Noone was talkig about that IPSec isn't secure because of this attack scenario. We gave recommendations how to configure IPSec in a secure way with a proof of concept what might happen, if you don't. The described attack won't work too, if aggressive mode can be disabled as for example in Checkpoint FW-1, so it doens't depend only on a crackable PSK. Using this attack every PSK is crackable, but good ones aren't crackable in an acceptable amount of time. I don't want to start another discussion about how to choose good password or preshared keys, I totally agree that you get a lot of security when you choose strong ones, but if you take a look at SANS TOP 20 ( http://www.sans.org/top20/ ) you can see that's still one of the most common problems in praxis. So I think, that you can see that we don't have different point of views how to configure secure VPNs ;-) At 00:08 24.04.03 +0000, David Wagner wrote: >Michael Thumann wrote: > >we would like to announce the publication of a proof of concept paper 'PSK > >cracking using IKE Aggressive Mode'. Paper can be downloaded from > >www.ernw.de/download/pskattack.pdf . >[...] > >4. Of course the psk must be weak to crack it in an acceptable amount of > time > >Well, what did you expect? In your example, the pre-shared key was >derived from the ``secret'' string "cisco". Of course, if you choose >a key that the attacker can guess, the system won't be secure. Surprise! > >What do you expect IPSec to do if you give it an insecure, guessable key? >Noone claimed it would be secure in such a situation. > >I find your recommendations hard to take seriously. This is not a >vulnerability in IPSec, a good reason to disable vpn access, or anything >like that. Just use some common sense in how you use the crypto. If you >must use pre-shared keys, choose strong keys; or, use public keys instead >of pre-shared keying. Surely you agree? > >User: "Doctor, doctor, it hurts when I use insecure crypto keys." >Doctor: "Don't do that, then." ---------------------------------------------------------------------------------------------------- Michael Thumann mlthumann@ids-guide www.ids-guide.de Public Key available at http://www.ids-guide.de/MichaelThumann.asc ---------------------------------------------------------------------------------------------------- The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location...and i'm not even too sure about that one --Dennis Huges, FBI.
This archive was generated by hypermail 2b30 : Thu Apr 24 2003 - 14:38:51 PDT