Re: [IPsec] New method to resist replay attack in ikev2

"ramaswamy" <ramaswamy.bm@globaledgesoft.com> Tue, 20 September 2011 07:10 UTC

Return-Path: <ramaswamy.bm@globaledgesoft.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FA8F21F8A67 for <ipsec@ietfa.amsl.com>; Tue, 20 Sep 2011 00:10:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.592
X-Spam-Level:
X-Spam-Status: No, score=-0.592 tagged_above=-999 required=5 tests=[AWL=0.558, BAYES_00=-2.599, MSGID_MULTIPLE_AT=1.449]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NN0CQLbQF4EE for <ipsec@ietfa.amsl.com>; Tue, 20 Sep 2011 00:10:40 -0700 (PDT)
Received: from gesmail.globaledgesoft.com (gesmail.globaledgesoft.com [119.82.106.22]) by ietfa.amsl.com (Postfix) with ESMTP id 0452621F8A64 for <ipsec@ietf.org>; Tue, 20 Sep 2011 00:10:37 -0700 (PDT)
Received: from RamaswamySM (ramaswamy_sm.globaledgesoft.com [172.16.8.54]) by gesmail.globaledgesoft.com (Postfix) with ESMTP id 8B7025882C2; Tue, 20 Sep 2011 12:45:54 +0530 (IST)
From: ramaswamy <ramaswamy.bm@globaledgesoft.com>
To: 'Tero Kivinen' <kivinen@iki.fi>
References: <20013.29623.491247.654466@fireball.kivinen.iki.fi> <B97B134FACB2024DB45F524AB0A7B7F203ED2B05@XMB-BGL-419.cisco.com> <90AEF529-7273-4695-BA31-4F221A4ACF45@checkpoint.com> <4E2EA248.70708@gmail.com> <B97B134FACB2024DB45F524AB0A7B7F203ED2CEA@XMB-BGL-419.cisco.com> <A2354B6A9F807641B21EEABD666ECEEA0130A752@XMB-BGL-416.cisco.com> <EE0C2F9E065E634B84FC3BE36CF8A4B2079C046C@xmb-sjc-23e.amer.cisco.com> <A2354B6A9F807641B21EEABD666ECEEA0130A7D8@XMB-BGL-416.cisco.com> <008901cc63b8$e5c9c640$b15d52c0$@bm@globaledgesoft.com> <20060.43306.157789.942917@fireball.kivinen.iki.fi> <00e301cc76d8$44b0e940$ce12bbc0$@bm@globaledgesoft.com> <20087.57900.897702.835641@fireball.kivinen.iki.fi>
In-Reply-To: <20087.57900.897702.835641@fireball.kivinen.iki.fi>
Date: Tue, 20 Sep 2011 12:42:45 +0530
Message-ID: <00a901cc7764$b1da4b10$158ee130$@bm>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
thread-index: Acx3Lw/ZXwa4JV2PQYSqB5taTHlj8gALYVdA
Content-Language: en-us
Cc: ipsec@ietf.org, ipsec-tools-devel@lists.sourceforge.net, ipsec-tools-users@lists.sourceforge.net, ikev2-devel@lists.sourceforge.net
Subject: Re: [IPsec] New method to resist replay attack in ikev2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2011 07:10:41 -0000

Please see my comments inline.

Best Regards ,
Ram

-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
Tero Kivinen
Sent: Tuesday, September 20, 2011 6:16 AM
To: ramaswamy
Cc: ipsec@ietf.org; ipsec-tools-devel@lists.sourceforge.net;
ipsec-tools-users@lists.sourceforge.net; ikev2-devel@lists.sourceforge.net
Subject: Re: [IPsec] New method to resist replay attack in ikev2

ramaswamy writes:
> Thanks for the response, I agree with your comments, I think we can use
> certificates to avoid man in the middle attacks and error message flooding
> in the INIT phase only, as certificates are signed by trusted certificate
> authorities authenticity is ensured.
> 
> If certificates are used in INIT message exchanges [mutual
authentication],
> we can effectively avoid afore said attacks as it avoids huge computation
of
> IKE-keys before the client OR server is authenticated.

RSA operations are already huge computation. There is no big
difference whether you do RSA or Diffie-Hellman.

>>>>>>>>>>> [Ram] I agree with you, but we have certificate verification
done at AUTH phase, our suggestion is the same can be moved to initial phase
of ikev2 exchanges and this will ensure authenticity before IKEv2-KEYS[seven
keys] are generated.
As IKE users are already authenticated there is no need of CERT message
exchanges in AUTH phase and also which in turn will help to avoid man in the
middle attacks and error message flooding at IKEv2-INIT level only.
And also it will avoid unnecessary computation of ikev2-keys[seven keys:
which involves huge computation] at server end  due to INIT-REQESTS sent by
attackers. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>

> To avoid Replay attacks:
> By using RSA private key of certificate to encrypt the nonce (Ni) in
> INIT_REQUEST message we can avoid replay attacks, at the receiving end,
> first certificate is verified using root CA and nonce is decrypted using
> public key of the received certificate which ensures that sender holds the
> valid private key of the certificate and not an attacker.  By using nonce
we
> can avoid Replay attacks[Packets can be rejected if the same nonce is
> received within a particular session].

So you plan to store that nonce forever, and always verify that the
nonce is not used before? That would be extremely expensive way to
solve the replay attack.	

>>>>>>>>>>> [Ram] I agree that storing nonce forever is not an best solution
to solve replay attacks, but our suggestion is to store the nonce from
particular client for particular session [time limit Eg: 2 minutes]. If it
receives same nonce with in the permissible time limit it should rejected.
If it more than permissible limit server will throw an error SKEW_ERROR,
handling of which is explained below.

To do it more effectively Ikev2 client should be clock synchronized with
server by negotiating client time by using encrypted nonce(Ni) --> timestamp
[Ni is encrypted by RSA private key of certificate of ikev2 client
certificate]  in INIT-REQUEST it self, and server can check the received
time [encrypted nonce(Ni):timestamp] and if it is more than permissible time
limit say Eg: 2 minutes it can throw an clock skew error[SKEW_ERROR], by
putting its server time using  encrypted server nonce (Nr) using RSA private
key of certificate of ikev2 server certificate.

Upon receipt of skew error ikev2 client must compute the difference (in
seconds) between the
two clocks based upon the client and server time contained in the SKEW_ERROR
message. The client should store this clock difference in non-volatile
memory and must use it to adjust ikev2 client timestamps[Ni] in subsequent
INIT-REQ request messages by adding the clock skew to its local clock value
each time.
If the encrypted nonce differs from server time by permissible limit it can
reject the INIT-REQ and avoid replay attacks. 
>>>>>>>>>>>>>>>>>> 


-- 
kivinen@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec