53hYxMjRwGxkYr0Tx
2UdxmRtufv4VgjOuQJEJT43UjaF02etMnAvS6Ex+bg9KZxarTCZvCo5mzV+cjOox
Jc26MFRByO8=
=37XJ
-----END PGP SIGNATURE-----

References:
- identity-misbinding attack on SLA
  - From: Hugo Krawczyk <hugo@ee.technion.ac.il>

Prev by Date: No Subject
Next by Date: Re: Secure legacy authentication for IKEv2
Prev by thread: identity-misbinding attack on SLA
Next by thread: a change to the signature processing in IKEv2
Index(es):
- Date
- Thread