On Tue, 14 Aug 2018, Scott Fluhrer (sfluhrer) wrote:
>>> This is not a MITM attack, this is an impersonation attack.

>> If it is not a MITM, then the original connection will establish.

> What original connection? Mallet (the attacker) claims to be Alice (a valid
> node), and initiates to Bob. When Mallet needs to include Alice's signature in
> the exchange, he performs a Bleichenbacher attack against the real Alice, to
> compute what the signature needs to be. Then, Mallet uses that signature to
> fool Bob into thinking he is talking to Alice. Since Alice never had any idea
> she was supposed to be talking to Bob, she'll never send any packets his way...

How does Mallet get both Bob and Alice to use the same IKE SPIs?
AUTH is computed over:
InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI
GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR
RealIKEHDR = SPIi | SPIr | . . . | Length
RealMessage1 = RealIKEHDR | RestOfMessage1
NonceRPayload = PayloadHeader | NonceRData
InitiatorIDPayload = PayloadHeader | RestOfInitIDPayload
RestOfInitIDPayload = IDType | RESERVED | InitIDData
MACedIDForI = prf(SK_pi, RestOfInitIDPayload)
Note it contains SPIi and SPIr.
Paul
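
An added example, not part of the original message: the octet layout quoted above assembled in Python, to show that the bytes the initiator signs change with the header SPI fields and with the responder's nonce. HMAC-SHA256 as the prf, the key, SPIs, nonces, identity and payload bytes are all constructed assumptions.

```python
import hashlib
import hmac
import struct

IKE_HDR_LEN = 28  # SPIi(8) | SPIr(8) | next payload, version, exchange, flags | msg ID | length

def real_ike_hdr(spi_i: bytes, spi_r: bytes, length: int) -> bytes:
    """RealIKEHDR = SPIi | SPIr | . . . | Length"""
    assert len(spi_i) == 8 and len(spi_r) == 8
    # Next payload 33 (SA), version 2.0, exchange 34 (IKE_SA_INIT),
    # flags 0x08 (Initiator), message ID 0, then the total message length.
    return spi_i + spi_r + struct.pack("!BBBBII", 33, 0x20, 34, 0x08, 0, length)

def real_message1(spi_i: bytes, spi_r: bytes, rest_of_message1: bytes) -> bytes:
    """RealMessage1 = RealIKEHDR | RestOfMessage1"""
    total = IKE_HDR_LEN + len(rest_of_message1)
    return real_ike_hdr(spi_i, spi_r, total) + rest_of_message1

def maced_id_for_i(sk_pi: bytes, id_type: int, init_id_data: bytes) -> bytes:
    """MACedIDForI = prf(SK_pi, IDType | RESERVED | InitIDData)"""
    rest_of_init_id_payload = bytes([id_type]) + b"\x00" * 3 + init_id_data
    # Assumption: the negotiated prf is HMAC-SHA256.
    return hmac.new(sk_pi, rest_of_init_id_payload, hashlib.sha256).digest()

def initiator_signed_octets(message1: bytes, nonce_r_data: bytes, maced_id: bytes) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI"""
    return message1 + nonce_r_data + maced_id

def header_spis(message1: bytes):
    """Return the (SPIi, SPIr) fields carried in the message-1 header."""
    return message1[0:8], message1[8:16]

# Constructed sample values, not taken from any capture.
SK_PI = bytes(range(32))
REST_OF_MESSAGE1 = b"\xaa" * 64      # stands in for the SA, KE and Ni payloads
ID_RFC822_ADDR = 3
INIT_ID_DATA = b"alice@example.org"

def signed_octets_for(spi_i: bytes, nonce_r_data: bytes, spi_r: bytes = b"\x00" * 8) -> bytes:
    # spi_r is whatever the message-1 header carries (zero in this constructed request).
    msg1 = real_message1(spi_i, spi_r, REST_OF_MESSAGE1)
    maced = maced_id_for_i(SK_PI, ID_RFC822_ADDR, INIT_ID_DATA)
    return initiator_signed_octets(msg1, nonce_r_data, maced)

if __name__ == "__main__":
    base = signed_octets_for(b"\x11" * 8, b"\x01" * 32)
    print("other SPIi, same octets? ", base == signed_octets_for(b"\x22" * 8, b"\x01" * 32))
    print("other Nr,   same octets? ", base == signed_octets_for(b"\x11" * 8, b"\x02" * 32))
```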