[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The remaining IKEv2 issues



Michael Thomas wrote:
> Sorry if I've lamely missed this, but can somebody
> in a nutshell describe the attack here? I'm not
> quite groking what's being discussed here...

The problem is any type of compound authentication, where
there's one outer and one inner authentication that are not
tied together cryptographically. This problem was first found for
an IETF protocol called PIC, which tried to use EAP to
generate certs for IKE. But it applies to any compound
authentication, such as TLS + HTTP Digest, EAP within EAP,
etc. The "kg EAP method" comes from the ability of newer
EAP authentication methods to produce keys, and the
keys enable you to make the cryptographic binding.

Here's the attack: Lets assume you have the FOO method
to authenticate, a perfect method in all respects. Then
you have the BAR protocol which has the capability to
use FOO inside itself. BAR is also perfect.
Now, you go to Alice, user of FOO (who hasn't perhaps
even heard of BAR). You pretend to be her peer and
ask her to authenticate using FOO. She does so, and you
tunnel all authentication packets via BAR to Bob,
who supports FOO-over-BAR. In the end, Alice believes she
authenticated to Bob, and Bob believes he authenticated
to Alice. In reality the other end of BAR is not Alice,
its the attacker. The attacker then proceeds to do
whatever he can with that fact. In the case of IKEv2,
he'd be able to send and receive packets to Bob as Alice.

The conditions of the attack are

(1) Same credentials used for multiple purposes
(2) No cryptographic binding between the authentications

--Jari