Bugtraq mailing list archives
Re: SonicWall IKE pre-shared key length bug and security concern
From: Ben Nagy <ben.nagy () MARCONI COM AU>
Date: Wed, 28 Mar 2001 17:24:47 +0930
-----Original Message-----
From: Steven Griffin [mailto:sgriffin () BAYSTARCAPITAL COM]
Sent: Wednesday, March 28, 2001 6:34 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: SonicWall IKE pre-shared key length bug and security concern

I have recently found a bug in the latest firmware (6.0.0.0) of SonicWall's Tele2 and SOHO firewalls.

Product details:
http://www.sonicwall.com/products/tele/details.html
http://www.sonicwall.com/products/soho/details.html

Bug discovery: I was recently configuring the Tele2 and SOHO versions of these firewalls[...] During my configuration setup I noticed that I could not configure an IKE pre-shared key longer than 48 bytes. [...]
[...]
Security concern: Obviously the limitation of using only a 48 byte key as opposed to using a full 128 byte key degrades the overall security of the firewall.
The "pre-shared key" here is only used for authentication, and never used to encrypt data. It _does_ play a small part in the IKE keying material, but it's deeply unclear as to whether even very VERY weak pre-shared keys materially affect the entropy in the resultant keying material. In plain terms: 3DES is actually a 168-bit key. The "shared key" entered when configuring ISAKMP has nothing to do with this key. In any case, 48 bytes is (usually) 384 bits. The only risk to having a weak "shared key" is an authentication attack, however a random typeable "key" of even 20-30 characters should have "enough" entropy for most applications. 48 _bytes_ of pre-shared key is massive. I don't think an implementation that chooses to cap the shared secret at 48 characters can be considered "buggy". I'm surprised that Sonicwall acknowledged it as such, and even more surprised that they're rushing a fix.
Workarounds: Do not use pre-shared keys. Use certificates, your own or from a third party CA, instead.
Good idea. However we're talking about strong authentication here, not strong encryption.
If you must use pre-shared keys: Use only static gateway addresses if possible. Use a different key for each gateway. Turn on Perfect Forward Secrecy. Set your key expiration time to a shorter interval.
All good advice. One more thing - if you're using 3DES for your encryption algorithm for IKE then you should probably not be using DH group 1, as in your config. I'd personally use Group 2, but Elliptic Curve fans may differ. [...]
Disclaimer and closing: I must say that I am not a security expert and I do not claim to be one. My opinions are my own. Use my opinions and the information in this posting at your own risk. My intention for posting this information is to inform the BugTraq community about a possible security concern.

Steven Griffin
sgriffin () baystarcapital com
This doesn't appear to be a bug. It's an implementation choice (and not even a bad one, IMO). 3DES provides about 112 "bits worth" of security. 48 bytes of pre-shared key provides much more than 112 "bits worth" of entropy with a well-chosen key so it's not a weak link.

Regards,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304
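
Added example, not part of either post and not SonicWall's code: a Python sketch of the RFC 2409 pre-shared-key derivation, assuming HMAC-SHA1 as the prf and constructed nonces, cookies and Diffie-Hellman values. It shows where the pre-shared key enters the IKE keying material, and that HMAC folds any key longer than its 64-byte block down to a 20-byte digest.

```python
import hashlib
import hmac
import math

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: SHA-1 is the negotiated hash, so the prf is HMAC-SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()

def ike_psk_keys(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5 derivation for pre-shared key authentication."""
    skeyid = prf(psk, ni + nr)  # the only step that takes the PSK
    tail = g_xy + cky_i + cky_r  # DH shared secret and both cookies
    skeyid_d = prf(skeyid, tail + b"\x00")  # seeds later IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")  # IKE message integrity
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")  # IKE message encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def typeable_entropy_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a uniformly random key drawn from 94 printable ASCII chars."""
    return length * math.log2(alphabet_size)

def demo() -> dict:
    # Constructed sample values, not captured traffic.
    ni, nr = b"\x11" * 16, b"\x22" * 16
    cky_i, cky_r = b"\xaa" * 8, b"\xbb" * 8
    dh_one, dh_two = b"\x01" * 128, b"\x02" * 128  # 1024-bit (Group 2) sized
    psk48, psk128 = b"K" * 48, b"K" * 128
    run1 = ike_psk_keys(psk48, ni, nr, dh_one, cky_i, cky_r)
    run2 = ike_psk_keys(psk48, ni, nr, dh_two, cky_i, cky_r)
    # HMAC replaces any key longer than its 64-byte block with the hash of the key.
    folded = hashlib.sha1(psk128).digest()
    return {
        "same_psk_same_skeyid": run1["SKEYID"] == run2["SKEYID"],
        "dh_changes_skeyid_e": run1["SKEYID_e"] != run2["SKEYID_e"],
        "psk128_acts_as_20_bytes": prf(psk128, ni + nr) == prf(folded, ni + nr),
        "bits_20_chars": round(typeable_entropy_bits(20), 1),
        "bits_48_chars": round(typeable_entropy_bits(48), 1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```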