Hi Jun,
 
the attacker cannot (and does not) change authentication information sent by
R. Thus, the initiator X would
think that it established an SA with Y (and that would match its policy),
but the responder Y would think that it established SA with A
(assuming the Y's policy allows both X and A to connect to it).
 
Regards,
Valery.
 
First, there is a stronger variant not described in -00 that doesn't require
compromising either of the victim peers. This attack is described in the
original thread [1] and we have also added a description of the draft [2].
To mount the attack, rather than compromise the victim initiator, the
attacker can be any initiator that the victim responder is configured to
speak to. The key observation is that the downgrade happens before the
initiator identifies itself to the peer. This means the attacker can simply
authenticate itself with its own signing key. We refer to this as an
"identity misbinding" attack in the draft.
 
[HJ] so there are 3 parties: X (initiator), Y (responder) and A (attacker),
R is configured to speak both X and A, but I would expect X is configured to
speak only to Y, for example X typically would check received certificate's
SAN or subject to see if it matches the Y's FQDN, so if A can't forge Y's
certificate, wouldn't X just fail the setup after checking received
certificate? 
_______________________________________________
IPsec mailing list -- ipsec@ietf.org
To unsubscribe send an email to ipsec-le...@ietf.org

Reply via email to