[strongSwan] (no subject)

Sandesh Sawant sandesh.sawant at gmail.com
Mon Sep 3 11:20:27 CEST 2018


Hello Andreas,


Thanks for confirming that strongSwan isn't vulnerable to the mentioned
attack.


However the report claims to have exploits for PSK and RSA signature based
authentication also... Quoting from the report abstract:

"We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA
encrypted nonces are used for authentication. Using this
exploit, we break these RSA encryption based modes,
and in addition break RSA signature based authentication
in both IKEv1 and IKEv2. Additionally, we describe
an offline dictionary attack against the PSK (Pre-Shared
Key) based IKE modes, thus covering all available authentication
mechanisms of IKE."


Can you please confirm that strongSwan isn't vulnerable to the
Bleichenbacher attack against IKEv2 signature based auth and offline
dictionary attack mentioned for PSK based auth (irrespective of the PSK
chosen by the user)?


Thanks,

Sandesh

On Fri, Aug 31, 2018 at 3:50 PM Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Sandesh,
>
> strongSwan is not vulnerable to the Bleichenbacher oracle attack
> since we did not implement the RSA encryption authentication variant
> for IKEv1.
>
> Best regards
>
> Andreas
>
> On 31.08.2018 10:53, Sandesh Sawant wrote:
> > Hi all,
> >
> > I came across below news about a paper enlisting attacks pertaining to
> > IKE protocol, and want to know whether the latest version of strongSwan
> > stack is vulnerable to the attacks mentioned in this
> > paper:
> > https://www.ei.rub.de/media/nds/veroeffentlichungen/2018/08/13/sec18-felsch.pdf
> > References:
> > https://latesthackingnews.com/2018/08/20/ipsec-vpn-connections-broken-using-20-year-old-flaw/
> > https://securityaffairs.co/wordpress/75352/hacking/key-reuse-ipsec-attack.html
> >
> > Thanks,
> > Sandesh
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
>