As per Nicolas Williams -->
The key is that eavesdroppers cannot easily compute g^ir (mod p). The initiator computes g^ir = (g^r)^i mod p, while the responder computes g^ir = (g^i)^r mod p. The initiator knows i and the responder knows r. The attacker doesn't know i, nor r, because those are not sent. The attacker cannot easily compute them from g^i mod p nor g^r mod p. Nor can the attacker easily compute g^ir mod p from g^i and g^r mod p. The relevant number theory topic is known as the "Computational Diffie-Hellman Problem" (and the related Decisional Diffie-Hellman Problem).

Syed Ajim -->

An attacker can know who is the initiator and who is the responder from the first IKE_SA_INIT message, by checking that the responder cookie is zero.

- The initiator will send g^i in the KE payload, with the DH group number, in the IKE_SA_INIT message.
- The responder will send g^r in the KE payload, with the DH group number, in the IKE_SA_INIT message.

So, in SKEYSEED = prf(Ni | Nr, g^ir), nothing is secret if some attacker can capture the IKE packets. So he can derive the key also.

With Regards,
Syed Ajim

****************************************************************************
This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!
****************************************************************************

-----Original Message-----
From: Nicolas Williams [mailto:nicolas.willi...@oracle.com]
Sent: Monday, November 22, 2010 11:45 AM
To: Syed Ajim Hussain
Subject: Re: [IPsec] Generating Keying Material for the IKE_SA (IKEv2)

On Mon, Nov 22, 2010 at 11:25:26AM +0530, Syed Ajim Hussain wrote:
> If an attacker using some tools captures all the IKE packets from the network,
> he can easily generate the keys. Although the attacker cannot establish an
> SA without proper configuration information, he can still easily get
> the keys, and he will be able to decrypt all the IKE-encrypted and
> IPsec-encrypted packets.
>
> Don't you think this is a big security risk? In IKEv1 pre-shared key
> auth, the PSK was taken as part of the key calculation, which is a secret
> used to generate the key and provides some level of security.
>
> IKE key generation process:
>
> SKEYSEED = prf(Ni | Nr, g^ir)
                            ^^^^

The key is that eavesdroppers cannot easily compute g^ir (mod p). The initiator computes g^ir = (g^r)^i mod p, while the responder computes g^ir = (g^i)^r mod p. The initiator knows i and the responder knows r. The attacker doesn't know i, nor r, because those are not sent. The attacker cannot easily compute them from g^i mod p nor g^r mod p. Nor can the attacker easily compute g^ir mod p from g^i and g^r mod p. The relevant number theory topic is known as the "Computational Diffie-Hellman Problem" (and the related Decisional Diffie-Hellman Problem).

Nico
--
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
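The exchange Nico describes, as an added example that is not part of the thread: each side raises the peer's KE value to its own private exponent, both arrive at the same g^ir, and only Ni, Nr, g^i and g^r ever appear on the wire. The prf is assumed to be HMAC-SHA-256 and the group is a constructed toy (p = 23, g = 5), so it illustrates the structure, not the security margin of a real MODP group.

```python
import hashlib
import hmac
import secrets

# CONSTRUCTED toy group for illustration only. Real IKEv2 MODP groups
# (RFC 3526) use primes of 2048 bits or more; with p = 23 the discrete
# log is trivial, so this group must never be used in practice.
P = 23
G = 5


def dh_keypair(p=P, g=G):
    """Pick a private exponent x and return (x, g^x mod p).
    x stays local; only g^x mod p goes into the KE payload."""
    x = secrets.randbelow(p - 2) + 1  # private exponent in [1, p-2]
    return x, pow(g, x, p)


def dh_shared(peer_public, private, p=P):
    """(g^y)^x mod p: computed from the peer's KE value and our own exponent."""
    return pow(peer_public, private, p)


def skeyseed(ni, nr, g_ir, p=P):
    """SKEYSEED = prf(Ni | Nr, g^ir), with prf assumed to be HMAC-SHA-256.
    g^ir is encoded as a fixed-width big-endian integer the size of p."""
    width = (p.bit_length() + 7) // 8
    return hmac.new(ni + nr, g_ir.to_bytes(width, "big"), hashlib.sha256).digest()


def ike_sa_init(p=P, g=G):
    """Run the IKE_SA_INIT key derivation for both peers.
    Returns (initiator SKEYSEED, responder SKEYSEED, wire transcript)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # nonces, sent in clear
    i, g_i = dh_keypair(p, g)  # initiator keeps i, sends g^i in KE payload
    r, g_r = dh_keypair(p, g)  # responder keeps r, sends g^r in KE payload
    seed_i = skeyseed(ni, nr, dh_shared(g_r, i, p), p)  # (g^r)^i
    seed_r = skeyseed(ni, nr, dh_shared(g_i, r, p), p)  # (g^i)^r
    # Everything an eavesdropper captures: i and r are never transmitted.
    wire = {"Ni": ni, "Nr": nr, "KEi": g_i, "KEr": g_r}
    return seed_i, seed_r, wire


if __name__ == "__main__":
    seed_i, seed_r, wire = ike_sa_init()
    print("peers agree:", seed_i == seed_r, "| on the wire:", sorted(wire))
```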