Matasano Chargen: Adam Bozanich Did Not Uncover An NSA IPsec Conspiracy: Diffie Hellman Parameter Validation Explained

  • Erin Ptacek · 2 years ago
    Thanks for the tip, hon!
  • Matt · 2 years ago
    IKE is probably one of the worst protocols ever to come out of the IETF

    Ferguson and Schneier's paper on IPSec, including IKE, from a protocol design standpoint:

    http://schneier.com/paper-ipsec.html

    I also know from first-hand experience that a couple of the existing implementations have disastrously scary codebases.
  • Adam Bozanich · 2 years ago
    and what have we learned?

    That we should be more careful about blog titles? :)
  • djm · 2 years ago
    Parameter validation is actually recommended in RFC 2141 (s. 2.3.1.1) and anyone implementing DH needs to do it, so it isn't fair to blame the protocol here.

    I found and reported this problem to the security contacts of the ipsec-tools and openswan people last May, neither bothered to fix it. Some more details at: http://article.gmane.org/gmane.comp.encryption....

    Of course I was being very web 1.0 about it, I guess I should have just blogged it.
  • Nate · 2 years ago
    I know! We'll add a salt to the DH derived secret like this:

    MD5("barfing bunions" || secret)

    Then rainbow tables cannot be used to attack it. Also, in addition to 1970's Unix crypt being a new discovery, apparently the 1980's chroot break code is also new:

    http://kerneltrap.org/Linux/Abusing_chroot
  • Andy 2 · 2 years ago
    In addition to 1970's crypt and 1980's chroot, the 1990's ISP now contributes...

    Rainbow tables visualized:

    http://ourworld.compuserve.com/homepages/citygl...
  • Peder Grass · 1 year ago
    It's interesting to know I'm not alone with a brain in this weird world.
  • JB · 6 months ago
    "When Alice and Bob run DH, they have to be careful not to allow any of the parameters -- p, g, A, or B -- be zero or one mod p."

    Well, p is always going to be zero mod p!
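
The parameter validation djm and JB are discussing, as an added example that is not part of the original post or of any commenter's code. It rejects the degenerate public values (0, 1, p-1, and anything outside the group, which covers p itself since p is 0 mod p) and, when the subgroup order q is known, also rejects values outside the order-q subgroup. The group (p = 23, q = 11, g = 2) and the private exponents are constructed toy values so the arithmetic can be followed by hand; real deployments use the 2048-bit or larger MODP groups.

```python
"""Validating Diffie-Hellman public values before deriving a shared secret.

Added example; the toy group below (p = 2q + 1 = 23) is constructed for
illustration only and offers no security.
"""
from typing import Optional

P = 23   # toy safe prime, P = 2*Q + 1 (constructed)
Q = 11   # order of the prime-order subgroup the public values must lie in
G = 2    # generates the order-Q subgroup of Z_23^* (2**11 % 23 == 1)


def validate_public_value(y: int, p: int = P, q: Optional[int] = Q) -> bool:
    """Return True only if y is an acceptable DH public value mod p.

    Rejects:
      * y <= 1       : 0 and 1 let the peer force the shared secret to 0 or 1
      * y >= p - 1   : p-1 is -1 mod p (order 2, secret is 1 or p-1, one bit);
                       p and above are out of range (p itself is 0 mod p)
      * y**q != 1    : y is not in the order-q subgroup (small-subgroup
                       confinement), checked only when q is supplied
    """
    if y <= 1 or y >= p - 1:
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True


def shared_secret(peer_public: int, my_private: int,
                  p: int = P, q: Optional[int] = Q) -> int:
    """Derive peer_public**my_private mod p, refusing invalid peer values."""
    if not validate_public_value(peer_public, p, q):
        raise ValueError(f"rejected DH public value {peer_public}")
    return pow(peer_public, my_private, p)


def poisoned_secret(peer_public: int, my_private: int, p: int = P) -> int:
    """The same derivation with no validation, to show what an attacker gets."""
    return pow(peer_public, my_private, p)


if __name__ == "__main__":
    a, b = 6, 15                      # constructed private exponents
    A = pow(G, a, P)                  # Alice's public value, 18
    B = pow(G, b, P)                  # Bob's public value, 16
    print(shared_secret(B, a), shared_secret(A, b))   # both 4

    # Attacker replaces A with 1: Bob derives 1 no matter what b is.
    print(poisoned_secret(1, b))
    # Attacker replaces A with p-1: Bob's secret is 1 or p-1, one bit of entropy.
    print(sorted({poisoned_secret(P - 1, k) for k in range(1, Q)}))

    # The validator rejects all of these; 5 is rejected because it generates
    # the whole group rather than the order-Q subgroup (5**11 % 23 == 22).
    for bad in (0, 1, P - 1, P, 5):
        print(bad, validate_public_value(bad))
```

The range check alone stops the 0/1/p-1 attacks; the subgroup check is what stops a peer from sending an element of a small subgroup to leak bits of your private exponent, and it only makes sense when g itself generates the order-q subgroup, as it does here.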