<div dir="ltr">Hi Graham,<div><br></div><div>Thanks for clarifying this further.</div><div><br></div><div>Best,</div><div>Sandesh<br><div class="gmail_quote"><div dir="ltr">On Mon, Sep 3, 2018 at 3:49 PM Graham Bartlett (grbartle) &lt;<a href="mailto:grbartle@cisco.com">grbartle@cisco.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-GB" link="blue" vlink="purple"><div class="m_-2961104568182698668WordSection1">
<p class="MsoNormal">Hi Sandesh</p>
<p class="MsoNormal">The offline dictionary PSK attack isn’t something new (people have known about this since the last millennium!).</p>
<p class="MsoNormal">In summary, if you have a ‘strong’ PSK you’re safe. But if you have an active MiTM as described in the paper, then they can perform an offline brute force attack against your PSK, assuming they have the computing power to find it.</p>
<p class="MsoNormal">I wrote the following to help explain this:</p>
<p class="MsoNormal"><a href="https://www.linkedin.com/pulse/ike-brute-force-attack-explained-graham-bartlett/" target="_blank">https://www.linkedin.com/pulse/ike-brute-force-attack-explained-graham-bartlett/</a></p>
<p class="MsoNormal">cheers</p>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b>From: </b>Users &lt;<a href="mailto:users-bounces@lists.strongswan.org" target="_blank">users-bounces@lists.strongswan.org</a>&gt; on behalf of Sandesh Sawant &lt;<a href="mailto:sandesh.sawant@gmail.com" target="_blank">sandesh.sawant@gmail.com</a>&gt;<br><b>Date: </b>Monday, 3 September 2018 at 10:20<br><b>To: </b>"<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>" &lt;<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>&gt;<br><b>Cc: </b>"<a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a>" &lt;<a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a>&gt;<br><b>Subject: </b>Re: [strongSwan] (no subject)</p></div>
<div>
<p class="m_-2961104568182698668gmail-p1"><a name="m_-2961104568182698668__MailOriginalBody"></a>Hello Andreas,</p>
<p class="m_-2961104568182698668gmail-p1">Thanks for confirming that strongSwan isn't vulnerable to the mentioned attack.</p>
<p class="m_-2961104568182698668gmail-p1">However, the report claims to have exploits for PSK and RSA signature based authentication also. Quoting from the report abstract:</p>
<p class="m_-2961104568182698668gmail-p1">"We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE."</p>
<p class="m_-2961104568182698668gmail-p1">Can you please confirm that strongSwan isn't vulnerable to the Bleichenbacher attack against IKEv2 signature based auth and the offline dictionary attack mentioned for PSK based auth (irrespective of the PSK chosen by the user)?</p>
<p class="m_-2961104568182698668gmail-p1">Thanks,</p>
<p class="m_-2961104568182698668gmail-p1">Sandesh</p>
<div><div><p class="MsoNormal">On Fri, Aug 31, 2018 at 3:50 PM Andreas Steffen &lt;<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>&gt; wrote:</p></div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"><p class="MsoNormal">Hi Sandesh,<br><br>strongSwan is not vulnerable to the Bleichenbacher oracle attack<br>since we did not implement the RSA encryption authentication variant<br>for IKEv1.<br><br>Best regards<br><br>Andreas<br><br>On 31.08.2018 10:53, Sandesh Sawant wrote:<br>&gt; Hi all,<br>&gt; <br>&gt; I came across the below news about a paper enlisting attacks pertaining to the<br>&gt; IKE protocol, and want to know whether the latest version of the strongSwan<br>&gt; stack is vulnerable to the attacks mentioned in this<br>&gt; paper: <a href="https://www.ei.rub.de/media/nds/veroeffentlichungen/2018/08/13/sec18-felsch.pdf" target="_blank">https://www.ei.rub.de/media/nds/veroeffentlichungen/2018/08/13/sec18-felsch.pdf</a><br>&gt; References:<br>&gt; <a href="https://latesthackingnews.com/2018/08/20/ipsec-vpn-connections-broken-using-20-year-old-flaw/" target="_blank">https://latesthackingnews.com/2018/08/20/ipsec-vpn-connections-broken-using-20-year-old-flaw/</a><br>&gt; <a href="https://securityaffairs.co/wordpress/75352/hacking/key-reuse-ipsec-attack.html" target="_blank">https://securityaffairs.co/wordpress/75352/hacking/key-reuse-ipsec-attack.html</a><br>&gt; <br>&gt; Thanks,<br>&gt; Sandesh<br><br>======================================================================<br>Andreas Steffen                         <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>strongSwan - the Open Source VPN Solution!          <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>Institute for Networked Solutions<br>HSR University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[INS-HSR]==</p></blockquote></div></div></div></div>
</blockquote></div></div></div>
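A defender-side check added here, not taken from the thread, the paper, or the strongSwan project: it puts a number on Graham's "strong PSK" point by estimating how much an offline guesser gains when an IKE PSK is assembled from dictionary words rather than random bytes, and generates a replacement. The word list is a constructed stand-in for a real attacker dictionary.

```python
import math
import secrets
import string
from typing import List, Optional

# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = {"vpn", "secret", "password", "cisco", "admin", "ipsec", "2018", "strong", "swan"}


def charset_bits(psk: str) -> float:
    """Upper bound: treat the PSK as uniformly random over the character classes it uses."""
    size = 0
    if any(c.islower() for c in psk):
        size += 26
    if any(c.isupper() for c in psk):
        size += 26
    if any(c.isdigit() for c in psk):
        size += 10
    if any(c in string.punctuation for c in psk):
        size += len(string.punctuation)
    return len(psk) * math.log2(size) if size else 0.0


def split_into_words(psk: str) -> Optional[List[str]]:
    """Shortest split of the PSK into dictionary words (case-insensitive), or None if impossible."""
    low = psk.lower()
    best: List[Optional[List[str]]] = [None] * (len(low) + 1)
    best[0] = []
    for i in range(1, len(low) + 1):
        for j in range(i):
            if best[j] is not None and low[j:i] in WORDLIST:
                cand = best[j] + [low[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(low)]


def effective_bits(psk: str) -> float:
    """Entropy an offline dictionary attacker actually faces: words * log2(dictionary size)
    when the PSK is word-built, otherwise the character-class bound."""
    words = split_into_words(psk)
    if words:
        return len(words) * math.log2(len(WORDLIST))
    return charset_bits(psk)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate at the assumed guess rate (constructed figure)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_psk(nbytes: int = 32) -> str:
    """Replacement PSK from the OS CSPRNG; carries 8 * nbytes bits regardless of its text form."""
    return secrets.token_urlsafe(nbytes)
```

A word-built PSK that looks long to a character-class estimate collapses to a few bits once the attacker's dictionary matches it, which is exactly why only a random, high-entropy PSK neutralises the offline attack the paper describes.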