[strongSwan] Implications of Weak DH / Logjam on IPSec

Gerd v. Egidy lists at egidy.de
Thu May 21 11:59:59 CEST 2015


Hi,

you are probably aware of the recent Weak DH / Logjam attack on Diffie-Hellman, 
see:

https://weakdh.org/
https://weakdh.org/imperfect-forward-secrecy.pdf

They focus mainly on TLS, but their paper
"Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice"
also discusses implications on IPSec in chapter 4.2 on page 8. 

They don't describe all IPSec scenarios in detail, so I'd like someone with a 
deeper knowledge of IPSec and cryptography to check if I understand it 
correctly.

Let's assume IKEv1 Main Mode and an attacker who is able to pre-compute an 
attack on DH Group 2 / MODP1024. If you are using PSK, the attacker now only 
needs to know or crack the PSK to gain the session keys and he is able to 
decrypt the traffic. So the attacker can reduce the security of Main Mode to 
that of Aggressive Mode in the end.

What happens if you use RSA keys instead of PSK? I guess the attacker now also 
needs to crack them before he can get at the session keys, correct?

Does the use of PFS for phase 2 / IPSec anyhow weaken the overall security of 
the connection compared to using phase 2 without PFS?

Thanks for your help.

Kind regards,

Gerd


More information about the Users mailing list