Bugtraq mailing list archives
Nortel Networks response to Contivity Extranet switch security concern
From: David Passamonte <dpassamo () NORTELNETWORKS COM>
Date: Wed, 28 Feb 2001 13:44:53 -0800
Bugtraq # <8CB7F81A5D17D31197A60008C7EBE37103341C9B () helsrv01 vaisala com>
Date Submitted: on Feb 26 2001 10:21:51

This note addresses security concerns raised around the use of single DES (1DES) in IKE Phase 1 exchanges.

Response to: Nortel CES (3DES version) offers false sense of security when using IPSec.

Point 1: The Nortel Networks Contivity Extranet switch provides IPSec Triple DES (3DES) data encryption using IKE main mode and IKE aggressive mode key exchange in accordance with IETF RFC 2409.

Point 2: The Phase 1 established ISAKMP SA key material is obtained from the Phase 1 D-H key exchange. Any encrypted IKE messages exchanged over the ISAKMP SA will use this key, i.e. phase 2 messages. Cracking the Phase 1 key does NOT expose phase 2 encrypted data.

Point 3: Phase 2 key material, which is obtained using the Phase I SA, is also obtained from a D-H key exchange if Perfect Forward Secrecy (PFS) is enabled. PFS is enabled by default for all versions of the Contivity Extranet Switch.

Point 4: Phase 1 D-H group 2 support with 3DES is available in V03_50.44. Nortel Networks recommends upgrading to this version of software if there are concerns surrounding this issue.

As stated above, all versions of Contivity software have Perfect Forward Secrecy (PFS) enabled by default. For situations where D-H group 1/DES IKE phase 1 exchanges are not deemed adequate, the Nortel Networks default value with PFS should be used in conjunction with frequent re-keying. PFS initiates an IKE phase 2 QM exchange and performs a new D-H exchange under the protection of an existing IKE SA to derive new keying material independent of the original keying material generated in IKE phase 1.

At no time does the use of D-H group 1/DES imply that the IPSec data channels are subject to attack based on the compromise of a single 56-bit key as suggested. The relative cryptographic strength of a Group 1 D-H exchange is much greater than that of 56-bit DES CBC.

Therefore, with PFS enabled, cracking of the 56-bit DES CBC key used to protect the IKE SA does NOT compromise the 3DES CBC key material protecting the IPSec data channel.

While it is recognized 56-bit DES is not recommended by the cryptographic community, measures can be taken with software pre-dating v02_62.x to extend the privacy lifetime of data protected by IPSec 3DES. Taking the following measures will extend the privacy lifetime of data far beyond the privacy lifetime of 56-bit DES when brute force or plain-text attacks are employed.

* Use PFS
* Use IPSec w/ 3DES/SHA-1
* Re-key often
* Use RSA digital signatures

Nortel Networks has implemented Diffie-Hellman group 2 with 3DES for IKE phase 1 in v03_50.44 and recommends upgrading to this version of software if concerns exist surrounding this issue.

It should be noted that implementations of IKE that do NOT support Diffie-Hellman Group I exchanges are not compliant with the current IPSec standard. It is for this reason that the Contivity product continues to support these groups. The administrator can always choose to disable these groups if so desired.

Important notes and details clarification:

* It was cited that the EAC will fall back to DES_CBC if the initial IKE SA proposal cannot be negotiated for 3DES_CBC. This is ONLY true if configured so by the administrator. IKE Phase 1 parameters may be configured as follows:

    3DES with DH group 2
    DES with DH group 1
    Both 3DES with DH group2 and DES with DH group1

  If support of client software predating v02_62 (DES with DH group1) is NOT desired, select 3DES with DH group 2 ONLY. The same applies for branch office connections when negotiating down to DES_CBC is NOT desired.

* The example cited shows an aggressive mode IKE SA being negotiated for branch office connections. The CES uses only IKE main mode for branch office connections.

The comments regarding upgrades and configuring IPSec settings state:

> After upgrade you should check the IPSEC settings for Profiles/Groups and Profiles/Branch office. The setting is named "IKE Encryption and Diffie-Hellman Group" and it can be set to 56-bit or to 128-bit encryption. Unfortunately you have to upgrade all your Extranet Access Clients at once, because the setting is exclusive. You cannot have both 56 and 128 bits encryption for IKE activated.

The "IKE Encryption and Diffie-Hellman Group" field actually allows for configuration of:

    56-bit DES with Group1 (768-bit prime) or
    3DES with Group2 (1024-bit prime)

not 56-bit or 128-bit. As the author pointed out earlier, 3DES has a 168-bit effective key space.

In addition the CES uses an LDAP directory structure that allows user centric profile configuration. If you want to use both 56-bit DES clients (client software pre-dating v02_62) and DES/3DES Group1 and Group2 clients (client software v02_62 and higher) simply create a group profile for each. You DO NOT have to upgrade all client software in the field.

As always Nortel Networks Contivity team is committed to providing devices of the highest quality and security. Peer review is a critical component of the evolving security framework used today, and appreciates the interest given in this area by others.

The CES is currently certified in several areas to FIPS certification criteria as follows:

* CES is FIPS 140-1 level 2 certified, certificate #98
  http://csrc.nist.gov/cryptval/140-1/1401val2000.htm
* The CES implementation of SHA-1 is FIPS certified, certificate #31
  http://csrc.nist.gov/cryptval/dss/dsaval.htm#SHAvals
* The CES implementation of DES is FIPS certified, certificate #48
  http://csrc.nist.gov/cryptval/des/desval.html

Nortel Networks considers this resolution to bugtraq # <8CB7F81A5D17D31197A60008C7EBE37103341C9B () helsrv01 vaisala com>
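
The key derivation that Points 2 and 3 refer to, following RFC 2409, as an added example that is not part of the original message or Nortel's code. It assumes HMAC-SHA1 as the prf, signature authentication, and a small constructed D-H group (`P`, `G`) standing in for Oakley group 1 or 2; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the demo only (constructed; NOT Oakley group 1 or 2).
P = 2**127 - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 standing in for the negotiated prf (assumption of this example)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Shared secret g^xy as a fixed-length byte string."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def phase1_keys(g_xy: bytes, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes):
    """RFC 2409 section 5 derivation, signature-authentication variant."""
    skeyid = prf(ni + nr, g_xy)
    tail = g_xy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")             # seeds phase 2 KEYMAT
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")  # authenticates ISAKMP SA traffic
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")  # encrypts ISAKMP SA traffic
    return skeyid_d, skeyid_a, skeyid_e

def quick_mode_keymat(skeyid_d, protocol, spi, ni2, nr2, g_qm_xy=b""):
    """RFC 2409 section 5.5: g(qm)^xy is included only when PFS is used."""
    return prf(skeyid_d, g_qm_xy + protocol + spi + ni2 + nr2)

def demo():
    # Phase 1: both peers run D-H and derive the ISAKMP SA keys.
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    ni, nr, cky_i, cky_r = (secrets.token_bytes(n) for n in (16, 16, 8, 8))
    init = phase1_keys(dh_shared(a, B), ni, nr, cky_i, cky_r)
    resp = phase1_keys(dh_shared(b, A), ni, nr, cky_i, cky_r)
    # Phase 2 (Quick Mode): fresh nonces, and with PFS a fresh D-H exchange.
    ni2, nr2, spi = (secrets.token_bytes(n) for n in (16, 16, 4))
    c, d = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    C, D = pow(G, c, P), pow(G, d, P)
    esp = b"\x03"  # IPsec DOI protocol ID for ESP
    no_pfs = quick_mode_keymat(init[0], esp, spi, ni2, nr2)
    pfs_i = quick_mode_keymat(init[0], esp, spi, ni2, nr2, dh_shared(c, D))
    pfs_r = quick_mode_keymat(resp[0], esp, spi, ni2, nr2, dh_shared(d, C))
    return init, resp, no_pfs, pfs_i, pfs_r
```

One prf output is 20 bytes; 3DES needs 24, so RFC 2409 expands KEYMAT by iterating the prf, which this example leaves out.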