[strongSwan] (no subject)

Andreas Steffen andreas.steffen at strongswan.org
Tue Sep 4 08:24:22 CEST 2018


Hi Sandesh,

RSA signature-based authentication can only be broken if the
same RSA key is being used as for RSA encryption-based authentication
and this RSA key is broken applying the Bleichenbacher oracle to
RSA encryption-based authentication.

Since strongSwan does not implement RSA encryption, the RSA key cannot
be determined using the Bleichenbacher oracle and therefore IKEv1 and
IKEv2 RSA signatures cannot be compromised.

It has always been known that IKEv1 and IKEv2 PSK-based authentication
can be broken with an offline attack if the PSK is too weak. This is why
we recommend EAP-based user authentication with IKEv2 where the server
must authenticate itself first.

PSKs with 128 bit cryptographic strength or more cannot be broken.

Best regards

Andreas

On 03.09.2018 11:20, Sandesh Sawant wrote:
> Hello Andreas,
> 
> 
> Thanks for confirming that strongSwan isn't vulnerable to the mentioned
> attack.
> 
> 
> However the report claims to have exploits for PSK and RSA signature
> based authentication also... Quoting from the report abstract: 
> 
> "We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA
> encrypted nonces are used for authentication. Using this
> exploit, we break these RSA encryption based modes,
> and in addition break RSA signature based authentication
> in both IKEv1 and IKEv2. Additionally, we describe
> an offline dictionary attack against the PSK (Pre-Shared
> Key) based IKE modes, thus covering all available authentication
> mechanisms of IKE."
> 
> 
> Can you please confirm that strongSwan isn't vulnerable to the
> Bleichenbacher attack against IKEv2 signature based auth and offline
> dictionary attack mentioned for PSK based auth (irrespective of the PSK
> chosen by the user)?
> 
> 
> Thanks,
> 
> Sandesh
> 
> 
> On Fri, Aug 31, 2018 at 3:50 PM Andreas Steffen
> <andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>>
> wrote:
> 
>     Hi Sandesh,
> 
>     strongSwan is not vulnerable to the Bleichenbacher oracle attack
>     since we did not implement the RSA encryption authentication variant
>     for IKEv1.
> 
>     Best regards
> 
>     Andreas
> 
>     On 31.08.2018 10:53, Sandesh Sawant wrote:
>     > Hi all,
>     >
>     > I came across the below news about a paper enlisting attacks pertaining to
>     > the IKE protocol, and want to know whether the latest version of the strongSwan
>     > stack is vulnerable to the attacks mentioned in this
>     > paper: https://www.ei.rub.de/media/nds/veroeffentlichungen/2018/08/13/sec18-felsch.pdf
>     >
>     > References:
>     > https://latesthackingnews.com/2018/08/20/ipsec-vpn-connections-broken-using-20-year-old-flaw/
>     > https://securityaffairs.co/wordpress/75352/hacking/key-reuse-ipsec-attack.html
>     >
>     > Thanks,
>     > Sandesh
> 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
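The reply above makes two practical points about PSK authentication: a weak PSK is exposed to an offline dictionary attack, and a PSK with 128 bits of cryptographic strength or more is out of reach. The following is an added example (not code from the thread or from the strongSwan project) showing how an operator can generate a PSK that meets that bar and sanity-check a candidate PSK before deploying it. The entropy estimate is a charset-and-length heuristic and the blocklist of weak PSKs is constructed for the example; both are assumptions, not strongSwan policy.

```python
import math
import secrets
import string

# Strength floor from the list reply: 128 bits of cryptographic strength.
MIN_PSK_BITS = 128

# Constructed sample of weak, guessable PSKs (illustrative only; a real
# deployment would check against a much larger list of leaked passwords).
WEAK_PSK_BLOCKLIST = {"password", "password123", "vpn", "secret", "12345678"}


def generate_psk(bits: int = MIN_PSK_BITS) -> str:
    """Return a hex-encoded PSK drawn from the OS CSPRNG.

    A hex string carries exactly 4 bits per character, so a 128-bit PSK
    is 32 hex characters; the value is safe to paste into ipsec.secrets
    or swanctl.conf because it contains no quoting characters.
    """
    nbytes = (bits + 7) // 8
    return secrets.token_hex(nbytes)


def estimate_psk_bits(psk: str) -> float:
    """Upper-bound entropy estimate: length * log2(size of character classes used).

    This is generous for human-chosen strings (dictionary words are far
    weaker than the charset math suggests), which is why a blocklist
    check is applied separately in psk_is_acceptable().
    """
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    )
    charset = sum(size for chars, size in classes if any(c in chars for c in psk))
    if charset == 0:
        return 0.0
    return len(psk) * math.log2(charset)


def offline_guess_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years needed to exhaust the estimated keyspace at a given guess rate.

    The rate is an assumed figure for illustration; the point of the
    reply is that for 128 bits the answer is astronomically large no
    matter what rate you plug in.
    """
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def psk_is_acceptable(psk: str, min_bits: int = MIN_PSK_BITS) -> bool:
    """True only if the PSK is not on the blocklist and meets the entropy floor."""
    if psk.lower() in WEAK_PSK_BLOCKLIST:
        return False
    return estimate_psk_bits(psk) >= min_bits


if __name__ == "__main__":
    for candidate in ("password123", generate_psk()):
        bits = estimate_psk_bits(candidate)
        print(f"{candidate!r}: ~{bits:.0f} bits, "
              f"exhaustive offline search ~{offline_guess_years(bits):.3g} years, "
              f"acceptable={psk_is_acceptable(candidate)}")
```

Run it directly to compare a guessable PSK with a freshly generated one. Because the heuristic only bounds entropy from above, treat a passing estimate as necessary rather than sufficient; a generated random PSK is the reliable way to reach the 128-bit floor the reply describes.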