[Cryptography] best practices considered bad term
Paul Wouters
paul at cypherpunks.ca
Sun Feb 1 21:11:35 EST 2015
On Sun, 1 Feb 2015, Watson Ladd wrote:
> The NSA is exploiting IKE v1 Aggressive mode with PSK.
Actually, we might think they can, but we have no proof as
far as I know. If you know more, I would be very interested.
We know that they take copies of all IKE traffic for their backend
processing and we know that they have an API that you can ask for
PSKs for a certain IKE peer. We don't know how they would have gained
those PSKs. I can think of three things:
1) They obtain(ed) the PSK via router compromise (so nothing to do with IKE,
or aggressive mode or PSK specifically)
2) Peers might use modp768 which is too weak (possibly modp1024 being
weak too, but that would cost a lot for a very low return - better
to attack long term 1024 bit keys instead of ephemeral DH sessions
that last between 1-8 hours)
3) They observed the unencrypted ID of Aggressive Mode, and ran a
brute force on the PSK against one or both peers. This would be pretty
visible in the logs of both peers if the PSK is not "test" or "secret".
Note that for 3) you could do MITM against IKEv2 or IKEv1 Main Mode as
well to obtain the ID - your IKE session will fail but you'll get some
ID out of it when it is presented to you. Possibly also a sha1 of the CA
DN. So this is also not _really_ Aggressive Mode specific _unless_ the
attacker does not want to perform an active attack.
1) and 2) also have nothing to do specifically with the IKE version or
Aggressive Mode (other than that IKEv2 would surely not allow modp768)
Paul
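As an added illustration of the defender-side point in the post above (not code from Paul or from any IKE implementation): point 3) relies on online PSK guessing being noisy in the peers' logs, and point 2) on the DH group in use. The script below parses a constructed, simplified log format (an assumption for the example; it is not the real libreswan or strongSwan syntax), counts failed authentications per source and peer ID, and separately lists peers negotiating modp768 or modp1024 or still using Aggressive Mode. The threshold of five failures is likewise an arbitrary choice for the example.

```python
import re
from collections import Counter

# Constructed sample log in a hypothetical, simplified IKE daemon format.
# This is NOT the real libreswan/strongSwan log syntax; it only carries the
# fields the checks below need (mode, source, peer ID, DH group, result).
SAMPLE_LOG = """\
2015-02-01T20:58:01 ike: aggressive mode from 203.0.113.7 id=vpn-gw1 dh=modp768 result=AUTH_FAILED
2015-02-01T20:58:02 ike: aggressive mode from 203.0.113.7 id=vpn-gw1 dh=modp768 result=AUTH_FAILED
2015-02-01T20:58:03 ike: aggressive mode from 203.0.113.7 id=vpn-gw1 dh=modp768 result=AUTH_FAILED
2015-02-01T20:58:04 ike: aggressive mode from 203.0.113.7 id=vpn-gw1 dh=modp768 result=AUTH_FAILED
2015-02-01T20:58:05 ike: aggressive mode from 203.0.113.7 id=vpn-gw1 dh=modp768 result=AUTH_FAILED
2015-02-01T20:58:06 ike: aggressive mode from 203.0.113.7 id=vpn-gw1 dh=modp768 result=AUTH_FAILED
2015-02-01T21:00:10 ike: main mode from 198.51.100.5 id=branch2 dh=modp2048 result=AUTH_FAILED
2015-02-01T21:00:41 ike: main mode from 198.51.100.5 id=branch2 dh=modp2048 result=ESTABLISHED
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ike: (?P<mode>aggressive|main) mode from (?P<src>\S+) "
    r"id=(?P<peer_id>\S+) dh=(?P<dh>\S+) result=(?P<result>\S+)$"
)

# modp768 is too weak; modp1024 is treated as weak here as a precaution,
# following the "possibly weak too" remark in the post.
WEAK_DH_GROUPS = {"modp768", "modp1024"}


def parse_ike_log(text):
    """Return one dict per line that matches the hypothetical format; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_auth_counts(events):
    """Count AUTH_FAILED results per (source address, claimed peer ID)."""
    counts = Counter()
    for e in events:
        if e["result"] == "AUTH_FAILED":
            counts[(e["src"], e["peer_id"])] += 1
    return counts


def suspected_psk_guessing(events, threshold=5):
    """Peers whose repeated authentication failures exceed the (arbitrary) threshold.

    A single failure (a mistyped PSK on a real branch office) stays below it;
    a steady stream of failures from one source is the noisy pattern the post
    says would be "pretty visible in the logs".
    """
    return sorted(peer for peer, n in failed_auth_counts(events).items() if n >= threshold)


def weak_dh_peers(events):
    """Peers negotiating a DH group from WEAK_DH_GROUPS (point 2 in the post)."""
    return sorted({(e["src"], e["peer_id"], e["dh"]) for e in events if e["dh"] in WEAK_DH_GROUPS})


def aggressive_mode_peers(events):
    """Peers still using IKEv1 Aggressive Mode, whose ID travels unencrypted."""
    return sorted({(e["src"], e["peer_id"]) for e in events if e["mode"] == "aggressive"})


if __name__ == "__main__":
    ev = parse_ike_log(SAMPLE_LOG)
    print("parsed events:", len(ev))
    print("suspected PSK guessing:", suspected_psk_guessing(ev))
    print("weak DH groups in use:", weak_dh_peers(ev))
    print("aggressive mode peers:", aggressive_mode_peers(ev))
```

On the constructed sample the script reports the single source that fails six times in a row and is also the only one using modp768 and Aggressive Mode, while the branch office with one failed attempt followed by an established SA is left alone. Adapting it to a real deployment means replacing LINE_RE with a pattern for the daemon's actual log lines.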