[Swan-dev] [IPsec] Fwd: [Security] Cisco Patches Its Operating Systems Against New IKE Crypto Attack (fwd)

Paul Wouters paul at nohats.ca
Tue Aug 14 14:53:17 UTC 2018



---------- Forwarded message ----------
Date: Tue, 14 Aug 2018 10:48:13
From: Paul Wouters <paul at nohats.ca>
Cc: ipsec at ietf.org
To: Valery Smyslov <smyslov.ietf at gmail.com>
Subject: Re: [IPsec] Fwd: [Security] Cisco Patches Its Operating Systems Against New IKE Crypto Attack

On Tue, 14 Aug 2018, Valery Smyslov wrote:

> after reading the paper I still don’t understand why the authors mentioned
> IKEv2 there.
>
> Their example attack in Section 4.4 on (allegedly) IKEv2 in fact uses a
> secondary responder supporting IKEv1 Public Key Encryption mode, without
> which the attack is impossible (as far as I understand). So, in my opinion,
> the authors are at least not accurate in claiming that IKEv2 itself is
> susceptible. Or am I missing something?

I agree. I got limited information before publication (only about the
weak PSK parts, not the RSA parts) and also voiced concerns about their
IKEv2 claims.

While in IKEv1 you have an oracle when the message can be decrypted only
with the right PSK, in IKEv2 there is no such oracle, and you can only
do this online and check for a response or failure on sending a packet.

For the RSA case, it does depend on (Revised or not) Public Key Encryption
mode instead of (RSA or ECDSA) Digital Signatures and the authors do
state that IKEv2 is only 'vulnerable' if the RSA key is shared between
IKEv1 and IKEv2.

They also do some number games about how many packets you need to send
and how fast, and I found their description confusing. I think they
change SPI (cookies) and so these would be "new" exchanges so this has
to be the DH component, but even if you break DH in IKEv2, you haven't
broken the AUTH payload (or done anything to determine the PSK?).
And we all have rate-limits in place, so getting even 50,000 packets
(and thus 50,000 half-open SAs) tested before a connection is aborted
is not really feasible (although I guess it was for the vendors mentioned?).

And finally, this is all about RSA PKCS#1 v1.5 and does not work with RSA-PSS,
which is used when using RFC 7427?

Paul
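
The rate-limit argument above, as an added illustration that is not part of the original message and is not libreswan's (or any vendor's) real DDoS or half-open-SA logic: a toy IKE responder front-end that token-bucket limits new IKE_SA_INIT requests per source and caps the number of concurrent half-open (unauthenticated) SAs per source. The limits (10 inits/s, burst 20, 50 half-open SAs), the source addresses and the traffic patterns are all constructed for the example. It shows why a probe that needs tens of thousands of fresh exchanges from one source gets only a tiny fraction of them answered, while a normal peer rekeying every few seconds is never throttled.

```python
# Added illustration of the "rate-limits in place" argument: constructed
# example, NOT libreswan's real DDoS / half-open-SA code.
from __future__ import annotations
from dataclasses import dataclass, field

SCALE = 1_000_000  # tokens and time are integers (micro-tokens, microseconds)
                   # so the simulation is exact and reproducible


@dataclass
class PeerState:
    tokens_u: int                                   # remaining budget, micro-tokens
    last_us: int                                    # time of last refill
    half_open: set = field(default_factory=set)     # initiator SPIs awaiting IKE_AUTH


class IkeInitLimiter:
    """Per-source token bucket on IKE_SA_INIT plus a cap on half-open SAs."""

    def __init__(self, rate_per_sec: int = 10, burst: int = 20, max_half_open: int = 50):
        self.rate = rate_per_sec            # hypothetical steady-state inits/s per source
        self.burst_u = burst * SCALE        # hypothetical short burst allowance
        self.max_half_open = max_half_open  # hypothetical cap on unauthenticated SAs
        self.peers: dict[str, PeerState] = {}

    def _refill(self, src: str, now_us: int) -> PeerState:
        st = self.peers.get(src)
        if st is None:
            st = self.peers[src] = PeerState(tokens_u=self.burst_u, last_us=now_us)
        st.tokens_u = min(self.burst_u, st.tokens_u + (now_us - st.last_us) * self.rate)
        st.last_us = now_us
        return st

    def accept_init(self, src: str, spi: bytes, now_us: int) -> bool:
        """Decide whether an IKE_SA_INIT is allowed to create half-open state."""
        st = self._refill(src, now_us)
        if spi in st.half_open:
            return True                     # retransmit of a known SPI, no new state
        if len(st.half_open) >= self.max_half_open or st.tokens_u < SCALE:
            return False                    # dropped: no state, no response to probe
        st.tokens_u -= SCALE
        st.half_open.add(spi)
        return True

    def finish(self, src: str, spi: bytes) -> None:
        """IKE_AUTH succeeded or failed, or the half-open SA timed out."""
        st = self.peers.get(src)
        if st is not None:
            st.half_open.discard(spi)


def run(limiter: IkeInitLimiter, events, complete_each: bool) -> int:
    """Feed (time_us, src, spi) events; return how many inits obtained state."""
    accepted = 0
    for t_us, src, spi in events:
        if limiter.accept_init(src, spi, t_us):
            accepted += 1
            if complete_each:
                limiter.finish(src, spi)    # attempt fails AUTH at once, freeing its slot
    return accepted


def probe_burst(n_packets: int, duration_s: int, src: str = "198.51.100.7"):
    """Constructed traffic: one source sends n fresh-SPI inits over duration_s."""
    for i in range(n_packets):
        yield (i * duration_s * SCALE // n_packets, src, i.to_bytes(8, "big"))


def legit_peer(n: int, interval_s: int, src: str = "203.0.113.9"):
    """Constructed traffic: a normal peer starting a new exchange every interval_s."""
    for i in range(n):
        yield (i * interval_s * SCALE, src, (0xABC0 + i).to_bytes(8, "big"))


if __name__ == "__main__":
    # 50,000 inits in 10 s: only burst + rate*time of them ever get state
    print(run(IkeInitLimiter(), probe_burst(50_000, 10), complete_each=True))   # 119
    # same flood but the exchanges are left hanging: the half-open cap binds first
    print(run(IkeInitLimiter(), probe_burst(50_000, 10), complete_each=False))  # 50
    # a legitimate peer is unaffected
    print(run(IkeInitLimiter(), legit_peer(5, 2), complete_each=True))          # 5
```

Dropped packets get no reply at all, which matters for the oracle question raised above: a limiter that answered with an error would itself leak one bit per probe, so the silent drop is part of the defence, not just a capacity measure.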

_______________________________________________
IPsec mailing list
IPsec at ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
