Encrypting with nonces in IKE

hadz

6/27/23, 11:49 AM

In IKE exchanges, first messages sent unencrypted and unauthenticated. For authentication, messages sent encrypted with nonces.

If a man in the middle is eavesdropping this conversation, he/she will know which encryption algorithm will be used in exchanges. Can't the attacker know contents of every encrypted messages because nonces are also included in messages? How can we say these exchanges are safe?

For example: In IKEv1, Main mode, authentication with digital signatures:

Initiator Sends: HDR, SA (SA is an Security Association negotiation payload with one or more proposals)

Responder: HDR, SA

Initiator: HDR, KE, Ni (KE is public Diffie-Hellman value and Ni is Nonce)

Responder: HDR, KE, Nr

Initiator : HDR*, IDii, [ CERT, ] SIG_I (Now messages are encrpyted)

If an attacker eavesdropped the first exchanges, can't the attacker also decrypt the encrypted ones?

0 + 0

encryption

nonce

man-in-the-middle

encoding

ipsec

Score:1

Crypto

poncho

6/27/23, 5:20 PM

If a man in the middle is eavesdropping this conversation, he/she will know which encryption algorithm will be used in exchanges. Can't the attacker know contents of every encrypted messages because nonces are also included in messages?

Yes, they will know what the IKE encryption algorithm is; they won't know the encryption keys. That's because IKE (all modes of all versions) always does a Diffie-Hellman exchange, and generates the keys based on that. The man in the middle cannot derive that, and so won't know the keys (and so can't listen in)

0 + 0

Score:1

Crypto

Maarten Bodewes

6/27/23, 2:58 PM

The algorithm and algorithm configuration is generally presumed to be known by an adversary, so that part is not a problem. If a certificate is send in the clear then the information in the certificate can directly be eavesdropped. This is why TLS 1.3 for instance starts encrypting directly after key agreement.

And no, when DH is used we can assume that the session keys are derived from a DH key agreement. With DH, even without authentication, it is impossible to decrypt by eavesdropping. You can still have a MitM attack or an unknown party establishing the connection though, if you don't authenticate said party. If the protocol is anything to go by then SIG_I is used for entity authentication. But please note that this is just the initiator that is authenticating themselves.

0 + 0

Maarten Bodewes

6/27/23, 2:59 PM

Beware, I've just looked up what some of the IKE terms means. If there is anybody that has a working knowledge of IKE please adjust, comment or - of course - post a better or different answer.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Encrypting with nonces in IKE

TH: การเข้ารหัสด้วย nonce ใน IKE

RO: Criptare cu nonces în IKE

RU: Шифрование с одноразовыми номерами в IKE

VI: Mã hóa bằng nonce trong IKE

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.