Re: Revised Pre-Shared and Public Key Sig modes??

Lewis McCarthy <lmccarth@cs.umass.edu> Tue, 17 March 1998 01:30 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id UAA11228 for ipsec-outgoing; Mon, 16 Mar 1998 20:30:43 -0500 (EST)
Message-ID: <350DD531.167E@cs.umass.edu>
Date: Mon, 16 Mar 1998 20:43:13 -0500
From: Lewis McCarthy <lmccarth@cs.umass.edu>
Organization: UMass-Amherst Theoretical Computer Science Group, <http://www.cs.umass.edu/~thtml/>
X-Mailer: Mozilla 3.01Gold (X11; U; OSF1 V4.0 alpha)
MIME-Version: 1.0
To: Matt Thomas <matt@ljo.dec.com>
CC: IP Security List <ipsec@tis.com>
Subject: Re: Revised Pre-Shared and Public Key Sig modes??
References: <199803062023.PAA15057@tecumseh.altavista-software.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Matt Thomas writes:
> The Main Mode exchanges for Pre-Shared keys (HASH_x) or Public Key
> Signatures (SIG_x) are:
[...elided...]
> Is there any reason why 1/2 a round trip could not be eliminated by
> having Revised versions of these modes such that:
> 
>    HDR, SA                         -->
>                                   <--   HDR, SA, KE, Nr
>    HDR, KE, Ni                     -->
>                                   <--   HDR*, IDir, [HASH_R | SIG_R]
>    HDR*, IDii, [HASH_I | SIG_I]    -->
> 

I think your revised mode would make denial of service attacks easier.
With the new design, the Responder does a DH computation before
confirming that the Initiator at least parsed the Responder's cookie.
An attacker could initiate many exponentiation-inducing exchanges
without listening to return traffic from the Responder.

-Lewis  <pseudonym@acm.org>
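The cost asymmetry Lewis describes, modelled as an added simulation that is not part of the thread or of any IKE implementation: a Responder state machine for both message orderings, a counter of modular exponentiations, and a check that the Responder's cookie in message 3 acts as proof that the peer actually received message 2 before any Diffie-Hellman work is spent. The DH group, the addresses and every class and function name here are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy Diffie-Hellman group for the simulation; not an IKE group.
P = (1 << 61) - 1   # a Mersenne prime, small enough for a demo
G = 2


@dataclass
class Responder:
    """Responder side of Phase 1 for the two orderings discussed in the thread:
    "standard" Main Mode (KE in message 4) and the "revised" proposal (KE in
    message 2)."""
    mode: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    exponentiations: int = 0                      # expensive operations so far
    pending: dict = field(default_factory=dict)   # cookie_r -> exchange state

    def make_cookie(self, src_addr: str, cookie_i: bytes) -> bytes:
        # Cookie bound to the peer's claimed address and its own cookie, so it
        # can only be echoed by a party that really received message 2.
        data = self.secret + src_addr.encode() + cookie_i
        return hashlib.sha256(data).digest()[:8]

    def on_msg1(self, src_addr: str, cookie_i: bytes) -> dict:
        """Handle 'HDR, SA -->' and build message 2."""
        cookie_r = self.make_cookie(src_addr, cookie_i)
        state = {"src": src_addr, "cookie_i": cookie_i}
        self.pending[cookie_r] = state
        reply = {"cookie_r": cookie_r, "sa": "accepted"}
        if self.mode == "revised":
            # KE, Nr travel in message 2, so the exponentiation happens before
            # the Responder knows whether the Initiator can hear it at all.
            y = secrets.randbelow(P - 2) + 1
            state["y"] = y
            state["ke_r"] = pow(G, y, P)
            self.exponentiations += 1
            reply["ke"] = state["ke_r"]
            reply["nr"] = secrets.token_bytes(8)
        return reply

    def on_msg3(self, src_addr: str, cookie_r: bytes, ke_i: int) -> Optional[dict]:
        """Handle 'HDR(cookie_r), KE, Ni -->'; None means the message was dropped."""
        state = self.pending.get(cookie_r)
        # Return-routability gate: only a peer that read message 2 knows cookie_r.
        if state is None or state["src"] != src_addr:
            return None                           # dropped, no DH work spent
        if self.mode == "standard":
            y = secrets.randbelow(P - 2) + 1
            state["y"] = y
            state["ke_r"] = pow(G, y, P)
            self.exponentiations += 1
        # Both orderings finish with the shared-secret exponentiation.
        state["shared"] = pow(ke_i, state["y"], P)
        self.exponentiations += 1
        return {"ke": state["ke_r"]}


def cost_of_unanswered_first_messages(responder: Responder, n: int) -> int:
    """Lewis's scenario: n first messages from made-up source addresses whose
    replies are never read. Returns the exponentiations forced on the Responder."""
    before = responder.exponentiations
    for i in range(n):
        responder.on_msg1(f"10.0.{i // 256}.{i % 256}", secrets.token_bytes(8))
    return responder.exponentiations - before


def honest_exchange(responder: Responder) -> bool:
    """A well-behaved Initiator; True when both sides agree on the shared secret."""
    cookie_i = secrets.token_bytes(8)
    msg2 = responder.on_msg1("192.0.2.1", cookie_i)
    x = secrets.randbelow(P - 2) + 1
    msg4 = responder.on_msg3("192.0.2.1", msg2["cookie_r"], pow(G, x, P))
    if msg4 is None:
        return False
    return pow(msg4["ke"], x, P) == responder.pending[msg2["cookie_r"]]["shared"]


if __name__ == "__main__":
    for mode in ("standard", "revised"):
        r = Responder(mode)
        print(mode, "honest exchange ok:", honest_exchange(r),
              "cost per 1000 unanswered message 1s:",
              cost_of_unanswered_first_messages(r, 1000))
```

Running the block shows the honest path costing the same two exponentiations in either ordering, while a thousand message 1s that are never followed up cost the standard Responder nothing and the revised Responder a thousand exponentiations. The model keeps per-exchange state after message 1 for simplicity; the separate question of state exhaustion is outside what the mail discusses.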