Re: Another pothole in ISAKMP/Oakley
> From: "David P. Jablon" <dpj@world.std.com>
>
> A problem occurs when a man-in-the-middle forces each DH exponential into
> a small subgroup, by raising each number to the power of q. Both legitimate
> parties will derive the same key K, but it will be confined to one of "t"
> possible values, making it easy for the middleman to guess it.
>
> Alice->Mary: g^Ra Mary->Bob: (g^Ra)^q
> Bob->Mary: g^Rb Mary->Alice: (g^Rb)^q
> K = g^(Ra Rb q q)
>
> Two papers published last year describe these attacks, this one in a paper by
> Wiener and van Oorschot, and a related attack relevant to authenticated
> Diffie-Hellman in a paper of mine. The solution is to have each party make
> sure that the derived key K is in the proper subgroup, or at least not
> confined to a small subgroup.
>
Let me point out that such an attack is possible only against the signature
mode of ISAKMP/Oakley. In the encryption mode this doesn't work since
the DH challenges are sent encrypted by the public key encryption algorithm
(e.g., RSA). This is another example where the encryption mode is more
secure than the signature mode...
Ran Canetti
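The confinement attack quoted above and the subgroup check it recommends, as an added worked example (not code from either poster or from ISAKMP/Oakley). It uses constructed toy parameters p = q*t + 1 with p = 607, q = 101, t = 6: first it shows that Mary's raise-to-q trick leaves K with only t possible values, then it shows the check K^q = 1 mod p, K != 1 rejecting the confined key, and it also shows why that check assumes g was chosen of order q rather than as a generator of all of Z_p^*.

```python
from typing import Set, Tuple

# Toy parameters, constructed for illustration only (far too small for real use).
# p = q*t + 1 with q prime and a small cofactor t, so Z_p^* contains a subgroup
# of order t in which a confined key can take only t values.
P, Q, T = 607, 101, 6
assert P - 1 == Q * T

def find_full_generator() -> int:
    """Smallest generator of all of Z_p^* (p-1 = 2*3*101 here); this is the
    full-group setting in which Mary's raise-to-q trick confines the key."""
    for h in range(2, P):
        if all(pow(h, (P - 1) // r, P) != 1 for r in (2, 3, Q)):
            return h
    raise ValueError("no generator found")

def order_q_generator() -> int:
    """A generator of the order-q subgroup: h^t for a full generator h."""
    return pow(find_full_generator(), T, P)

def run_exchange(g: int, ra: int, rb: int, mitm: bool) -> Tuple[int, int]:
    """Replay the exchange from the thread; with mitm=True Mary forwards
    (g^Ra)^q and (g^Rb)^q instead of g^Ra and g^Rb. Returns (K_alice, K_bob)."""
    a_out, b_out = pow(g, ra, P), pow(g, rb, P)
    if mitm:
        a_out, b_out = pow(a_out, Q, P), pow(b_out, Q, P)
    return pow(b_out, ra, P), pow(a_out, rb, P)

def confined_key_values(g: int) -> Set[int]:
    """Every K an attacked exchange can produce, sweeping Ra over the whole
    exponent range for a few Rb: at most t distinct values."""
    return {run_exchange(g, ra, rb, True)[0]
            for ra in range(1, P - 1) for rb in range(1, 8)}

def is_in_proper_subgroup(k: int) -> bool:
    """The check the thread recommends: K (or a peer's exponential) must lie in
    the order-q subgroup, i.e. K^q = 1 mod p, and must not be the trivial
    element 1 (nor p-1, which has order 2)."""
    return 1 < k < P - 1 and pow(k, Q, P) == 1
```

With the full generator, an honest key does not pass is_in_proper_subgroup either, which is why the check goes together with choosing g of order q.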