SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Encryption/VPN)  >   Dell SonicWALL Vendors:   SonicWALL
(Technical Clarifications) Re: The VPN Implementation on SonicWALL's Tele2 and SOHO Firewalls Uses Weak IKE Authentication Keys
SecurityTracker Alert ID:  1001190
SecurityTracker URL:  http://securitytracker.com/id/1001190
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 28 2001
Impact:   Disclosure of authentication information, Disclosure of system information

Version(s): firmware version 6.0.0.0
Description:   A vulnerability has been discovered in the VPN implementation of SonicWALL's Tele2 and SOHO firewalls that uses short IKE pre-share key sizes.

A user writes to clarify that the pre-shared IKE key is used only for authentication, not to encrypt data. The user notes that "it's deeply unclear as to whether even very VERY weak pre-shared keys materially affect the entropy in the resultant keying material."

Impact:   The impact of this vulnerability may be minimal, according to a user (see the source message).
Solution:   No solution was available at the time of this entry. However, the vendor is working on a firmware fix.
Vendor URL:  www.sonicwall.com (Links to External Site)
Cause:   Authentication error

Message History:   This archive entry is a follow-up to the message listed below.
Mar 28 2001 The VPN Implementation on SonicWALL's Tele2 and SOHO Firewalls Uses Weak IKE Authentication Keys



 Source Message Contents

Subject:  Re: SonicWall IKE pre-shared key length bug and security concern


> -----Original Message-----
> From: Steven Griffin [mailto:sgriffin@BAYSTARCAPITAL.COM]
> Sent: Wednesday, March 28, 2001 6:34 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: SonicWall IKE pre-shared key length bug and security concern
>
>
> I have recently found a bug in the latest firmware
> (6.0.0.0) of SonicWall's Tele2 and SOHO firewalls.
>
> Product details:
> http://www.sonicwall.com/products/tele/details.html
> http://www.sonicwall.com/products/soho/details.html
>
> Bug disovery:
> I was recently configuring the Tele2 and SOHO
> versions of these firewalls[...]
> During my configuration setup I noticed that I
> could not configure an IKE pre-shared key longer
> than 48 bytes.  [...]
[...]
> Security concern:
> Obviously the limitation of using only a  48 byte key
> as opposed to using a full 128 byte key degrades the
> overall security of the firewall.

The "pre-shared key" here is only used for authentication, and never used to
encrypt data. It _does_ play a small part in the IKE keying material, but
it's deeply unclear as to whether even very VERY weak pre-shared keys
materially affect the entropy in the resultant keying material.

In plain terms: 3DES is actually a 168-bit key. The "shared key" entered
when configuring ISAKMP has nothing to do with this key. In any case, 48
bytes is (usually) 384 bits.

The only risk to having a weak "shared key" is an authentication attack,
however a random typeable "key" of even 20-30 characters should have
"enough" entropy for most applications. 48 _bytes_ of pre-shared key is
massive. I don't think an implementation that chooses to cap the shared
secret at 48 characters can be considered "buggy". I'm surprised that
Sonicwall acknowledged it as such, and even more surprised that they're
rushing a fix.

> Workarounds:
> Do not use pre-shared keys. Use certificates, your
> own or from a third party CA, instead.

Good idea. However we're talking about strong authentication here, not
strong encryption.

>
> If you must use pre-shared keys:
>   Use only static gateway addresses if possible.
>   Use a different key for each gateway.
>   Turn on Perfect Forwared Secrecy.
>   Set your key expiration time to a shorter interval.

All good advice. One more thing - if you're using 3DES for your encryption
algorithm for IKE then you should probably not be using DH group 1, as in
your config. I'd personally use Group 2, but Elliptic Curve fans may differ.

[...]
> Disclaimer and closing:
> I must say that I am not a security expert and I do not
> claim to be one.  My opinions are my own.  Use my
> opinions and the information in this posting at your
> own risk.  My intention for posting this information is
> to inform the BugTraq community about a possible
> security concern.
>
> Steven Griffin
> sgriffin@baystarcapital.com

This doesn't appear to be a bug. It's an implementation choice (and not even
a bad one, IMO). 3DES provides about 112 "bits worth" of security. 48 bytes
of pre-shared key provides much more than 112 "bits worth" of entropy with a
well-chosen key so it's not a weak link.

Regards,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC