Dan,
There are at least two ways that I can think of, to make this more
I think there is some wording missing in the security considerations
I am referring to vulnerabilities to denial of service attacks.
The gateway is required to answer with KE and SIG prior to any knowledge
of who the initiator is. (The SIG cannot be prepared ahead of time.)
An attacker only needs to know the gateway's address to launch an attack
that requires very little effort on his behalf.
We can use these to improve DoS resistance by making the client
first prove that it can receive IP packets and to give the gateway
the public key (and prove possession of the private key) before
the gateway gives KEr or SIG1. Something along the lines below.
    HDR, SAi, Ni
      [, CERTREQ]           --->
                            <---    HDR, SAr, [CERT, ] Nr
    HDR, KEi, PK, SIG0      --->
                            <---    HDR, KEr, SIG1
    HDR*, CHRE              --->
                            <---    HDR*, < SIG2 | CHRE >
    HDR*, < SIG3 | CHRE >   --->
Here SIG0 is something suitable that proves possession of the private
If this is a DoS attack, the source IP address and/or the PK is put to a black
list and denied access in the future. There are several (minor?) disadvantages too.
I'll leave it to the authors if this is worth it or not.
Another matter is that I believe SIG2 could be replaced by a hash. Since
the gateway has already signed KEr, which specifies the encrypting channel,
which is in turn used to transport the hash, this should be secure? This
could also be usable for SIG3 if SIG0 is added as suggested in this mail.
Incidentally, this modified exchange looks somewhat like base mode..
BTW, there's an interesting paper by Pekka Nikander and Tuomas Aura
about stateless connections that makes protocols more resistant to DoS
attacks ( http://www.tcm.hut.fi/~pnr/publications/ICICS-97.ps ). The idea
of my previous DoS secured base mode mails is from here.
Ari Huttunen phone: +358 9 859 900
Senior Software Engineer fax : +358 9 8599 0452
Data Fellows Corporation http://www.DataFellows.com
F-Secure products: Integrated Solutions for Enterprise Security
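
Added example, not part of the original mail: a sketch of the gateway side of the modified exchange, showing the cheap checks that run before KEr and SIG1 are computed. It assumes Nr is a stateless HMAC cookie over the source address and Ni (in the spirit of the cited stateless-connections paper), that message 3 echoes Ni and Nr, and that `verify_sig0` is a hypothetical callback standing in for whatever SIG0 check is chosen.

```python
import hashlib
import hmac
import os


class Gateway:
    """Responder that keeps no per-initiator state until message 3 checks out."""

    def __init__(self, verify_sig0):
        self._secret = os.urandom(32)    # local secret (assumption: rotated periodically)
        self._verify_sig0 = verify_sig0  # hypothetical callback: (pk, sig0, ni, nr) -> bool
        self.blacklist = set()           # source addresses and PKs denied in future
        self.expensive_ops = 0           # counts KEr/SIG1 computations

    def _cookie(self, src_ip, ni):
        # Nr can be recomputed from the packet itself, so nothing is stored.
        msg = src_ip.encode() + b"|" + ni
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def handle_msg1(self, src_ip, ni):
        """HDR, SAi, Ni: reply carries Nr; no state kept, no public-key work."""
        return self._cookie(src_ip, ni)

    def handle_msg3(self, src_ip, ni, nr, pk, sig0):
        """HDR, KEi, PK, SIG0: KEr and SIG1 are produced only after both checks."""
        if src_ip in self.blacklist or pk in self.blacklist:
            return "denied"
        # 1. Only a host that received message 2 at src_ip knows Nr.
        if not hmac.compare_digest(nr, self._cookie(src_ip, ni)):
            return "dropped"
        # 2. Proof of possession of the private key belonging to PK.
        if not self._verify_sig0(pk, sig0, ni, nr):
            self.blacklist.update({src_ip, pk})
            return "blacklisted"
        self.expensive_ops += 1          # stand-in for computing KEr and SIG1
        return "KEr,SIG1"
```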