[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Possible problem in IKEv2?

To: <ipsec@lists.tislabs.com>
Subject: Possible problem in IKEv2?
From: Pasi.Eronen@nokia.com
Date: Fri, 31 Oct 2003 11:49:58 +0200
Sender: owner-ipsec@lists.tislabs.com
Thread-Index: AcOflFhkn62JH09oTWaVIAAE8m9cMA==
Thread-Topic: Possible problem in IKEv2?

Hi,

When using a non-key-generating EAP method, the initiator never
generates any AUTH payloads. In this case, KEi/Ni are authenticated
implicitly (by the ability to provide correct EAP Responses
that are protected with SK_ai). However, it seems the client's 
AUTH payload has a second purpose as well: to provide integrity 
protection for the first message. 

If the initiator never generates an AUTH payload, is there anything 
that prevents an attacker from, e.g., removing some proposals 
from SAi1? (Or modifying some other payloads than KEi/Ni in the 
first message?)

(Or have I missed some detail of this?)

If this is indeed the case, I think the easiest solution would be 
to always include the AUTH payloads; if the EAP method does not 
generate keys, use some known fixed string (such as a single zero 
octet) as the key. Since the AUTH payload is protected by SK_ai, 
this should ensure that the first message was not modified (by 
someone who doesn't know the initiator's private DH value).

Best regards,
Pasi

Prev by Date: Re: question about draft-ietf-ipsec-nat-t-ike-07
Next by Date: Re: 2401bis Issue # 89 -- Remove the selector "name"
Prev by thread: Re: question about draft-ietf-ipsec-nat-t-ike-07
Next by thread: Fwd: Certicom IP Rights
Index(es):
- Date
- Thread