Paul Wouters writes:
> I agree. I got limited information before publication (only about the
> weak PSK parts, not the RSA parts) and also voiced concerns about their
> IKEv2 claims.
>
> While in IKEv1 you have an oracle when the message can be decrypted only
> with the right PSK, in IKEv2 there is no such oracle, and you can only
> do this online and check for a response or failure on sending a packet.
Not true.
In IKEv2 you can do an active attack to do an offline dictionary attack.
When Alice is trying to connect to Bob, Mallory will take those
packets and respond to them, without forwarding anything to Bob. When
Alice sends her IKE_AUTH payload, you can decrypt it as you were a
party in the IKE_SA_INIT, i.e., you know the Diffie-Hellman secrets.
Then you simply calculate the InitiatorSignedOctets (you know
everything needed there), and do
for every "Shared Secret" in dictionary
calculate prf( prf(Shared Secret, "Key Pad for IKEv2"),
<InitiatorSignedOctets>)
if that matches the AUTH payload Alice sent, you know the Shared Secret.
You can do that offline without any problems. That is why RFC7296 says
the Shared Secret needs to be secure; deriving it from a weak password
etc. is not secure (this is mentioned several times in RFC7296).
Because this is a known fact, we created the Secure Password Framework
(RFC6467) to allow us to make secure password methods for IKEv2. From
the Introduction:
The IPsecME working group was chartered to provide for IKEv2
([RFC5996]) a symmetric secure password authentication protocol that
supports the use of low-entropy shared secrets, and to protect
against off-line dictionary attacks without requiring the use of
certificates or the Extensible Authentication Protocol (EAP).
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec