
IPSec/IKE Public Key Encryption Aggressive Mode vulnerability


Presentation Transcript


  1. IPSec/IKE Public Key Encryption Aggressive Mode vulnerability

         Initiator                          Responder
        -----------                        -----------
         HDR, SA, [ HASH(1),] KEi,
           <IDi>Pubkey_r,
           <Ni>Pubkey_r          ----->
                                            HDR, SA, KEr,
                                              <IDr>PubKey_i,
                                 <-----       <Nr>PubKey_i, HASH_R
         HDR, HASH_I             ----->

  2. • “Chess Grandmaster” attack

  3. Message flow with the Cheater relaying between Initiator and Responder:

         Initiator                      Cheater                       Responder
        -----------                   -----------                    -----------
         HDR, SA, KEi,
           <IDi>Pubkey_c,
           <Ni>Pubkey_c      ----->
                                       HDR, SA, KEi,
                                         <IDc>Pubkey_r,
                                         <Ni>Pubkey_r      ----->
                                                                      HDR, SA, KEr,
                                                                        <IDr>PubKey_c,
                                                           <-----       <Nr>PubKey_c, HASH_R
                                       HDR, SA, KEr,
                                         <IDc>Pubkey_i,
                             <-----      <Nr>Pubkey_i, HASH_C
         HDR, HASH_I         ----->
                                       HDR, HASH_C         ----->

  4. • HASH_x = prf(SKEIDxc, KEx|KEc|CKY-X|CKY-Y|IDxc)
       HASH_C = prf(SKEIDir, KEi|KEr|CKY-I|CKY-R|IDir)
       prf = HMAC or keyed MAC
       KEx = g^DHPrivKey_x, x = i, r
       SKEIDir = prf(HASH(Ni|Nr), CKY-I|CKY-R)
     • If the Cheater is not cooperating with either side, the attack is stopped in Phase 2.
     • If the Cheater is cooperating with the Initiator (the Cheater knows DHPrivKey_i), they can impersonate the Responder.
     • The attack is possible in both Main Mode and Aggressive Mode.

  5. • How to resolve the problem? Apply a signature in the first and second protocol messages:
       1. SIGNi(KEi)
       2. SIGNr(KEr)
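
As an added illustration (not part of the original slides), this Python sketch evaluates the SKEID and HASH formulas from slide 4 on constructed values to show what the Responder's hash check binds: knowledge of the nonces, not of the DH private key behind KE. HMAC-SHA256 as the prf, the toy DH group, the sample values and all function names are assumptions.

```python
import hashlib, hmac

P, G = 2**127 - 1, 5  # toy DH group, constructed for illustration only

def prf(key, data):
    # Slide 4: prf = HMAC or keyed MAC. HMAC-SHA256 is an assumption.
    return hmac.new(key, data, hashlib.sha256).digest()

def ke(priv):
    # KEx = g^DHPrivKey_x
    return pow(G, priv, P).to_bytes(16, "big")

def skeid(ni, nr, cky_i, cky_r):
    # SKEID = prf(HASH(Ni|Nr), CKY-I|CKY-R): nonces and cookies only
    return prf(hashlib.sha256(ni + nr).digest(), cky_i + cky_r)

def auth_hash(sk, ke_a, ke_b, cky_a, cky_b, ident):
    # HASH = prf(SKEID, KE|KE|CKY|CKY|ID), field order as on slide 4
    return prf(sk, ke_a + ke_b + cky_a + cky_b + ident)

def responder_accepts(received, ni, nr, cky_i, cky_r, ke_i, ke_r, claimed_id):
    # The Responder recomputes the hash from values it holds and compares.
    sk = skeid(ni, nr, cky_i, cky_r)
    expected = auth_hash(sk, ke_i, ke_r, cky_i, cky_r, claimed_id)
    return hmac.compare_digest(received, expected)

def demo():
    # Constructed sample values.
    ni, nr = b"\x01" * 16, b"\x02" * 16
    cky_i, cky_r = b"\xaa" * 8, b"\xbb" * 8
    ke_i, ke_r = ke(0x1234567), ke(0x7654321)
    # A sender that holds both nonces (slide 3: they were encrypted to its
    # public key) but neither DH private key builds the hash under its own ID.
    sk = skeid(ni, nr, cky_i, cky_r)
    h = auth_hash(sk, ke_i, ke_r, cky_i, cky_r, b"IDc")
    relayed_ke_ok = responder_accepts(h, ni, nr, cky_i, cky_r, ke_i, ke_r, b"IDc")
    # Without the right Nr the same sender is rejected: the nonce is the
    # only secret input, so the check proves decryption, not KE ownership.
    bad_sk = skeid(ni, b"\x00" * 16, cky_i, cky_r)
    bad = auth_hash(bad_sk, ke_i, ke_r, cky_i, cky_r, b"IDc")
    wrong_nonce_ok = responder_accepts(bad, ni, nr, cky_i, cky_r, ke_i, ke_r, b"IDc")
    return relayed_ke_ok, wrong_nonce_ok

if __name__ == "__main__":
    print(demo())
```

The first result shows the hash verifying for a KE value whose private exponent the sender never held; the second shows that only the nonce stops a sender who cannot decrypt.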
