Firewall Wizards mailing list archives

RE: Possibility of replay attacks in manually keyed IPsec?


From: Ben Nagy <bnagy () cpms com au>
Date: Mon, 6 Dec 1999 10:19:50 +1030

DISCLAIMER: I am not a crypto geek. I am probably a better example of the
maxim that "free advice is worth every penny". However, I derive personal
enjoyment from answering this kind of question. ;)

-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson () enternet se]
Sent: Friday, 3 December 1999 6:24 PM
To: firewall-wizards () nfr net
Subject: Possibility of replay attacks in manually keyed IPsec?
Hello,

Quick question. I'm getting conflicting answers from different 
people, so I decided I'd hand it over to you guys:

Is IPsec vulnerable to replay attacks when IKE is configured
to use pre-shared keys, rather than basing the SA negotiation 
on certificates?

No.

You need to slog your way through RFC2049.[1] However, the gist is like
this:

Pre-shared keys are used for AUTHENTICATION. The key stuff actually used for
encryption in IPSec is really really algorithm specific. However, the basis
of this key stuff is always exchanged with an ephemeral Diffie-Hellman
exchange. If the keys were based on the choice of pre-shared key, everyone
would pick "S00per-S3cret" as their pre-share and entropy in the final key
would be reduced by orders of magnitude (cf. Microsoft's problem with
PPTPv2).[2]

As a filler for those who may be Diffie-Hellman challenged, Diffie Hellman
is a really cool method of exchanging a secret using public-key style
crypto. I won't bore you too much, but it turns out that two parties can
both generate random numbers independently and then use public data to
perform a public-key style exchange. At the end of this exchange they both
share a secret. Maybe I don't get out enough, but I think that _rocks_.
However, if that's not cool enough for you, check out Diffie-Hellman public
groups 3 and 4 (in RFC2049) which are based on Elliptic Curves instead of
those clunky old fashioned Big Primes. Mmmm, curves.

DH by itself is easy to attack Person-in-the-Middle style - that's why we
also use some sort of authentication. For pre-shared keys the authentication
is based on IP address and the shared key. [3]

In short, IPSec with pre-shared keys is not preferred because the
authentication is weaker, it requires IP addresses for main mode exchange
and key management is an absolute bitch. However AFAIK the actual crypto is
just as strong.

I'd imagine that if IPsec itself uses fixed encryption keys,
it would be vulnerable to replay attacks, but this is not
the case. Here, we only handle fixed keys to IKE, so the
fixed keys only get used in the SA negotiation.

So, hopefully this is answered above...


Thanks in advance,
/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se

Cheers,

[1] http://www.faqs.org/rfcs/rfc2409.html
[2] http://www.l0pht.com/advisories/pptpv2.pdf
[3] http://www.rsasecurity.com/rsalabs/faq/
[4] There is no four.

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 
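Ben's point that the pre-shared key only authenticates the exchange while the session key comes from ephemeral Diffie-Hellman, sketched in Python as an added example (not code from the thread, and not IKE's real SKEYID construction; the toy group, the HMAC authenticator and the key derivation are simplifying assumptions):

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only (NOT an IKE group; IKE uses
# the MODP groups from RFC 2409 / RFC 3526). 2**127 - 1 is a Mersenne prime.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Fresh ephemeral exponent per exchange: (private x, public g^x mod p)."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def psk_auth_tag(psk, my_pub, peer_pub, my_nonce, peer_nonce):
    """Hypothetical IKE-style authenticator: HMAC keyed with the pre-shared
    key over the DH public values and nonces. The PSK proves identity and
    never feeds into the session key."""
    msg = my_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
    return hmac.new(psk, msg + my_nonce + peer_nonce, hashlib.sha256).digest()


def derive_key(shared, ni, nr):
    """Session key from the DH result and nonces only (simplified)."""
    return hashlib.sha256(shared.to_bytes(16, "big") + ni + nr).digest()


def run_exchange(psk_initiator, psk_responder):
    """One authenticated exchange; returns (auth_ok, initiator_key, responder_key)."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # Each side tags its own public value with its PSK ...
    tag_i = psk_auth_tag(psk_initiator, gi, gr, ni, nr)
    tag_r = psk_auth_tag(psk_responder, gr, gi, nr, ni)
    # ... and checks the peer's tag with its own PSK (mismatch => no auth).
    ok = hmac.compare_digest(tag_i, psk_auth_tag(psk_responder, gi, gr, ni, nr)) and \
        hmac.compare_digest(tag_r, psk_auth_tag(psk_initiator, gr, gi, nr, ni))
    ki = derive_key(dh_shared(xi, gr), ni, nr)
    kr = derive_key(dh_shared(xr, gi), ni, nr)
    return ok, ki, kr
```

Two runs with the same weak PSK still yield different session keys, which is why a captured session cannot be replayed against a later SA; a wrong PSK leaves the DH maths intact but fails authentication.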
