Firewall Wizards mailing list archives
RE: Possibility of replay attacks in manually keyed IPsec?
From: Ben Nagy <bnagy () cpms com au>
Date: Mon, 6 Dec 1999 10:19:50 +1030
DISCLAIMER: I am not a crypto geek. I am probably a better example of the maxim that "free advice is worth every penny". However, I derive personal enjoyment from answering this kind of question. ;)
-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson () enternet se]
Sent: Friday, 3 December 1999 6:24 PM
To: firewall-wizards () nfr net
Subject: Possibility of replay attacks in manually keyed IPsec?

Hello,

Quick question. I'm getting conflicting answers from different people, so I decided I'd hand it over to you guys:

Is IPsec vulnerable to replay attacks when IKE is configured to use pre-shared keys, rather than basing the SA negotiation on certificates?
No. You need to slog your way through RFC2049.[1] However, the gist is like this:

Pre-shared keys are used for AUTHENTICATION. The key stuff actually used for encryption in IPSec is really really algorithm specific. However, the basis of this key stuff is always exchanged with an ephemeral Diffie-Hellman exchange. If the keys were based on the choice of pre-shared key, everyone would pick "S00per-S3cret" as their pre-share and entropy in the final key would be reduced by orders of magnitude (cf. Microsoft's problem with PPTPv2).[2]

As a filler for those who may be Diffie-Hellman challenged, Diffie-Hellman is a really cool method of exchanging a secret using public-key style crypto. I won't bore you too much, but it turns out that two parties can both generate random numbers independently and then use public data to perform a public-key style exchange. At the end of this exchange they both share a secret. Maybe I don't get out enough, but I think that _rocks_. However, if that's not cool enough for you, check out Diffie-Hellman public groups 3 and 4 (in RFC2049) which are based on Elliptic Curves instead of those clunky old fashioned Big Primes. Mmmm, curves.

DH by itself is easy to attack Person-in-the-Middle style - that's why we also use some sort of authentication. For pre-shared keys the authentication is based on IP address and the shared key.[3]

In short, IPSec with pre-shared keys is not preferred because the authentication is weaker, it requires IP addresses for main mode exchange and key management is an absolute bitch. However AFAIK the actual crypto is just as strong.
I'd imagine that if IPsec itself uses fixed encryption keys, it would be vulnerable to replay attacks, but this is not the case. Here, we only handle fixed keys to IKE, so the fixed keys only get used in the SA negotiation.
So, hopefully this is answered above...
Thanks in advance,
/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50   Fax: +46 (0)660 122 50   Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se   E-mail: mikael.olsson () enternet se
Cheers,

[1] http://www.faqs.org/rfcs/rfc2409.html
[2] http://www.l0pht.com/advisories/pptpv2.pdf
[3] http://www.rsasecurity.com/rsalabs/faq/
[4] There is no four.

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304   Mobile: +61 414 411 520
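The point Ben makes above (the pre-shared key authenticates the exchange; the encryption keys come from an ephemeral Diffie-Hellman secret) is easier to see in code. The following is an added example, not part of the thread and not anyone's IKE implementation. It follows the shape of RFC 2409 pre-shared-key authentication (SKEYID = prf(pre-shared-key, Ni_b | Nr_b), then a keyed hash over the DH values as the authenticator), but the DH group is a deliberately tiny 127-bit toy prime, the HASH_I/SKEYID_d formulas are simplified, and the helper names are invented for this illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for illustration): a 127-bit Mersenne
# prime with generator 3. Real IKE uses the RFC 2409 MODP groups or larger;
# a group this small offers no security and exists only to keep the code short.
P = (1 << 127) - 1
G = 3


def to_bytes(n: int) -> bytes:
    """Big-endian encoding of a non-negative integer, for feeding to the PRF."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def dh_keypair():
    """Ephemeral DH: a fresh random exponent x and the public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2          # x in [2, p-2]
    return x, pow(G, x, P)


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF; HMAC-SHA1 is one of the choices IKE can negotiate."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4, pre-shared-key mode:
       SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    This is the ONLY place the pre-shared key enters the computation."""
    return prf(psk, ni + nr)


def auth_hash(skeyid: bytes, g_own: int, g_peer: int, ni: bytes, nr: bytes) -> bytes:
    """Simplified HASH_I / HASH_R: proves the sender knows SKEYID (and so the
    PSK) and binds that proof to this exchange's DH public values and nonces."""
    return prf(skeyid, to_bytes(g_own) + to_bytes(g_peer) + ni + nr)


def session_key(skeyid: bytes, shared: int, ni: bytes, nr: bytes) -> bytes:
    """Simplified SKEYID_d: keying material derived from g^xy, the ephemeral DH
    secret, so it is fresh on every exchange even when the PSK never changes."""
    return prf(skeyid, to_bytes(shared) + ni + nr)


def run_exchange(psk_initiator: bytes, psk_responder: bytes):
    """One PSK-authenticated exchange between two parties that may or may not
    hold the same pre-shared key. Returns (authenticated, key_i, key_r)."""
    # Each side picks an ephemeral DH exponent and a nonce.
    x, g_x = dh_keypair()
    y, g_y = dh_keypair()
    ni = secrets.token_bytes(16)
    nr = secrets.token_bytes(16)

    # Each side computes g^xy from its own exponent and the peer's public
    # value. The PSK plays no part here: anyone can complete this step.
    shared_i = pow(g_y, x, P)
    shared_r = pow(g_x, y, P)
    assert shared_i == shared_r

    # Each side derives SKEYID from ITS OWN copy of the pre-shared key.
    skeyid_i = skeyid_psk(psk_initiator, ni, nr)
    skeyid_r = skeyid_psk(psk_responder, ni, nr)

    # Authentication: the initiator sends HASH_I, the responder recomputes it.
    # A peer (or man in the middle) with the wrong PSK finishes DH fine but
    # cannot produce a HASH_I that verifies, which is what defeats the MITM.
    hash_i = auth_hash(skeyid_i, g_x, g_y, ni, nr)
    expected = auth_hash(skeyid_r, g_x, g_y, ni, nr)
    authenticated = hmac.compare_digest(hash_i, expected)

    # Traffic keys: built from the ephemeral DH secret, not from the PSK alone.
    key_i = session_key(skeyid_i, shared_i, ni, nr)
    key_r = session_key(skeyid_r, shared_r, ni, nr)
    return authenticated, key_i, key_r


if __name__ == "__main__":
    psk = b"S00per-S3cret"
    ok, k1, _ = run_exchange(psk, psk)
    _, k2, _ = run_exchange(psk, psk)
    print("authenticated:", ok, "| same PSK, two exchanges, different keys:", k1 != k2)
    bad, _, _ = run_exchange(psk, b"wrong-guess")
    print("wrong PSK authenticates:", bad)
```

Running it twice with the same weak PSK yields two unrelated session keys, because the key material comes from g^xy and the fresh nonces; a party that guessed the PSK wrong still computes a valid g^xy but fails the HASH_I check. What the example does not show is why the authenticator is still weaker than certificates: the PSK must be looked up by the peer's IP address before identities are exchanged, which is the main-mode limitation Ben refers to.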
Current thread:
- Possibility of replay attacks in manually keyed IPsec? Mikael Olsson (Dec 03)
- Re: Possibility of replay attacks in manually keyed IPsec? Mikael Olsson (Dec 05)
- Re: Possibility of replay attacks in manually keyed IPsec? Steve Goldhaber (Dec 05)
- Re: Possibility of replay attacks in manually keyed IPsec? Stefan Norberg (Dec 05)
- Re: Possibility of replay attacks in manually keyed IPsec? Chris Cappuccio (Dec 06)
- Re: Possibility of replay attacks in manually keyed IPsec? Rick Smith (Dec 06)
- Re: Possibility of replay attacks in manually keyed IPsec? Mikael Olsson (Dec 07)
- <Possible follow-ups>
- RE: Possibility of replay attacks in manually keyed IPsec? Ben Nagy (Dec 05)