[19446] in bugtraq
Nortel Networks response to Contivity Extranet switch security co
daemon@ATHENA.MIT.EDU (David Passamonte)
Wed Feb 28 22:39:24 2001
Message-ID: <F1ADFDB1C850D311BCE20008C79162A605F76EF0@zbl6c004.corpeast.baynetworks.com>
Date: Wed, 28 Feb 2001 13:44:53 -0800
Reply-To: David Passamonte <dpassamo@NORTELNETWORKS.COM>
From: David Passamonte <dpassamo@NORTELNETWORKS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Bugtraq #
<8CB7F81A5D17D31197A60008C7EBE37103341C9B@helsrv01.vaisala.com>
Date Submitted: on Feb 26 2001 10:21:51
This note addresses security concerns raised around the use of
single DES(1DES) in IKE Phase 1 exchanges.
Response to: Nortel CES (3DES version) offers false sense of
security when using IPSec.
Point 1: The Nortel Networks Contivity Extranet switch provides
IPSec Triple DES (3DES) data encryption using IKE main mode and IKE
aggressive mode key exchange in accordance with IETF RFC 2409.
Point 2: The Phase 1 established ISAKMP SA key material is obtained
from the Phase 1 D-H key exchange. Any encrypted IKE messages exchanged over
the ISAKMP SA will use this key. i.e. phase 2 messages. Cracking the Phase 1
key does NOT expose phase 2 encrypted data.
Point 3: Phase 2 key material, which is obtained using the Phase I
SA, is also obtained from a D-H key exchange if Perfect Forward Secrecy(PFS)
is enabled. PFS is enabled by default for all versions of the Contivity
Extranet Switch.
Point 4: Phase 1 D-H group 2 support with 3DES is available in
V03_50.44. Nortel Networks recommends upgrading to this version of software
if there are concerns surrounding this issue.
As stated above, all versions of Contivity software have Perfect
Forward Secrecy (PFS) enabled by default. For situations where D-H group
1/DES IKE phase 1 exchanges are not deemed adequate the Nortel Networks
default value with PFS should be used in conjunction with frequent
re-keying. PFS initiates an IKE phase 2 QM exchange and performs a new D-H
exchange under the protection of an existing IKE SA to derive new keying
material independent of the original keying material generated in IKE phase
1.
At no time does the use of D-H group 1/DES imply that the IPSec data
channels are subject to attack based on the compromise of a single 56-bit
key as suggested. The relative cryptographic strength of a Group 1 D-H
exchange is much greater than that of 56-bit DES CBC. Therefore, with PFS
enabled, cracking of the 56-bit DES CBC key used to protect the IKE SA does
NOT compromise the 3DES CBC key material protecting the IPSec data channel.
While it is recognized 56-bit DES is not recommended by the cryptographic
community, measures can be taken with software pre-dating v02_62.x to extend
the privacy lifetime of data protected by IPSec 3DES. Taking the following
measures will extend the privacy lifetime of data far beyond the privacy
lifetime of 56-bit DES when brute force or plain-text attacks are employed.
* Use PFS
* Use IPSec w/ 3DES/SHA-1
* Re-key often
* Use RSA digital signatures
Nortel Networks has implemented Diffie-Hellman group 2 with 3DES for
IKE phase 1 in v03_50.44 and recommends upgrading to this version of
software if concerns exist surrounding this issue. It should be noted that
implementations of IKE that do NOT support Diffie-Hellman Group I exchanges
are not compliant with the current IPSec standard. It is for this reason
that the Contivity product continues to support these groups. The
administrator can always choose to disable these groups if so desired.
Important notes and details clarification:
* It was cited that the EAC will fall back to DES_CBC if the initial
IKE SA proposal cannot be negotiated for 3DES_CBC. This is ONLY true if
configured so by the administrator. IKE Phase 1 parameters may be configured
as follows:
3DES with DH group 2
DES with DH group 1
Both 3DES with DH group2 and DES with DH group1
If support of client software predating v02_62 (DES with DH group1)
is NOT desired select 3DES with DH group 2 ONLY.
The same applies for branch office connections when negotiating down
to DES_CBC is NOT desired.
* The example cited shows an aggressive mode IKE SA being negotiated
for branch office connections. The CES uses only IKE main mode for branch
office connections.
The comments regarding upgrades and configuring IPSec settings state:
After upgrade you should check the IPSEC settings for Profiles/Groups
and Profiles/Branch office. The setting is named "IKE Encryption and
Diffie-Hellman Group" and it can be set to 56-bit or to 128-bit
encryption. Unfortunately you have to upgrade all your Extranet Access
Clients at once, because the setting is exclusive. You cannot have both
56 and 128 bits encryption for IKE activated.
The "IKE Encryption and Diffie-Hellman Group" field actually allows
for configuration of:
56-bit DES with Group1 (768-bit prime)
or
3DES with Group2 (1024-bit prime)
not 56-bit or 128-bit. As the author pointed out earlier, 3DES has a
168-bit effective key space.
In addition the CES uses an LDAP directory structure that allows
user centric profile configuration. If you want to use both 56-bit
DES clients (client software pre-dating v02_62) and DES/3DES Group1
and Group2 clients (client software v02_62 and higher) simply create a group
profile for each. You DO NOT have to upgrade all client software in the
field.
As always, the Nortel Networks Contivity team is committed to providing devices
of the highest quality and security. Peer review is a critical component of
the evolving security framework used today, and the team appreciates the interest
given in this area by others. The CES is currently certified in several
areas to FIPS certification criteria as follows:
CES is FIPS 140-1 level 2 certified, certificate #98
http://csrc.nist.gov/cryptval/140-1/1401val2000.htm
The CES implementation of SHA-1 is FIPS certified, certificate #31
http://csrc.nist.gov/cryptval/dss/dsaval.htm#SHAvals
The CES implementation of DES is FIPS certified, certificate #48
http://csrc.nist.gov/cryptval/des/desval.html
Nortel Networks considers this resolution to bugtraq #
<8CB7F81A5D17D31197A60008C7EBE37103341C9B@helsrv01.vaisala.com>
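Added example, not part of the original message and not Nortel code: the RFC 2409 key derivation the message relies on, showing that the key encrypting the ISAKMP SA comes from SKEYID_e while IPsec keys come from SKEYID_d, and that with PFS each Quick Mode mixes in its own g(qm)^xy. It assumes HMAC-SHA1 as the negotiated prf and signature authentication; the nonces, cookies, SPI and private exponents are constructed values.

```python
import hashlib
import hmac

# Oakley Group 1 (768-bit MODP) prime and generator from RFC 2409, section 6.1.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
ESP = 3  # IPsec DOI protocol identifier for ESP

def prf(key, data):
    """Assumption: HMAC-SHA1 is the negotiated pseudo-random function."""
    return hmac.new(key, data, hashlib.sha1).digest()

def secret(label):
    """Constructed, deterministic private exponent so the example is repeatable."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big")

def dh_shared(x, y):
    """g^xy as a 96-octet string: one side holds x, the peer sent g^y."""
    return pow(pow(G, y, P), x, P).to_bytes(96, "big")

def phase1_keys(g_xy, ni, nr, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID for signature authentication, then _d/_a/_e."""
    skeyid = prf(ni + nr, g_xy)
    tail = g_xy + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")      # seeds IPsec (phase 2) keys
    a = prf(skeyid, d + tail + b"\x01")  # authenticates ISAKMP messages
    e = prf(skeyid, a + tail + b"\x02")  # source of the IKE SA cipher key
    return d, a, e

def keymat(skeyid_d, protocol, spi, ni, nr, length, qm_g_xy=b""):
    """RFC 2409 section 5.5: KEYMAT = K1 | K2 | ...; qm_g_xy is set only with PFS."""
    seed = qm_g_xy + bytes([protocol]) + spi + ni + nr
    out = block = b""
    while len(out) < length:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:length]

def demo():
    # Constructed phase 1 nonces and cookies, Quick Mode nonces and SPI.
    ni, nr, cky_i, cky_r = b"I" * 16, b"R" * 16, b"\x01" * 8, b"\x02" * 8
    qni, qnr, spi = b"i" * 16, b"r" * 16, b"\x00\x00\x10\x01"
    g_xy = dh_shared(secret(b"p1-i"), secret(b"p1-r"))
    d, _, e = phase1_keys(g_xy, ni, nr, cky_i, cky_r)
    qm = [dh_shared(secret(b"qm%d-i" % n), secret(b"qm%d-r" % n)) for n in (1, 2)]
    return {
        "skeyid_d": d, "skeyid_e": e,
        # Without PFS: SKEYID_d plus values carried inside Quick Mode messages.
        "no_pfs": keymat(d, ESP, spi, qni, qnr, 24),
        # With PFS: same inputs, but each re-key adds its own fresh D-H secret.
        "pfs_rekey1": keymat(d, ESP, spi, qni, qnr, 24, qm[0]),
        "pfs_rekey2": keymat(d, ESP, spi, qni, qnr, 24, qm[1]),
    }
```

The 24-octet length matches a 3DES key; every input to the no-PFS KEYMAT other than SKEYID_d travels inside Quick Mode messages, which is why the PFS exchange is what makes each re-key independent of the phase 1 secret.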