The Dangers of Key Reuse: Practical Attacks on IPsec IKE (USENIX Security 2018)
    Dennis Felsch, Martin Grothe, Jörg Schwenk, Adam Czubak and Marcin Szymanek

    @inproceedings {217585,
    author = {Dennis Felsch and Martin Grothe and J{\"o}rg Schwenk and Adam Czubak and Marcin Szymanek},
    title = {The Dangers of Key Reuse: Practical Attacks on IPsec {IKE}},
    booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
    year = {2018},
    isbn = {978-1-939133-04-5},
    address = {Baltimore, MD},
    pages = {567--583},
    url = {https://www.usenix.org/conference/usenixsecurity18/presentation/felsch},
    publisher = {{USENIX} Association},
    month = aug,
    }

IPsec enables cryptographic protection of IP packets. It is commonly used to build VPNs (Virtual Private Networks). For key establishment, the IKE (Internet Key Exchange) protocol is used. IKE exists in two versions, each with different modes, different phases, several authentication methods, and configuration options.

In this paper, we show that reusing a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers. We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE.

We found Bleichenbacher oracles in the IKEv1 implementations of Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), Clavister (CVE-2018-8753), and ZyXEL (CVE-2018-9129). All vendors published fixes or removed the particular authentication method from their devices' firmware in response to our reports.