Re: SonicWall IKE pre-shared key length bug and security concern

[Ben Nagy <ben.nagy () MARCONI COM AU>]

> -----Original Message-----
> From: Steven Griffin [mailto:sgriffin () BAYSTARCAPITAL COM]
> Sent: Wednesday, March 28, 2001 6:34 AM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: SonicWall IKE pre-shared key length bug and security concern
>
>
> I have recently found a bug in the latest firmware
> (6.0.0.0) of SonicWall's Tele2 and SOHO firewalls.
>
> Product details:
> http://www.sonicwall.com/products/tele/details.html
> http://www.sonicwall.com/products/soho/details.html
>
> Bug disovery:
> I was recently configuring the Tele2 and SOHO
> versions of these firewalls[...]
> During my configuration setup I noticed that I
> could not configure an IKE pre-shared key longer
> than 48 bytes.  [...]
[...]
> Security concern:
> Obviously the limitation of using only a  48 byte key
> as opposed to using a full 128 byte key degrades the
> overall security of the firewall.

The "pre-shared key" here is only used for authentication, and never used to
encrypt data. It _does_ play a small part in the IKE keying material, but
it's deeply unclear as to whether even very VERY weak pre-shared keys
materially affect the entropy in the resultant keying material.

In plain terms: 3DES is actually a 168-bit key. The "shared key" entered
when configuring ISAKMP has nothing to do with this key. In any case, 48
bytes is (usually) 384 bits.

The only risk to having a weak "shared key" is an authentication attack,
however a random typeable "key" of even 20-30 characters should have
"enough" entropy for most applications. 48 _bytes_ of pre-shared key is
massive. I don't think an implementation that chooses to cap the shared
secret at 48 characters can be considered "buggy". I'm surprised that
Sonicwall acknowledged it as such, and even more surprised that they're
rushing a fix.

> Workarounds:
> Do not use pre-shared keys. Use certificates, your
> own or from a third party CA, instead.

Good idea. However we're talking about strong authentication here, not
strong encryption.

> If you must use pre-shared keys:
>   Use only static gateway addresses if possible.
>   Use a different key for each gateway.
>   Turn on Perfect Forwared Secrecy.
>   Set your key expiration time to a shorter interval.

All good advice. One more thing - if you're using 3DES for your encryption
algorithm for IKE then you should probably not be using DH group 1, as in
your config. I'd personally use Group 2, but Elliptic Curve fans may differ.

[...]
> Disclaimer and closing:
> I must say that I am not a security expert and I do not
> claim to be one.  My opinions are my own.  Use my
> opinions and the information in this posting at your
> own risk.  My intention for posting this information is
> to inform the BugTraq community about a possible
> security concern.
>
> Steven Griffin
> sgriffin () baystarcapital com

This doesn't appear to be a bug. It's an implementation choice (and not even
a bad one, IMO). 3DES provides about 112 "bits worth" of security. 48 bytes
of pre-shared key provides much more than 112 "bits worth" of entropy with a
well-chosen key so it's not a weak link.

Regards,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304