> -----Original Message-----
> From: Paul Wouters <[email protected]>
> Sent: Tuesday, August 14, 2018 11:56 AM
> To: Scott Fluhrer (sfluhrer) <[email protected]>
> Cc: [email protected]; Valery Smyslov <[email protected]>
> Subject: Re: [IPsec] Fwd: [Security] Cisco Patches Its Operating Systems Against New IKE Crypto Attack
>
> On Tue, 14 Aug 2018, Scott Fluhrer (sfluhrer) wrote:
>
> >>> This is not a MITM attack, this is an impersonation attack.
> >>
> >> If it is not a MITM, then the original connection will establish.
> >
> > What original connection? Mallet (the attacker) claims to be Alice (a valid
> > node), and initiates to Bob. When Mallet needs to include Alice's signature in
> > the exchange, he performs a Bleichenbacher attack against the real Alice, to
> > compute what the signature needs to be. Then, Mallet uses that signature
> > to fool Bob into thinking he is talking to Alice. Since Alice never had any idea
> > she was supposed to be talking to Bob, she'll never send any packets his
> > way...
>
> How does Mallet get both Bob and Alice to use the same IKE SPI's ?
>
> AUTH is computed over:
>
> InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI
> GenIKEHDR = [ four octets 0 if using port 4500 ] | RealIKEHDR
> RealIKEHDR = SPIi | SPIr | . . . | Length
> RealMessage1 = RealIKEHDR | RestOfMessage1
> NonceRPayload = PayloadHeader | NonceRData
> InitiatorIDPayload = PayloadHeader | RestOfInitIDPayload
> RestOfInitIDPayload = IDType | RESERVED | InitIDData
> MACedIDForI = prf(SK_pi, RestOfInitIDPayload)
>
> Note it contains SPIi and SPIr.
One of us is missing something. I believe that the attack under discussion was one where the attacker initiates the exchange with Bob, and follows the protocol faithfully with Bob (except where he gets the signature from). He needs to get the signature of the above InitiatorSignedOctets; he knows what the string 'InitiatorSignedOctets' is; the only thing he can't do easily is generating that signature. He doesn't try to fool Alice into generating that signature directly; as you point out, that would be difficult. Instead, what Bleichenbacher's attack does is allow him to compute what the signature would be, given an Oracle that will tell him whether a specific ciphertext will decrypt into a valid PKCS #1 padded plaintext (and making a large number of queries to the Oracle). That is what he uses the connection with Alice for, to act as that Oracle. It doesn't matter what SPI's he and Alice are using; the only thing he cares about in the Alice exchanges is whether certain carefully crafted RSA ciphertexts decrypt to plausible RSA plaintexts, or generate errors during decryption.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
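Added illustration, not part of the thread: the "Oracle" in the reply is simply a PKCS #1 v1.5 decryptor whose failure on bad padding is observable by the peer. The toy below (constructed demo key built from two Mersenne primes, far too small for real use) shows a leaky decryptor beside one that returns a uniformly shaped result whether or not the padding was valid, which is the check a defender wants when auditing an RSA-encryption code path.

```python
import os
import secrets

# Constructed toy RSA key (two Mersenne primes); real keys are 2048 bits or more.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 block: 00 || 02 || PS (>= 8 non-zero random bytes) || 00 || M."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def encrypt(msg: bytes) -> bytes:
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), E, N).to_bytes(K, "big")


class PaddingError(Exception):
    """Raised by the leaky decryptor: the error itself is the oracle signal."""


def leaky_decrypt(ct: bytes) -> bytes:
    """Reports padding failures to the caller, i.e. behaves as a padding oracle."""
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        raise PaddingError("invalid PKCS#1 v1.5 block")  # distinguishable outcome
    return em[sep + 1:]


def hardened_decrypt(ct: bytes, expected_len: int) -> bytes:
    """Same outcome shape on success and failure: expected_len bytes either way,
    random on failure, so the peer cannot learn whether padding was valid.
    (Timing uniformity is a separate concern not addressed by this toy.)"""
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    fallback = os.urandom(expected_len)  # fresh per call, never reused
    sep = em.find(b"\x00", 2)
    ok = em[:2] == b"\x00\x02" and sep >= 10 and len(em) - sep - 1 == expected_len
    return em[sep + 1:] if ok else fallback


def padding_error_observable(ct: bytes) -> bool:
    """Audit helper: True if the leaky path exposes a padding failure for ct."""
    try:
        leaky_decrypt(ct)
        return False
    except PaddingError:
        return True
```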
