lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 12 Dec 2003 21:10:50 -0800
From: Sharad Ahlawat <sha@...co.com>
To: Thor Lancelot Simon <tls@....tjls.com>, bugtraq@...urityfocus.com
Cc: psirt@...co.com
Subject: Re: Multiple vulnerabilites in vendor IKE implementations, including Cisco,


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is in response to the mail posted by Thor Lancelot Simon. The original 
mail is available at http://www.securityfocus.com/archive/1/347351 in which 
Thor has listed two issues. Documented below is Cisco's response to them.

Issue #1: Cisco addressed this issue as part of CSCdw87717 wherein the Cert 
Domain Name verification feature was implemented. This issue has been 
documented under the Cisco security advisory
http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml.

Issue #2: This is a widely known common aspect of the Pre Shared Keys (PSK) 
authentication mechanism since 1999. With PSK, there is no way for a client 
to identify what is on the other side of the connection except that the other 
side has the same PSK.

The use of Digital Certificates as part of PKI for authentication or per user 
PSK are the only current solution to this aspect of using PSKs. It is a 
choice which network administrators must make between ease of use versus 
stronger security.

Additionally, there is another IETF draft specification that Cisco is in the 
process of evaluating, for its VPN 3000 product line, called CRACK (Challenge 
Response Authentication of Cryptographic Keys). More information available at 
http://www.nwfusion.com/links/Encyclopedia/C/722.html. Cisco is incorporating 
this authentication scheme in an upcoming release for the Cisco VPN 3000 
series concentrators. The Cisco VPN client should be supporting it in the 
future.

Brgds,
Sharad

- -- 
Sharad Ahlawat
Cisco Product Security Incident Response Team (PSIRT)
http://www.cisco.com/go/psirt
Phone:+1 (408) 527-6087
PGP-key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC12A996C
-----BEGIN PGP SIGNATURE-----
Comment: PGP Signed by Sharad Ahlawat

iD8DBQE/2p9aGoGomMEqmWwRAmM+AJ97lW3LdYAW4WN0LMbx/FN5rkdf+QCdFQ6U
WBbCX0je3eQKjv7IuzHZRHQ=
=abwG
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ