[32842] in bugtraq


Re: Insecure IKE Implementations Clarification

daemon@ATHENA.MIT.EDU (Jun-ichiro itojun Hagino)
Sat Dec 13 17:42:57 2003

To: tls@rek.tjls.com
Cc: fw@deneb.enyo.de, aadams@securityfocus.com, bugtraq@securityfocus.com
In-Reply-To: Your message of "Fri, 12 Dec 2003 17:11:26 -0500"
	<20031212221126.GA27078@rek.tjls.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20031213220000.C8628A5@coconut.itojun.org>
Date: Sun, 14 Dec 2003 07:00:00 +0900 (JST)
From: itojun@itojun.org (Jun-ichiro itojun Hagino)

> On Fri, Dec 12, 2003 at 11:00:31PM +0100, Florian Weimer wrote:
> > Thor Lancelot Simon wrote:
> > 
> > > For what it's worth, the possibility of this general type of attack was
> > > repeatedly discussed in the IPsec working group and is a major reason
> > > why XAUTH was abandoned.  The particular password-stealing attack that I
> > > describe has been widely discussed among IKE implementors for at least two
> > > years; other implementors probably independently noticed it at least as
> > > early as I did, which was three years ago.
> > 
> > And we have technology deployed that solves exactly the same problem in
> > a reasonable way: SSH.
> 
> Yes and no.  SSH is not, by itself, a network-layer encryption solution,
> and there are many applications where that's really desirable.  The other
> issue is, of course, that SSH's model for authenticating host identities
> is, itself, a mess: in this day and age, it is not acceptable to just
> punt on the problem of first contact and pretend that users will reasonably
> exchange key fingerprints offline.  The widespread success of sniffing
> and MITM attacks on the SSH protocol -- all due to users not doing what
> the protocol, by omitting any means of using a hierarchy or web to validate
> host keys, requires them to do -- should be proof enough of this.

	there are efforts; draft-ietf-secsh-dns-05.txt.

itojun
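The draft itojun points to (draft-ietf-secsh-dns, later published as RFC 4255) publishes host key fingerprints in DNS SSHFP records so that a client has something beyond the first-contact prompt to check against. As an added illustration, not code from this thread or from any SSH implementation, the Python below derives the SSHFP RDATA from an OpenSSH public key line and checks a presented key against a record; the key material is constructed, and the DNS lookup itself (which the draft requires to be DNSSEC-validated before the record is trusted) is assumed to have already happened.

```python
import base64
import hashlib
import hmac
import struct

ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2}  # SSHFP algorithm numbers from the draft
FP_TYPE_SHA1 = 1                           # the only fingerprint type the draft defines


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint: length-prefixed two's-complement big-endian integer."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_sshfp(pubkey_line: str) -> str:
    """Derive the SSHFP RDATA ('alg fptype hexfp') from an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob's leading string names the key type; refuse lines where it disagrees.
    wire_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + wire_len] != keytype.encode():
        raise ValueError("key type in blob does not match the line")
    # The fingerprint is SHA-1 over the raw public key blob, not over the base64 text.
    return f"{ALGORITHM[keytype]} {FP_TYPE_SHA1} {hashlib.sha1(blob).hexdigest()}"


def verify_sshfp(pubkey_line: str, dns_record: str) -> bool:
    """True when the host key the server presented matches the published SSHFP record."""
    try:
        alg, fptype, fp = dns_record.split()
        exp_alg, exp_type, exp_fp = make_sshfp(pubkey_line).split()
        if int(alg) != int(exp_alg) or int(fptype) != int(exp_type):
            return False
        # Constant-time comparison of the hex digests (hex case is not significant).
        return hmac.compare_digest(fp.lower(), exp_fp)
    except (ValueError, KeyError, TypeError, struct.error):
        return False


def constructed_rsa_line() -> str:
    """Constructed sample line, NOT a real key: tiny values just to exercise the encoding."""
    e, n = 65537, (1 << 255) | 0x1234567
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " sample@example.invalid"
```

Without DNSSEC validation of the lookup, whoever can spoof the DNS answer can also publish a record matching their own key, so the check adds nothing over the prompt it replaces.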
