[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ikev2-13 security consideration for knowing which credential to expect

To: <ipsec@lists.tislabs.com>
Subject: ikev2-13 security consideration for knowing which credential to expect
From: "William Dixon" <ietf-wd@v6security.com>
Date: Thu, 1 Apr 2004 21:31:01 -0500
Sender: owner-ipsec@lists.tislabs.com

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Since this security "vulnerability" has widely affected IKEv1
implementations, IKEv2 should provide a solution or at least a
security consideration that provides guidance.

Regarding this observation:

http://www.securityfocus.org/bid/9208/info/ 

"The vulnerability lies in the fact that some implementations fail to
thoroughly verify the authenticity of client/server certificates.
Allegedly, affected implementations will verify only the Certificate
Authority, not the specific certificate owner. As a result, by
impersonating a server or client and sending another host a specially
formatted certificate with a trusted CA, an attacker may be capable
of using this attack to carry out man-in-the-middle attacks against a
session carried out between a legitimate client and server."

I believe they mean "trusted main-in-the-middle" attack, where the
attacker has a certificate which is trusted somewhere under the CA or
CA root, but is not in fact the expected machine/user certificate
which the IKE initiation or response should be using for the peers
expected to be negotiating.

Generally - the responder is faced with a difficult situation of
verifying in some automated way that the initiator should be using a
particular public/private key pair or perhaps certificate credential
(if cert contents matter to authorizations). Likewise, the initiator
is faced with a decision of what specific key or credential/identity
to expect from the responder.

With additional infrastructure, (the communication to which must be
equally secure as the properties which IKE seeks to achieve in using
this credential), this might be possible. But I don't see an easy way
to solve the problem, say for a server that may be contacted by any
client in the Internet.

Comments ?

Thanks,
Wm

V6 Security, Inc.
http://www.v6security.com



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQGzQZXeaysMUl8VcEQJkowCePsdSyWTyrZkBkDvl2OmlKosYTPoAnRc4
zgaE1nqxrnH5b1jJ/4MUfrf1
=KY/P
-----END PGP SIGNATURE-----

Prev by Date: RE: clarification on IKEv2 with EAP
Next by Date: RE: clarification on IKEv2 with EAP
Previous by thread: RE: Issue 83 will be withdrawn
Next by thread: ikev2-13 section 1.1.2 end-to-end diagram says "tunnel" add reference to RFC 1958, 2775, etc
Index(es):
- Date
- Thread