Academic researchers from Ruhr-University Bochum, Germany, and the University of Opole, Poland, managed to break an IPsec VPN connection using a 20-year-old flaw in the protocol. The researchers exploited vulnerabilities in certain implementations of the Internet Key Exchange version 1 protocol (IKEv1 for short) in firewalls and networking equipment that support IPsec VPN tunnels.
The researchers found that IKEv1 was vulnerable to a two-decade-old attack technique known as Bleichenbacher's oracle attack; the technique is named after Swiss cryptographer Daniel Bleichenbacher, who discovered it in 1998.
What Is IPsec?
Internet Protocol Security, or IPsec, is an extension of the Internet Protocol (IP) designed to provide private and secure communication over IP networks through cryptography. Specifically, it authenticates and encrypts the packets of data sent over an IPv4 network.
What Is IKE?
In order to establish an encrypted connection using IPsec, both ends of the connection must define, share, and authenticate the keys used for encryption and decryption. Think of keys as the secret values that drive the mathematical formulas used to encrypt and decrypt messages. This process can be carried out using the Internet Key Exchange protocol.
IKE consists of two phases. In phase 1, initial authenticated keying material is established between two peers; this phase, known as the handshake, is used to establish trust between the peers. In phase 2, further keys are derived from that material for the individual IP-based connections between the two.
The attack focuses on phase 1.
IKEv1 can use one of four authentication methods in phase 1: two RSA-encryption-based methods, one signature-based method, and one pre-shared-key-based method.
The attack works on RSA encryption-based methods.
We must note that although the IKE version in question is old and has largely been replaced by a newer version, IKEv2, it is still commonly implemented in operating systems and network equipment, including new devices.
How Does a Bleichenbacher’s Oracle Attack Work?
Servers are repeatedly sent an encrypted message that has been deliberately malformed. From the server's replies to these corrupted messages, attackers can gradually learn the encrypted content. In other words, the attack involves sending ciphertext to a device and gleaning information about its plaintext from the device's response.
When used against IKEv1, the attack can be used to recover the plaintext of the secret nonces exchanged during a handshake. Nonces are unique numbers used in an authentication protocol to ensure that old messages cannot be reused in replay attacks. With the decrypted nonces, the attackers can break the RSA-encrypted authentication in IKE's phase 1.
In layman's terms, the method lets the attackers complete the handshake, impersonate an IKE device, and assume the identity of one of the two parties.
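The following added example illustrates the two preceding explanations: why a responder that answers differently to a malformed RSA-encrypted payload acts as an oracle, and what the mitigated behaviour looks like. It is written for this article and is not the researchers' code or any vendor's IKE implementation. The key pair is a constructed toy (Mersenne primes 2^127-1 and 2^89-1, giving a 216-bit modulus, far too small for real use), the nonce is a constructed 16-byte value, and the two responder functions are hypothetical stand-ins for the phase 1 handling of an RSA-encrypted nonce.

```python
# Added illustration of a padding oracle, written for this article; it is not the
# researchers' code and not any vendor's IKE implementation. The key pair is a
# constructed toy (Mersenne primes 2^127-1 and 2^89-1, ~216-bit modulus), far too
# small for real use but enough to show the mechanism.
import secrets

P = (1 << 127) - 1                 # constructed toy prime
Q = (1 << 89) - 1                  # constructed toy prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)
K = (N.bit_length() + 7) // 8      # modulus length in bytes (27 here)
NONCE_LEN = 16                     # toy nonce size; K - 11 is the PKCS#1 v1.5 maximum


def pkcs1_pad(msg: bytes) -> bytes:
    """PKCS#1 v1.5 encryption block: 00 02 <at least 8 non-zero random bytes> 00 <msg>."""
    pad_len = K - 3 - len(msg)
    if pad_len < 8:
        raise ValueError("message too long for this modulus")
    pad = b""
    while len(pad) < pad_len:
        b = secrets.token_bytes(1)
        if b != b"\x00":
            pad += b
    return b"\x00\x02" + pad + b"\x00" + msg


def pkcs1_unpad(em: bytes):
    """Return the payload if the block is well-formed, otherwise None."""
    if em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:                   # no separator (-1) or fewer than 8 pad bytes
        return None
    return em[sep + 1:]


def encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_pad(msg), "big"), E, N)


def raw_decrypt(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


def blind(c: int, s: int) -> int:
    """RSA malleability: this ciphertext decrypts to (s * m) mod N.
    The attack described in the article probes the responder with such values."""
    return (c * pow(s, E, N)) % N


# --- two hypothetical phase 1 responders receiving an RSA-encrypted nonce ---

def leaky_responder(c: int) -> str:
    """Vulnerable: a malformed block produces a reply distinguishable from success."""
    nonce = pkcs1_unpad(raw_decrypt(c))
    if nonce is None:
        return "error: malformed payload"    # this distinct reply *is* the oracle
    return "continue"                        # handshake proceeds (would fail later on key mismatch)


def hardened_responder(c: int) -> str:
    """Mitigated: on padding failure, continue with a random nonce so the handshake
    fails later exactly as it would for any wrong key (the TLS countermeasure from
    RFC 5246 section 7.4.7.1, applied here to the IKE nonce). Both code paths should
    also take the same time; this toy does not attempt to enforce that."""
    nonce = pkcs1_unpad(raw_decrypt(c))
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    return "continue"


def responses_vary(responder, c: int) -> bool:
    """Does probing with blinded ciphertexts yield more than one kind of reply?
    s = 1 leaves the block intact; for the other small s values the 0x02 marker
    byte is shifted (no modular wrap occurs), so the block is malformed."""
    return len({responder(blind(c, s)) for s in (1, 2, 3, 5, 7, 11)}) > 1


if __name__ == "__main__":
    c = encrypt(b"nonce-0123456789")     # constructed 16-byte nonce
    print("leaky responder leaks:   ", responses_vary(leaky_responder, c))     # True
    print("hardened responder leaks:", responses_vary(hardened_responder, c))  # False
```

The point to take from the two responders is that the padding check itself is not the defect; the defect is letting its outcome change what the peer can observe. Detection on the network side follows the same logic: a burst of phase 1 exchanges from one source that repeatedly ends in decryption or payload errors is the signature of an oracle being probed.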