Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2678
Views
0
Helpful
1
Comments

MITM attack IPSec with PKI. part 2

Tagir Temirgaliyev
Spotlight
Spotlight

on ‎03-20-2019 09:58 AM

part1 here https://community.cisco.com/t5/security-blogs/mitm-attack-ipsec-what-happens-if-attacker-knows-ipsec-pre/ba-p/3756562

 

A brief summary of the part1 : we showed that the security level of IPSec with preshared key is equal to the security level of the configuration file of the router. And how can the configuration file of the router fall into the hands of a hacker? There are a lot of options. For example, I bought a used router and there was a working config from one of the banks.

 

Most experts will say that you need to use PKI CA authentication.

Now I will demonstrate to you that IPSec with basic primitive PKI authentication even less secure than IPSec with a preshared

key.

CA.png

on the diagram from Lo0 ROUTER-A to Lo0 ROUTER-B, an IPSec tunnel is established. Authentication is performed using certificates signed by SERVER. This is the simplest configuration.

 

Now suppose that the hacker turned off the link in the direction of ROUTER-B and installed his router R4

CA_R4.png

on R4, the hacker created the same IP addresses, generated an RSA key pare, sent a request to SERVER to sign the public key, received a signed certificate in response, and established an IPSec tunnel with ROUTER-A. So easy.

In the application configuration files.

Preview file
6 KB
Preview file
8 KB
Preview file
6 KB
Preview file
3 KB
0 Helpful
Comments
Tagir Temirgaliyev
Spotlight
Spotlight
‎03-23-2019 05:27 AM

Why is this basic implementation weak?
the first reason is grant auto in SERVER.
This means that the server signs any incoming request.
An attacker can generate a pair of RSA keys
and just send a request and automatically receive a signed certificate in reply.
I believe that in a production environment this can not be done.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents