SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: FCIP and iFCP Keying Problem



    Filling in a couple of missing pieces here:
    
    - See Section 4.4 of draft-aboba-ips-iscsi-security-00.txt
    	for more details on the man-in-the-middle vulnerability.
    	That vulnerability is based on the use of group pre-shared
    	keys.  
    - My strong language below is based in part on an 
    	assumption that banning group pre-shared keys is
    	unworkable in practice.  Key management is a pain,
    	and use of group pre-shared keys simplifies it, even
    	though it has some security costs.
    
    Questioning the latter assumption is reasonable, but I'll
    point out that group pre-shared (vs. per session pre-shared)
    keys are a fact of life in current IPsec deployment/management,
    and even turn up in the absence of dynamic IP address
    assignment.  The reason the text in my previous message
    just said "pre-shared keys" rather than "group pre-shared keys"
    is that there may be no way for a participant in an IKE
    session to know whether the pre-shared key was shared only
    among the two endpoints of the session or with other parties.
    
    Thanks,
    --David
    
    > -----Original Message-----
    > From: Black_David@emc.com [mailto:Black_David@emc.com]
    > Sent: Friday, September 07, 2001 4:34 PM
    > To: ips@ece.cmu.edu
    > Subject: FCIP and iFCP Keying Problem
    > Importance: High
    > 
    > 
    > Both FCIP and iFCP intend to require:
    > 
    > 	- IKE with pre-shared keys MUST implement
    > 	- IKE with public-key based keys MAY implement
    > 	- IKE Main Mode MUST implement
    > 	- IKE Aggressive Mode MAY implement
    > 
    > That's not acceptable because the result of combining
    > the two mandatory (MUST) mechanisms is vulnerable to a
    > man-in-the-middle attack.
    > 
    > If IKE with pre-shared keys is "MUST implement" (which
    > makes sense, as it's the simplest IKE authentication
    > mechanism), then:
    > 	- IKE Aggressive Mode needs to be "MUST implement"
    > 	- Use of IKE Main Mode with pre-shared keys needs
    > 		to be "SHOULD NOT use" or "MUST NOT use".
    > Alternatively, if IKE Aggressive Mode remains "MAY implement",
    > then:
    > 	- IKE with signature authentication based on public
    > 		keys needs to be "MUST implement" along with
    > 		some certificate usage guidelines.
    > 	- Pre-Shared keys needs to be "MAY implement" (can't
    > 		be any stronger than the requirement for
    > 		IKE Aggressive Mode).
    > 	- Use of IKE Main Mode with pre-shared keys needs
    > 		to be "SHOULD not use" or "MUST not use".
    > 
    > Changing IKE to remove the Main Mode vulnerability
    > with pre-shared keys is not a viable approach.
    > 
    > Sorry,
    > --David
    > 
    > ---------------------------------------------------
    > David L. Black, Senior Technologist
    > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    > black_david@emc.com       Mobile: +1 (978) 394-7754
    > ---------------------------------------------------
    > 
    


Home

Last updated: Fri Sep 07 19:17:10 2001
6452 messages in chronological order