<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal>Hi Sandesh</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>The offline dictionary PSK attack isn’t something new (people have known about this since the last millennium!).</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>In summary, if you have a ‘strong’ PSK you’re safe. But if you have an active MiTM as described in the paper, then they can perform an offline brute-force attack against your PSK, assuming they have the computing power to find it.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>I wrote the following to help explain this:</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><a href="https://www.linkedin.com/pulse/ike-brute-force-attack-explained-graham-bartlett/">https://www.linkedin.com/pulse/ike-brute-force-attack-explained-graham-bartlett/</a></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>cheers</p>
<p class=MsoNormal>&nbsp;</p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Users &lt;users-bounces@lists.strongswan.org&gt; on behalf of Sandesh Sawant &lt;sandesh.sawant@gmail.com&gt;<br><b>Date: </b>Monday, 3 September 2018 at 10:20<br><b>To: </b>"andreas.steffen@strongswan.org" &lt;andreas.steffen@strongswan.org&gt;<br><b>Cc: </b>"users@lists.strongswan.org" &lt;users@lists.strongswan.org&gt;<br><b>Subject: </b>Re: [strongSwan] (no subject)</span></p></div>
<div><p class=MsoNormal>&nbsp;</p></div>
<div>
<p class=gmail-p1><a name="_MailOriginalBody">Hello Andreas,</a></p>
<p class=gmail-p1>&nbsp;</p>
<p class=gmail-p1>Thanks for confirming that strongSwan isn't vulnerable to the mentioned attack.</p>
<p class=gmail-p1>&nbsp;</p>
<p class=gmail-p1>However, the report also claims to have exploits for PSK and RSA signature based authentication. Quoting from the report abstract:</p>
<p class=gmail-p1>"We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE."</p>
<p class=gmail-p1>&nbsp;</p>
<p class=gmail-p1>Can you please confirm that strongSwan isn't vulnerable to the Bleichenbacher attack against IKEv2 signature based auth and the offline dictionary attack mentioned for PSK based auth (irrespective of the PSK chosen by the user)?</p>
<p class=gmail-p1>&nbsp;</p>
<p class=gmail-p1>Thanks,</p>
<p class=gmail-p1>Sandesh</p>
<p class=MsoNormal>&nbsp;</p>
<div><div><p class=MsoNormal>On Fri, Aug 31, 2018 at 3:50 PM Andreas Steffen &lt;<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>&gt; wrote:</p></div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal>Hi Sandesh,<br><br>strongSwan is not vulnerable to the Bleichenbacher oracle attack<br>since we did not implement the RSA encryption authentication variant<br>for IKEv1.<br><br>Best regards<br><br>Andreas<br><br>On 31.08.2018 10:53, Sandesh Sawant wrote:<br>&gt; Hi all,<br>&gt; <br>&gt; I came across the news below about a paper listing attacks pertaining to<br>&gt; the IKE protocol, and want to know whether the latest version of the strongSwan<br>&gt; stack is vulnerable to the attacks mentioned in this<br>&gt; paper: <a href="https://www.ei.rub.de/media/nds/veroeffentlichungen/2018/08/13/sec18-felsch.pdf" target="_blank">https://www.ei.rub.de/media/nds/veroeffentlichungen/2018/08/13/sec18-felsch.pdf</a><br>&gt; References:<br>&gt; <a href="https://latesthackingnews.com/2018/08/20/ipsec-vpn-connections-broken-using-20-year-old-flaw/" target="_blank">https://latesthackingnews.com/2018/08/20/ipsec-vpn-connections-broken-using-20-year-old-flaw/</a><br>&gt; <a href="https://securityaffairs.co/wordpress/75352/hacking/key-reuse-ipsec-attack.html" target="_blank">https://securityaffairs.co/wordpress/75352/hacking/key-reuse-ipsec-attack.html</a><br>&gt; <br>&gt; Thanks,<br>&gt; Sandesh<br><br>======================================================================<br>Andreas Steffen                         <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>strongSwan - the Open Source VPN Solution!          <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>Institute for Networked Solutions<br>HSR University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[INS-HSR]==</p></blockquote></div></div></div></body></html>