In collaboration with colleagues from Opole University in Poland, researchers at Horst Görtz Institute for IT Security (HGI) at Ruhr-Universität Bochum (RUB) have demonstrated that the Internet protocol “IPsec” is vulnerable to attacks. The Internet Key Exchange protocol “IKEv1”, which is part of the protocol family, has vulnerabilities that enable potential attackers to interfere with the communication process and intercept specific information.
The research results are published by Dennis Felsch, Martin Grothe and Prof Dr Jörg Schwenk from the Chair for Network and Data Security at RUB as well as Adam Czubak and Marcin Szymanek from Opole University on 16 August 2018 at the Usenix Security Symposium as well as on their blog.
Secure and encrypted communication
As an enhancement of Internet protocol (IP), “IPsec” has been developed to ensure cryptographically secure communication via publicly accessible resp. insecure networks, such as the Internet, by using encryption and authentication mechanisms. This type of communication is often relevant for enterprises whose employees operate from decentralised workplaces – for example as sales reps or from home office – and have to access company resources. The protocol can, moreover, be utilised to set up virtual private networks, or VPNs.
In order to enable an encrypted connection with “IPsec”, both parties must authenticate and define shared keys that are necessary for communication. Automated key management and authentication, for example via passwords or digital signatures, can be conducted via the Internet Key Exchange protocol “IKEv1”.
“Even though the protocol is considered obsolete and a newer version, namely IKEv2, has been long available in the market, we see in real-life applications that it is still being implemented in operating systems and still enjoys great popularity, even on newer devices,” explains Dennis Felsch. But it is precisely this protocol that has vulnerabilities, as the researchers found out during their analysis.
Bleichenbacher’s attack successful
In the course of their project, the researchers attacked the encryption-based logon mode of “IPsec” by deploying the so-called Bleichenbacher’s attack, which had been invented in 1998. Its principle is: errors are deliberately incorporated into an encoded message, which is then repeatedly sent to a server. Based on the server’s replies to the corrupted message, an attacker can gradually draw better and better conclusions about the encrypted contents.
“Thus, the attacker approaches the target step by step until he reaches his goal,” says Martin Grothe and adds: “It is like a tunnel with two ends. It’s enough if one of the two parties is vulnerable. Eventually, the vulnerability permits the attacker to interfere with the communication process, to assume the identity of one of the communication partners, and to actively commit data theft.”
Bleichenbacher’s attack proved effective against the hardware of four network equipment providers. The affected parties were Clavister, Zyxel, Cisco, and Huawei. All four manufacturers have been notified and have now eliminated the security gaps.
Passwords under scrutiny
In addition to the encryption-base logon mode, the researchers have also been looking into password-based login. “Authentication via passwords is carried out with hash values, which are similar to a fingerprint. During our attack, we demonstrated that both IKEv1 and the current IKEv2 present vulnerabilities and may be easily attacked – especially if the password is weak. Accordingly, a highly complex password provides the best protection if IPsec is deployed in this mode,” concludes Martin Grothe. The vulnerability was also communicated to the Computer Emergency Response Team (CERT), as it coordinates the response to actual IT security incidents and provided assistance to the researchers as they notified the industry about the vulnerability.
All-clear for users and network equipment providers
The identified Bleichenbacher vulnerability is not a bug in the standard but rather an implementation error that can be avoided – it all depends on how manufacturers integrate the protocol in their devices. Moreover, the attacker has to enter the network first, before he can do anything. Nevertheless, the researchers’ successful attack has demonstrated that established protocols such as “IPsec” still include the Bleichenbacher gap that makes them potentially vulnerable to attack.
Presentation at symposium
The research team headed by Jörg Schwenk will present the vulnerabilities at the Usenix Security Symposium, which will be taking place from 15 to 17 August 2018 in Baltimore, USA.
Dennis Felsch, Martin Grothe, Jörg Schwenk, Adam Czubak, Marcin Szymanek: The dangers of key reuse: practical attacks on IPsec IKE, 2018, Online preview: https://www.usenix.org/conference/usenixsecurity18/presentation/felsch