[strongSwan] Implications of Weak DH / Logjam on IPSec
Gerd v. Egidy
lists at egidy.de
Thu May 21 11:59:59 CEST 2015
Hi,
you are probably aware of the recent Weak DH / Logjam attack on Diffie-Hellman,
see:
https://weakdh.org/
https://weakdh.org/imperfect-forward-secrecy.pdf
They focus mainly on TLS, but their paper
"Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice"
also discusses implications on IPSec in chapter 4.2 on page 8.
They don't describe all IPSec scenarios in detail, so I'd like someone with a
deeper knowledge of IPSec and cryptography to check if I understand it
correctly.
Let's assume IKEv1 Main Mode and an attacker who is able to pre-compute an
attack on DH Group 2 / MODP1024. If you are using PSK, the attacker now only
needs to know or crack the PSK to gain the session keys and he is able to
decrypt the traffic. So the attacker can reduce the security of Main Mode to
that of Aggressive Mode in the end.
What happens if you use RSA keys instead of PSK? I guess the attacker now also
needs to crack them before he can get at the session keys, correct?
Does the use of PFS for phase 2 / IPSec anyhow weaken the overall security of
the connection compared to using phase 2 without PFS?
Thanks for your help.
Kind regards,
Gerd
More information about the Users
mailing list