If they are able to do attacks against SHA-1 without chosen-prefix in
the beginning, then it does not matter where the cookie is.

Right.

If they
cannot do that, then their attack does not work as long as either SPIi
or SPIr is random.

I mean if they can do the attack even when the SPIs are random, then they
can also do the attack when the cookie is in the end, as the only thing
they need to change during the exchange is g^x to g^x', so they can
just then force the hash to be the same where

HASH(SA_INIT(SAi | g^x | ni | infoi | ck(C1))) ==
HASH(SA_INIT(SAi | g^x' | ni | infoi | ck(C2)))

where C1 and C2 are just selected so that they make the hash the same even
when SPIi and SPIr, and g^x, are different...

Note that the attacker must do that online, and g^x is unpredictable (in addition to SPIi). If finding a collision depends on the amount
of unpredictable data, then moving ck to the end would help. If not, it won't.

Regards,
Valery.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
