[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re:

To: Charlie Kaufman <charliek@xxxxxxxxxxxxx>
Subject: Re:
From: Jari Arkko <jari.arkko@xxxxxxxxxxx>
Date: Tue, 02 Dec 2003 16:38:14 +0200
Cc: IPsec WG <ipsec@xxxxxxxxxxxxxxxxx>
In-reply-to: <>
References: <>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007

While non-key-generating EAP methods are explicitly discouraged, it is
likely people will use them and we should make the protection as good as
we can. The AUTH payloads have two purposes in the cryptographic

Right.

exchange: to authenticate the parties and to protect the first two
messages from modification. These functions could have been provided
independently, but they weren't.

The threat here is that a man-in-the-middle could trick IKE peers using
a non-key-generating EAP method to use weaker cryptographic algorithms
than the strongest that they both support. They would both have to be
willing to use the weaker cryptographic algorithms, and if the attacker
can break the weaker algorithms in real time (during the exchange) then
there is no way we can defend against it. So this is clearly a fringe
case. But we've engineered for much more fringe cases than this in the
past.

Indeed.

I can think of a number of ways of fixing this, but yours has the virtue
of minimizing word changes to the spec and lines of code to an
implementation. This is very late in the process to be making
cryptographic changes, but I feel like this one is worth doing.

I agree.

--Jari

References:
- [no subject]
  - From: owner-ipsec

Prev by Date: [no subject]
Next by Date: Re:
Previous by thread: [no subject]
Next by thread: Re: Possible problem in IKEv2?
Index(es):
- Date
- Thread