[19021] in cryptography@c2.net mail archive


Re: "ISAKMP" flaws?

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Wed Nov 30 10:23:33 2005

X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: kivinen@iki.fi, pgut001@cs.auckland.ac.nz
Cc: cryptography@metzdowd.com, paul.hoffman@vpnc.org,
	smb@cs.columbia.edu
In-Reply-To: <17281.36888.186857.54507@fireball.kivinen.iki.fi>
Date: Tue, 22 Nov 2005 01:13:23 +1300

Tero Kivinen <kivinen@iki.fi> writes:

>If I understood correctly the tools they used now did generate specific
>hand-crafted packets having all kinds of weird error cases. When testing with
>the crypto protocols the problem is that you also need to do the actual
>crypto, key exchange etc to be able to test things after the first packet.

The two that I'm aware of (the X.509 cert data generator that found ASN.1
parser faults and the SSH hello-packet generator) both just created vaguely
correct-looking PDUs that contained garbage data, so that a simple firewall
check would reject 99% of the packets before they even got to the real
processing.  The SSH generator only sent the first packet, so it never got
past the first step of the SSH handshake.  I'm not sure what the ISAKMP data
generator did.

Peter.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
