
[Ipsec] downgrade attacks on IKEv2

Hi all,

I have a question on the negotiation of the IKE_SA in IKEv2:

The SA proposals in the IKE_SA_INIT exchange are not integrity protected, nor are they involved in the generation of the AUTH payload in the IKE_AUTH exchange.

So how can the Responder be sure that the set of proposals that he received from the Initiator is correct, and how can the Initiator be sure that he received the correct crypto suite that has been chosen by the Responder?

Couldn't this be misused for a downgrade attack which allows a man-in-the-middle attacker to force the usage of insecure (or less secure) algorithms for the IKE_SA?

Ali Fessi
Computer Networks and Internet
Wilhelm Schickard Institute for Computer Science
University of Tuebingen, Germany
Phone: +49 7071 29-70576 / Fax: +49 7071 29-5220
EMail: ali.fessi@xxxxxxxxxxxxxxxx
Web: http://net.informatik.uni-tuebingen.de/~fessi/
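The check the question asks about is the AUTH computation itself: in IKEv2 (RFC 7296, section 2.15, and RFC 4306 before it) the initiator's signed octets are RealMessage1 | NonceRData | MACedIDForI, where RealMessage1 is the complete IKE_SA_INIT request including the SA payload, so the responder verifies AUTH over the request as it actually received it. The following Python model is an added example and is not code from the list post or from any IKEv2 implementation. It assumes pre-shared-key authentication, fixes the prf to HMAC-SHA256, collapses the SKEYSEED/SK_pi derivation to a constructed key, and replaces the binary SA payload encoding with a labelled text stand-in; the proposal names, keys and nonces are all constructed values.

```python
import hmac
import hashlib

# Literal pad string from RFC 7296 section 2.15 (shared-key AUTH).
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in for the negotiated prf; fixed to HMAC-SHA256 in this model.
    return hmac.new(key, data, hashlib.sha256).digest()


def initiator_signed_octets(real_message1: bytes, nonce_r: bytes,
                            sk_pi: bytes, rest_of_init_id: bytes) -> bytes:
    """InitiatorSignedOctets = RealMessage1 | NonceRData | MACedIDForI,
    with MACedIDForI = prf(SK_pi, RestOfInitIDPayload)  (RFC 7296 s2.15)."""
    return real_message1 + nonce_r + prf(sk_pi, rest_of_init_id)


def psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets)."""
    return prf(prf(shared_secret, KEY_PAD), signed_octets)


def build_ike_sa_init(proposals, nonce_i: bytes) -> bytes:
    # Constructed textual stand-in for the on-the-wire IKE_SA_INIT request
    # (header, SAi1 payload with the proposal list, and the Ni nonce).
    return b"IKE_SA_INIT|SAi1=" + ",".join(proposals).encode() + b"|Ni=" + nonce_i


def responder_accepts(shared_secret: bytes, sk_pi: bytes, rest_of_init_id: bytes,
                      nonce_r: bytes, message1_as_received: bytes,
                      auth_from_initiator: bytes) -> bool:
    # The responder recomputes AUTH over the request it actually received.
    expected = psk_auth(shared_secret,
                        initiator_signed_octets(message1_as_received, nonce_r,
                                                sk_pi, rest_of_init_id))
    return hmac.compare_digest(expected, auth_from_initiator)


def simulate(tamper: bool) -> bool:
    """Run one initiator/responder AUTH check. If tamper is True, the SA
    proposal list in message 1 is altered in transit; returns whether the
    responder accepts the initiator's AUTH payload."""
    shared_secret = b"constructed-psk"          # constructed
    sk_pi = b"constructed-SK_pi"                # constructed, stands in for derived SK_pi
    rest_of_init_id = b"\x01initiator@example.test"  # constructed IDi payload body
    nonce_i = b"\x11" * 16                      # constructed
    nonce_r = b"\x22" * 16                      # constructed

    offered = ["PROPOSAL-1-strong-suite", "PROPOSAL-2-weak-suite"]  # constructed labels
    sent = build_ike_sa_init(offered, nonce_i)
    # Altered request: only the weaker proposal survives in transit.
    received = build_ike_sa_init(offered[1:], nonce_i) if tamper else sent

    # The initiator signs the message it sent; the responder checks the one it got.
    auth = psk_auth(shared_secret,
                    initiator_signed_octets(sent, nonce_r, sk_pi, rest_of_init_id))
    return responder_accepts(shared_secret, sk_pi, rest_of_init_id,
                             nonce_r, received, auth)


if __name__ == "__main__":
    print("untampered request accepted:", simulate(tamper=False))
    print("altered SA payload accepted:", simulate(tamper=True))
```

Because RealMessage1 enters the signed octets byte for byte, any change to the SA payload in transit changes the octets the responder hashes, and the AUTH check in IKE_AUTH fails; the same construction covers the responder's IKE_SA_INIT reply on the initiator side, which is why the unprotected first exchange is retroactively authenticated rather than left open to the downgrade the post describes.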
