> -----Original Message-----
> From: IPsec <[email protected]> On Behalf Of Paul Wouters
> Sent: Tuesday, August 14, 2018 10:48 AM
> To: Valery Smyslov <[email protected]>
> Cc: [email protected]
> Subject: Re: [IPsec] Fwd: [Security] Cisco Patches Its Operating Systems Against New IKE Crypto Attack
>
> On Tue, 14 Aug 2018, Valery Smyslov wrote:
>
> > after reading the paper I still don't understand why the authors mentioned IKEv2 there.
> > Their example attack in Section 4.4 on (allegedly) IKEv2 in fact uses a secondary responder
> > supporting IKEv1 Public Key Encryption mode, without which the attack is impossible (as far as
> > I understand). So, in my opinion, the authors are at least not accurate in claiming
> > that IKEv2 itself is susceptible. Or am I missing something?
>
> I agree. I got limited information before publication (only about the weak PSK
> parts, not the RSA parts) and also voiced concerns about their IKEv2 claims.

Their argument is 'if you use the same RSA key for IKEv1 PKE authentication, *and* IKEv2 authentication, then you can use the Bleichenbacher Oracle within IKEv1 to attack a current IKEv2 exchange' (see section 4.4 of the paper).

> While in IKEv1 you have an oracle when the message can be decrypted only
> with the right PSK, in IKEv2 there is no such oracle, and you can only do this
> online and check for a response or failure on sending a packet.
>
> For the RSA case, it does depend on (Revised or not) Public Key Encryption
> mode instead of (RSA or ECDSA) Digital Signatures, and the authors do state
> that IKEv2 is only 'vulnerable' if the RSA key is shared between
> IKEv1 and IKEv2.
>
> They also do some number games about how many packets you need to
> send and how fast, and I found their description confusing. I think they
> change SPI (cookies) and so these would be "new" exchanges, so this has to
> be the DH component, but even if you break DH in IKEv2, you haven't broken
> the AUTH payload

This is not a MITM attack, this is an impersonation attack.

> (or done anything to determine the PSK?).

Actually, the Bleichenbacher part of the paper is addressing signature authentication (certificates). They do mention an off-line dictionary attack against PSKs, however that's just a cite of previous work.

> And we all have rate-limits in place so getting even 50,000 packets (and thus
> 50,000 half-open SAs) tested before a connection is aborted is not really
> feasible (although I guess it was for the vendors mentioned?)

If the IKEv1 exchanges error out, and hence are closed, they wouldn't count as half-open; that would make the attack more feasible. I don't know how real IKEv1 implementations deal with it...

> And finally, this is all about RSA v1.5 and does not work with RSA-PSS, which is
> used when using RFC 7427?

Actually, going to an alternate RSA signature method doesn't protect you; it's the public key encryption in IKEv1 that is what's critical for the attack (and that you use the same RSA keys for both).

> Paul
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
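The condition the thread settles on is a configuration-level one: an RSA key is exposed when it is used by an IKEv2 signature profile *and* by some IKEv1 profile (possibly on a different responder) that still accepts Public Key Encryption mode, and switching signature scheme does not remove the exposure. The following audit is an added example, not code from the thread or from any vendor; the inventory format and the `rsa-encr`/`rsa-encr-revised` method names are assumptions made for the example, and the key fingerprints are constructed placeholders. It scans the whole inventory rather than one gateway, since the oracle may sit on a secondary responder.

```python
"""Audit an IKE profile inventory for RSA keys shared between IKEv1 PKE mode and IKEv2.

The inventory format is constructed for this example (not any vendor's
configuration syntax). Each record describes one IKE profile: protocol
version, authentication method, and the fingerprint of its RSA key, if any.
"""
from collections import defaultdict

# Constructed sample inventory; fingerprints are placeholders, not real keys.
INVENTORY = [
    {"gateway": "gw-a", "profile": "legacy-v1", "version": 1,
     "auth": "rsa-encr", "rsa_fpr": "AA:11"},      # IKEv1 Public Key Encryption mode
    {"gateway": "gw-a", "profile": "site-v2", "version": 2,
     "auth": "rsa-sig", "rsa_fpr": "AA:11"},       # IKEv2 signature auth, same key
    {"gateway": "gw-b", "profile": "partner-v1", "version": 1,
     "auth": "rsa-sig", "rsa_fpr": "BB:22"},       # IKEv1 with signatures: no PKE oracle
    {"gateway": "gw-b", "profile": "partner-v2", "version": 2,
     "auth": "rsa-sig", "rsa_fpr": "BB:22"},       # same key, but no PKE profile uses it
    {"gateway": "gw-c", "profile": "remote-v2", "version": 2,
     "auth": "psk", "rsa_fpr": None},              # no RSA key involved at all
]

# Assumed method names for IKEv1 Public Key Encryption mode (original and
# revised). Only these profiles provide the decryption oracle; the signature
# variant (PKCS#1 v1.5 or PSS) of the IKEv2 side is deliberately ignored,
# because changing it does not remove the exposure.
IKEV1_PKE_METHODS = {"rsa-encr", "rsa-encr-revised"}


def audit(inventory):
    """Return (pke_profiles, shared_fingerprints, exposed_ikev2_profiles).

    pke_profiles: IKEv1 profiles that accept PKE mode (the oracle itself).
    shared_fingerprints: RSA keys used by both a PKE profile and an IKEv2 profile.
    exposed_ikev2_profiles: IKEv2 profiles whose key appears in shared_fingerprints.
    """
    pke_profiles = [r for r in inventory
                    if r["version"] == 1 and r["auth"] in IKEV1_PKE_METHODS]
    pke_keys = {r["rsa_fpr"] for r in pke_profiles if r["rsa_fpr"]}

    ikev2_by_key = defaultdict(list)
    for r in inventory:
        if r["version"] == 2 and r["rsa_fpr"]:
            ikev2_by_key[r["rsa_fpr"]].append(r)

    shared = sorted(pke_keys & set(ikev2_by_key))
    exposed = [r for key in shared for r in ikev2_by_key[key]]
    return pke_profiles, shared, exposed


def findings(inventory):
    """Turn the audit result into one remediation line per affected profile."""
    pke_profiles, _shared, exposed = audit(inventory)
    out = []
    for r in pke_profiles:
        out.append(f"{r['gateway']}/{r['profile']}: IKEv1 PKE mode enabled; "
                   f"disable it or move the peer to signature authentication")
    for r in exposed:
        out.append(f"{r['gateway']}/{r['profile']}: IKEv2 profile uses RSA key "
                   f"{r['rsa_fpr']} also used by an IKEv1 PKE profile; "
                   f"give IKEv2 its own key")
    return out


if __name__ == "__main__":
    for line in findings(INVENTORY):
        print(line)
```

Note that gw-b shares a key between its IKEv1 and IKEv2 profiles but is not reported: its IKEv1 side uses signatures, so there is no decryption oracle to exploit. The audit flags exactly the two things the thread identifies as the fix, PKE mode itself and key sharing with it.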
