[Ipsec] downgrade attacks on IKEv2
I have a question on the negotiation of the IKE_SA in IKEv2:
The SA proposals in the IKE_SA_INIT exchange are not integrity
protected, nor are they involved in the generation of the AUTH payload
in the IKE_AUTH exchange.
So how can the Responder be sure that the set of proposals that he
received from the Initiator is correct, and how can the Initiator be sure
that he received the correct crypto suite that has been chosen by the Responder?
Couldn't this be misused for a downgrade attack which allows a
man-in-the-middle attacker to force the usage of insecure (or less
secure) algorithms for the IKE_SA?
Computer Networks and Internet
Wilhelm Schickard Institute for Computer Science
University of Tuebingen, Germany
Phone: +49 7071 29-70576 / Fax: +49 7071 29-5220
Ipsec mailing list
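As an added example (not part of the original post and not a reply from the list), the following Python sketch models the AUTH construction that RFC 7296 section 2.15 specifies for shared-key authentication: each peer computes AUTH over the complete IKE_SA_INIT message it sent (from the first SPI in the header to the last octet of the last payload, which includes the SA payload), followed by the peer's nonce and a PRF over its own ID payload, and the peer recomputes the same value over the message it actually received. The message layout, the SK_pi/SK_pr derivation, the proposal strings and the on-path rewrite function are constructed stand-ins for illustration, not real IKEv2 encoding or key derivation; only the PRF (HMAC-SHA-256) and the "Key Pad for IKEv2" string are taken from the RFC.

```python
import hmac
import hashlib

# Simplified model of RFC 7296 section 2.15 (shared-key authentication).
# Message layout and key derivation are deliberately reduced: real IKEv2 uses
# the binary payload format and derives SK_pi/SK_pr from a DH-based SKEYSEED.

KEY_PAD = b"Key Pad for IKEv2"   # literal pad string from RFC 7296 section 2.15


def prf(key, data):
    """PRF_HMAC_SHA2_256, one of the standard IKEv2 PRFs."""
    return hmac.new(key, data, hashlib.sha256).digest()


def sa_init_message(spi, proposals, nonce):
    """Constructed stand-in for an IKE_SA_INIT message: SPI | SA payload | nonce."""
    sa_payload = b"SA=" + ",".join(proposals).encode()
    return spi + b"|" + sa_payload + b"|N=" + nonce


def auth_payload(psk, sk_p, own_init_msg, peer_nonce, id_payload):
    """AUTH = prf(prf(PSK, KEY_PAD), SignedOctets).

    SignedOctets = <sender's own IKE_SA_INIT message> | <peer nonce> | prf(SK_p, ID),
    i.e. the whole first (or second) message, SA payload included, is bound
    into the authenticator.
    """
    maced_id = prf(sk_p, id_payload)
    signed_octets = own_init_msg + peer_nonce + maced_id
    return prf(prf(psk, KEY_PAD), signed_octets)


def handshake(psk, on_path_rewrite=None):
    """Run the IKE_SA_INIT pair plus AUTH verification on both sides.

    on_path_rewrite, if given, maps the initiator's IKE_SA_INIT request to the
    version the responder receives (models an on-path modification of the
    unprotected first message). Returns the proposal the responder selected and
    whether each peer's AUTH check passes.
    """
    spi_i, spi_r = b"SPIi0001", b"SPIr0001"                 # constructed SPIs
    ni, nr = b"nonce-initiator-0123", b"nonce-responder-4567"  # constructed nonces
    id_i, id_r = b"ID=initiator@example", b"ID=responder@example"
    proposals = ["AES-GCM-16-256/PRF-HMAC-SHA2-256/DH-19",   # constructed list,
                 "3DES/HMAC-SHA1-96/PRF-HMAC-SHA1/DH-2"]       # strongest first

    # Message 1 as sent by the initiator and as received by the responder.
    msg1_sent = sa_init_message(spi_i, proposals, ni)
    msg1_rcvd = on_path_rewrite(msg1_sent) if on_path_rewrite else msg1_sent

    # Responder parses the SA payload it received and accepts the first offer.
    offered = msg1_rcvd.split(b"|")[1][3:].decode().split(",")
    chosen = offered[0]
    msg2 = sa_init_message(spi_r, [chosen], nr)

    # Simplified key derivation (real IKEv2: from SKEYSEED, see RFC 7296 2.14).
    sk_pi = prf(psk, b"SK_pi" + ni + nr)
    sk_pr = prf(psk, b"SK_pr" + ni + nr)

    # Each side signs the IKE_SA_INIT message *it* sent ...
    auth_i = auth_payload(psk, sk_pi, msg1_sent, nr, id_i)
    auth_r = auth_payload(psk, sk_pr, msg2, ni, id_r)
    # ... and the peer recomputes AUTH over the message it *received*.
    expected_auth_i = auth_payload(psk, sk_pi, msg1_rcvd, nr, id_i)
    expected_auth_r = auth_payload(psk, sk_pr, msg2, ni, id_r)

    return {
        "chosen": chosen,
        "responder_verifies_initiator": hmac.compare_digest(auth_i, expected_auth_i),
        "initiator_verifies_responder": hmac.compare_digest(auth_r, expected_auth_r),
    }


def drop_first_proposal(msg):
    """Constructed on-path rewrite: remove the first (strongest) proposal from
    the SA payload so the responder only sees the weaker offer."""
    spi, sa, nonce = msg.split(b"|")
    kept = sa[3:].split(b",")[1:]
    return spi + b"|SA=" + b",".join(kept) + b"|" + nonce


if __name__ == "__main__":
    print("untouched:", handshake(b"constructed-psk"))
    print("rewritten:", handshake(b"constructed-psk", drop_first_proposal))
```

In the untouched run the responder selects the first proposal and both AUTH checks succeed. In the rewritten run the responder does select the weaker proposal, but its recomputation of the initiator's AUTH runs over the modified message while the initiator signed the original, so the check fails and the IKE_SA is never established (a real responder returns AUTHENTICATION_FAILED at this point). The binding works the same way for the responder's IKE_SA_INIT reply, which is why the modelled verification is done in both directions.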