Firewall Wizards mailing list archives

Re: Possibility of replay attacks in manually keyed IPsec?


From: Steve Goldhaber <goldy () compatible com>
Date: Fri, 3 Dec 1999 14:31:37 -0700 (MST)

I think that the answer is no if your IPSec implementation has
replay-prevention (which it should). First, a bit of background:

IKE is designed to always produce unique keys. Keys generated by an IKE
negotiation should be strongly random because that is the way IKE is
designed. The strength (randomness) of the keys is *not* dependent on the
authentication mechanism (shared keys vs. certificates). Every IKE
negotiation (or IPSec rekey negotiation) should produce completely new
keys.

I suspect that this is what you want to know; however, a replay attack is
a slightly different animal in the IPSec world. The idea is that I may be
able to cause havoc on your system by saving old packets and
retransmitting them at a later time. IPSec has a provision to avoid this
by not allowing previously seen packets into the system.

Now, there are many flaws which could compromise the security described
above. I will list a few that fall into the "implementation flaw"
category.

1) No replay prevention in the IPSec implementation.
2) Lousy random-number generation in the IKE implementation.
3) Failure to follow *all* the IKE rules in terms of generating fresh
information for each negotiation (e.g., cookies, nonces, DH private keys).

Steve Goldhaber                 goldy () compatible com
Compatible Systems Corp.        (303) 444-9532
http://www.compatible.com
--------------------------------------------------------
On Fri, 3 Dec 1999, Mikael Olsson wrote:

Date: Fri, 03 Dec 1999 08:53:48 +0100
From: Mikael Olsson <mikael.olsson () enternet se>
To: firewall-wizards () nfr net
Subject: Possibility of replay attacks in manually keyed IPsec?


Hello,

Quick question. I'm getting conflicting answers from different 
people, so I decided I'd hand it over to you guys:

Is IPsec vulnerable to replay attacks when IKE is configured
to use pre-shared keys, rather than basing the SA negotiation 
on certificates?

I'd imagine that if IPsec itself uses fixed encryption keys,
it would be vulnerable to replay attacks, but this is not
the case. Here, we only handle fixed keys to IKE, so the
fixed keys only get used in the SA negotiation.

(If there is a vulnerability, is this a flaw in the algorithm, 
or just in someone's implementation of it?)

Thanks in advance,
/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se



