Re: Secure legacy authentication for IKEv2

Bernard,

I don't believe so because the server is fully authenticated by the
client before the client needs to begin speaking the legacy
authentication protocol and there's no way that a client can be induced
to begin the legacy authentication without first authenticating the
server. If the server authentication fails after message two, the
client MUST immediately terminate the IKE exchange. (The client is
presumed to be configured either with a set of trusted public keys or
with a set of trusted root certificates.) You can't run just half of
the exchange.

For the binding attack (as I understand it) to be viable, an active
attacker would have to bring up the SLA IKE tunnel through message two
and then somehow induce someone to speak one of the legacy
authentication methods to it. But for that to happen, the attacker
would have to complete the first two messages with the intended victim
and in doing so, the client would learn that the attacker wasn't
trusted. (We were not concerned with trusted gateways impersonating
each other.)

So please say more...

Derrell

On Friday, December 20, 2002, at 03:48 PM, Bernard Aboba wrote:
> Isn't the current version of SLA vulnerable to the same attack? I
> don't see anywhere in the spec where a "binding" is carried out. In
> fact, this would not be possible with the methods you're supporting,
> because none of them generate keys.