RE: FCIP and iFCP Keying Problem

David,

Could you please give us a short tutorial or reference explaining this
weakness for us beginners in security?

Many thanks,

Bob Snively

> That's not acceptable because the result of combining
> the two mandatory (MUST) mechanisms is vulnerable to a
> man-in-the-middle attack.

-----
Message-ID: <277DD60FB639D511AC0400B0D068B71ECAD71A@CORPMX14>
From: Black_David@emc.com
To: ips@ece.cmu.edu
Subject: FCIP and iFCP Keying Problem
Date: Fri, 7 Sep 2001 13:33:58 -0700
Importance: high
X-Priority: 1
X-Mailer: Internet Mail Service (5.5.2653.19)

Both FCIP and iFCP intend to require:
- IKE with pre-shared keys MUST implement
- IKE with public-key based keys MAY implement
- IKE Main Mode MUST implement
- IKE Aggressive Mode MAY implement

That's not acceptable because the result of combining
the two mandatory (MUST) mechanisms is vulnerable to a
man-in-the-middle attack.

If IKE with pre-shared keys is "MUST implement" (which
makes sense, as it's the simplest IKE authentication
mechanism), then:
- IKE Aggressive Mode needs to be "MUST implement"
- Use of IKE Main Mode with pre-shared keys needs to be
  "SHOULD NOT use" or "MUST NOT use".

Alternatively, if IKE Aggressive Mode remains "MAY implement", then:
- IKE with signature authentication based on public keys
  needs to be "MUST implement" along with some certificate
  usage guidelines.
- Pre-shared keys need to be "MAY implement" (can't be any
  stronger than the requirement for IKE Aggressive Mode).
- Use of IKE Main Mode with pre-shared keys needs to be
  "SHOULD NOT use" or "MUST NOT use".

Changing IKE to remove the Main Mode vulnerability with
pre-shared keys is not a viable approach.

Sorry,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140   FAX: +1 (508) 497-8500
black_david@emc.com   Mobile: +1 (978) 394-7754
---------------------------------------------------
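The mechanism behind the Main Mode / pre-shared-key limitation that the message above objects to, as a toy model added here (it is not code from the ips thread or from the FCIP/iFCP drafts): in IKEv1 Main Mode the identity payloads only arrive in messages 5 and 6, already encrypted under keys derived from SKEYID = prf(PSK, Ni_b | Nr_b), so a responder has to pick the pre-shared key using nothing but the initiator's IP address (RFC 2409, section 5.4). With fixed addresses that works. With dynamic addresses every peer ends up configured with one group key for "any address", and whoever else holds that key can complete the authentication toward both ends of a connection. The peer names, addresses, key strings and the 127-bit Diffie-Hellman modulus are all made up for the example, and the message 5/6 encryption itself is left out since it does not change which key gets selected.

```python
"""Toy model of IKEv1 Phase 1 Main Mode with pre-shared-key authentication
(RFC 2409 section 5.4).  Added example; not code from the ips thread.
The prf is HMAC-SHA1; the DH group is a 127-bit toy, NOT an IKE group."""
import hashlib
import hmac
import secrets

P = 2**127 - 1      # toy modulus (assumption; real groups are in RFC 2409/3526)
G = 2
ANY = "*"           # a responder that holds one key for "any peer address"

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: keyed hash of the negotiated hash function (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """Pre-shared-key method: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

class Peer:
    """A Main Mode peer.  Keys are indexed by the other side's IP address,
    because that is all a Main Mode responder knows when it must pick one."""
    def __init__(self, ident: str, addr: str, psk_by_addr: dict):
        self.ident, self.addr, self.psk_by_addr = ident, addr, psk_by_addr

    def psk_for(self, peer_addr: str):
        return self.psk_by_addr.get(peer_addr, self.psk_by_addr.get(ANY))

def main_mode(init: Peer, resp: Peer):
    """Messages 1-6.  Returns (initiator_accepts, responder_accepts,
    SKEYID as computed by the initiator)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sai_b = b"ENCR=3DES,HASH=SHA1,AUTH=PSK,GROUP=toy"     # msgs 1-2: SA proposal
    xi, xr = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    gxi = pow(G, xi, P).to_bytes(16, "big")                # msgs 3-4: KE + Nonce
    gxr = pow(G, xr, P).to_bytes(16, "big")
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    # Messages 5-6 (ID, HASH) are encrypted with keys derived from SKEYID, so
    # the PSK must be chosen now, before either side has seen an identity.
    k_i, k_r = init.psk_for(resp.addr), resp.psk_for(init.addr)
    if k_i is None or k_r is None:
        return False, False, None                          # no key for that address
    sk_i, sk_r = skeyid_psk(k_i, ni_b, nr_b), skeyid_psk(k_r, ni_b, nr_b)
    idii_b, idir_b = init.ident.encode(), resp.ident.encode()
    h_i = hash_i(sk_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)   # sent in msg 5
    h_r = hash_r(sk_r, gxi, gxr, cky_i, cky_r, sai_b, idir_b)   # sent in msg 6
    resp_ok = hmac.compare_digest(h_i, hash_i(sk_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b))
    init_ok = hmac.compare_digest(h_r, hash_r(sk_i, gxi, gxr, cky_i, cky_r, sai_b, idir_b))
    return init_ok, resp_ok, sk_i

def static_addresses_authenticate() -> bool:
    """Per-peer keys indexed by fixed addresses: Main Mode + PSK works."""
    k_ab = b"alice-bob-secret"
    alice = Peer("alice", "10.0.0.1", {"10.0.0.2": k_ab})
    bob = Peer("bob", "10.0.0.2", {"10.0.0.1": k_ab})
    i_ok, r_ok, _ = main_mode(alice, bob)
    return i_ok and r_ok

def outsider_rejected_with_static_keys() -> bool:
    """An initiator from an address with no key, or holding the wrong key, fails
    even though it claims Alice's identity (the claim is never used for lookup)."""
    bob = Peer("bob", "10.0.0.2", {"10.0.0.1": b"alice-bob-secret"})
    stranger = Peer("alice", "203.0.113.9", {"10.0.0.2": b"guess"})
    liar = Peer("alice", "10.0.0.1", {"10.0.0.2": b"guess"})
    return (main_mode(stranger, bob) == (False, False, None)
            and main_mode(liar, bob)[:2] == (False, False))

def group_key_lets_holder_sit_in_the_middle() -> bool:
    """Dynamic addresses force a single ANY key.  Mallory, who also holds it,
    completes Main Mode toward Alice as 'bob' and toward Bob as 'alice', and
    ends up with both SKEYIDs while both ends believe they authenticated."""
    group = b"site-wide-group-secret"
    alice = Peer("alice", "198.51.100.7", {ANY: group})
    bob = Peer("bob", "192.0.2.1", {ANY: group})
    mallory = Peer("bob", "203.0.113.9", {ANY: group})
    a_ok, _, sk_alice_side = main_mode(alice, mallory)   # leg 1: Mallory answers Alice
    mallory.ident = "alice"
    _, b_ok, sk_bob_side = main_mode(mallory, bob)        # leg 2: Mallory initiates to Bob
    return a_ok and b_ok and sk_alice_side != sk_bob_side
```

Run the three scenario functions in order: static per-address keys authenticate and reject outsiders, but the group-key case shows that nothing in Main Mode ties the key to the identity the peer claims. Aggressive Mode carries the ID payload in its first message, which is why a responder can select a per-identity pre-shared key there, and signature authentication avoids the address-keyed lookup altogether; both correspond to the two alternatives the message lays out.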
Last updated: Sat Sep 08 19:17:11 2001