Re: VPN using aggressive mode

["Chris McNab" <chris.mcnab () trustmatta com>]

Hi,

On Fri, 2003-11-21 at 21:58, Ranjeet Shetye wrote:
> Irrespective of all this, ALL phase 1s are secure, and ALL phase 2s are
> secure. I would not worry about the cleartext transmission of the ID -
> it IS leakage of information and to be "worried" about from the
> standpoint of someone designing a protocol or an architecture, but its
> implications for a lay user are not so great.

This is incorrect.

Aggressive mode IKE, if used with a pre-shared key (PSK), is vulnerable to a
very serious remote attack. A _remote_ attacker can negotiate an aggressive
mode connection to UDP/500, even if he does not know the PSK, and the PSK
will be hashed (using MD5 or SHA1) and returned to him from the gateway.
This hash can then be cracked offline, and access to the VPN granted.

Michael Thumann put together a PDF documenting this attack step-by-step,
available from:

http://www.ernw.de/download/pskattack.pdf

Obviously, the way to prevent this is two-fold:

- Use digital certificates (or two-factor auth with hybrid mode IKE) instead
of pre-shared keys.
- Disable aggressive mode IKE support if you are using pre-shared keys.


Regards,

Chris

Chris McNab
Technical Director

Matta Consulting
18 Noel Street
London W1F 8GN

http://www.trustmatta.com


---------------------------------------------------------------------------
----------------------------------------------------------------------------