[Swan] xauthby=alwaysok discussion

Philippe Vouters philippe.vouters at laposte.net
Fri Mar 8 00:12:09 EET 2013


Paul,

Thank you so much for this clarification.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 07/03/2013 22:59, Paul Wouters wrote:
> On Thu, 7 Mar 2013, Philippe Vouters wrote:
>
>> Something looks incorrect in your answer. One should not be able to 
>> get a user credentials even if in the same Wifi zone as the user 
>> credentials should be part of encrypted data whose encryption 
>> algorithm is negotiated between the two peers. As per my experience 
>> with IPSec, I have so far been unable to read my own credentials 
>> using Wireshark on the PC where I run the Shrew VPN client
>
> Yes, but that is encrypted by a Diffie-Hellman Key Exchange. But you do
> not know for sure _who_ you established that DH session with, until you
> have completed authentication. To see that illustrated, see:
>
> http://arvindtm.com/2008/06/understanding-ipsecike-phase-1.html
>
> (although their description of DH is not entirely correct)
>
> DH gives you privacy from eavesdroppers, but not identification. So if
> my laptop answers on behalf of the remote gateway, your VPN client will
> set up DH to me, and no one but you and me knows what is sent over this
> connection. If you then authenticate me with PSK (which we both happen
> to know), then you cannot tell me apart from the real gateway. If we
> used RSA, I would not be able to prove to you I have the private key
> that belongs to the public key/cert of the gateway. And you would abort
> the connection before sending me your XAUTH credentials.
>
>
> Paul
>
>
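Added illustration (not part of the thread, and not Libreswan code): a toy model of the phase 1 argument above. The DH step completes with any responder; what decides whether the client goes on to send XAUTH credentials is the AUTH check, and a PSK check passes for any responder that knows the group PSK, while a signature check only passes for a responder holding the gateway's private key. The group parameters, PSK, textbook RSA key, transcript format and the `held` dictionary are all constructed for the example.

```python
import hashlib
import hmac
import secrets
# Toy parameters, constructed for illustration only (far too small for real use).
P, G = 2**127 - 1, 5                       # DH modulus (a Mersenne prime) and base
GROUP_PSK = b"corporate-vpn-group-secret"  # the PSK every road warrior is given
GATEWAY_PUB = (3233, 17)                   # textbook RSA (n, e) from the gateway cert
GATEWAY_PRIV = (3233, 2753)                # (n, d) held only by the real gateway

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def transcript(c_pub, r_pub):
    # Both DH public values, so the AUTH payload is bound to this exchange.
    return c_pub.to_bytes(16, "big") + r_pub.to_bytes(16, "big")

def psk_auth(c_pub, r_pub, psk):
    return hmac.new(psk, transcript(c_pub, r_pub), hashlib.sha256).digest()

def rsa_digest(c_pub, r_pub, n):
    return int.from_bytes(hashlib.sha256(transcript(c_pub, r_pub)).digest(), "big") % n

def rsa_auth(c_pub, r_pub, priv):
    n, d = priv
    return pow(rsa_digest(c_pub, r_pub, n), d, n)

def rsa_verify(c_pub, r_pub, sig, pub):
    n, e = pub
    return pow(sig, e, n) == rsa_digest(c_pub, r_pub, n)

def client_accepts(mode, held):
    """Phase 1 from the client's side: DH with whoever answered, then check its AUTH.
    `held` is what that responder actually knows. True means XAUTH credentials follow."""
    (c_priv, c_pub), (r_priv, r_pub) = dh_keypair(), dh_keypair()
    # DH alone succeeds with any responder: privacy from eavesdroppers, no identity.
    assert dh_shared(c_priv, r_pub) == dh_shared(r_priv, c_pub)
    if mode == "psk":
        if "psk" not in held:
            return False
        proof = psk_auth(c_pub, r_pub, held["psk"])
        return hmac.compare_digest(proof, psk_auth(c_pub, r_pub, GROUP_PSK))
    if "rsa_priv" not in held:  # no private key, so no signature can be produced
        return False
    return rsa_verify(c_pub, r_pub, rsa_auth(c_pub, r_pub, held["rsa_priv"]), GATEWAY_PUB)
REAL_GATEWAY = {"psk": GROUP_PSK, "rsa_priv": GATEWAY_PRIV}
OTHER_LAPTOP = {"psk": GROUP_PSK}  # knows the group PSK, not the gateway's private key
```

With `mode="psk"` both responders are accepted, which is exactly why a group PSK cannot tell the real gateway apart from another PSK holder; with `mode="rsa"` only the holder of the gateway key is.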
