
Re: [Mobopts] Key transfer issue for pana-cxtp

From: Julien Bournelle <julien.bournelle(at)int-evry.fr>
Date: Fri Apr 01 2005 - 04:04:34 EST

Hi James,

On Thu, Mar 31, 2005 at 12:00:14PM -0800, James Kempf wrote:
>
> >
> > Currently we use the mechanism described in pana-mobopts for key

The PANA-Start-Exchange (PSR/PSA) is not protected.

> assume PAA-nonce is for nPAA, right? How is that protected (I'm assuming

The PAA_Nonce is created by the PAA and sent to the PaC; the PaC_Nonce is created by the PaC and sent to the PAA.

> > Thus an attacker can get AAA-Key-new if:

My notation is misleading. I'm sorry about that. What I meant is that to get the AAA-Key the attacker must compromise the pPAA. In fact we can replace "=>" by "The attacker must".


> What's to prevent an attacker from starting a PANA exchange

Exactly.

>
> > => others ?
> > * it knows Nonces
> > => sniff MN-nPAA PANA-Start-Exchange
> >
> > We need to know if this key transfer is ok from a security point of
> > view.

I got it. The criterion of interest is:

"Compromise of a single NAS cannot compromise any other part of the system, including session keys and long-term keys"

In our situation, the compromise of the pPAA (NAS) can compromise other parts of the system. But the attacker must perform other operations:

  • sniff MN-pPAA link to get session-id
  • get nPAA's identity
  • sniff MN-nPAA link to get Nonces

So this is not only a compromise of the NAS which permits compromising other parts of the system. That's why I'm a little bit confused.

I'd like to get a sort of consensus on this to know if it is useful to continue with this idea (transfer of the AAA-Key-int).


Regards,

-- 
julien.bournelle at int-evry.fr

_______________________________________________
Mobopts mailing list
Mobopts@irtf.org
https://www1.ietf.org/mailman/listinfo/mobopts
Received on Fri Apr 1 04:06:59 2005

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:43:10 EDT
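The thread's argument can be checked mechanically: the new key is only computable by an attacker who holds everything the message lists (the transferred AAA-Key-int from a compromised pPAA, the session-id, the nPAA identity, and the nonces from the unprotected PSR/PSA exchange), so a compromise of the pPAA alone is not enough. The following is an added example written for this archive page, not code from the thread or from the pana-mobopts draft. The HMAC-based derivation `derive_aaa_key_new`, the capability names and all sample values are assumptions chosen to mirror the bullet list above; the real derivation in the draft may use different inputs.

```python
import hashlib
import hmac

# Constructed sample values (placeholders, not taken from the thread or the draft).
AAA_KEY_INT = b"constructed-aaa-key-int"
SESSION_ID = b"constructed-session-id"
NPAA_ID = b"nPAA.example.invalid"
PAA_NONCE = b"constructed-paa-nonce"
PAC_NONCE = b"constructed-pac-nonce"

# ASSUMPTION: AAA-Key-new = HMAC(AAA-Key-int, session-id | nPAA-id | PAA_Nonce | PaC_Nonce).
# This stands in for whatever pana-mobopts actually specifies; the point is only that the
# key depends on the transferred key plus values an on-path observer can read.
def derive_aaa_key_new(aaa_key_int, session_id, npaa_id, paa_nonce, pac_nonce):
    material = b"|".join([session_id, npaa_id, paa_nonce, pac_nonce])
    return hmac.new(aaa_key_int, material, hashlib.sha256).digest()

# Which protocol value each attacker capability from the message would reveal.
CAPABILITIES = {
    "compromise_pPAA": {"aaa_key_int"},      # the NAS compromise itself
    "sniff_MN_pPAA": {"session_id"},         # observe the MN-pPAA link
    "learn_nPAA_identity": {"npaa_id"},      # find out which PAA the MN moves to
    "sniff_MN_nPAA": {"paa_nonce", "pac_nonce"},  # read the unprotected PSR/PSA
}

# Everything the assumed derivation needs as input.
REQUIRED = {"aaa_key_int", "session_id", "npaa_id", "paa_nonce", "pac_nonce"}

# Map a set of capabilities to the protocol values the attacker would know.
def knowledge_from(capabilities):
    known = set()
    for cap in capabilities:
        known |= CAPABILITIES[cap]
    return known

# True if the attacker's knowledge closes over every KDF input.
def attacker_can_derive(capabilities):
    return REQUIRED <= knowledge_from(capabilities)

# The key the attacker would compute, or None if some input is missing.
def attacker_key(capabilities):
    if not attacker_can_derive(capabilities):
        return None
    return derive_aaa_key_new(AAA_KEY_INT, SESSION_ID, NPAA_ID, PAA_NONCE, PAC_NONCE)

# List the capabilities that must be added to a bare NAS compromise; this is the gap
# between "compromise of a single NAS" and actually recovering AAA-Key-new.
def extra_capabilities_needed(base=("compromise_pPAA",)):
    missing = REQUIRED - knowledge_from(base)
    return sorted(cap for cap, gives in CAPABILITIES.items() if gives & missing)

if __name__ == "__main__":
    print("single NAS compromise suffices:", attacker_can_derive({"compromise_pPAA"}))
    print("extra capabilities needed:", extra_capabilities_needed())
    print("full capability set yields key:", attacker_key(set(CAPABILITIES)) is not None)
```

Run as a script it answers the question the message poses: a pPAA compromise on its own yields nothing, and the attacker must additionally obtain the session-id, the nPAA identity and both nonces before the derived key becomes available.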

