
Re: Clogging attacks on SKIP




Aziz and others,

> >An attacker could abuse this mechanism by simply sending many
> >packets with different source addresses. Poor $r$ would have
> >to buffer all of these packets as well as engage in asking
> >for master keys for all of them, verifying,...
> >
> >Q: doesn't this attack hold for all methods?
> >A: Well, in any method the attacker can pretend to initiate
> >the key exchange, that's true. But in SKIP packets are sent
> >immediately following the key exchange, and there is no
> >negotiation mechanism so $r$ cannot limit the number of
> >concurrent key exchanges.
>
> This isn't true. The receiver always knows when it
> is computing a new DH derived key, and therefore
> can keep a count of the number of such concurrent
> activities it is willing to tolerate. Same as
> the case for interactive key management.

Of course the receiver can count the number of key exchanges it engages in and
discard any more... You missed my point rather than finding me untrue :-)
The problem is that if the receiver is deciding it is too busy, the sender
is unaware of this, and continues sending messages. If the receiver is just
dropping all of them, this is as severe a denial of service as any you'll get.
This is not the case with the interactive scheme, where the sender is aware
that the receiver has not agreed to a key and therefore would not spend
resources sending the packets.

Also, with the interactive schemes, esp. Photuris, the overhead for the
receiver for checking the incoming request is much much less than in
SKIP.

And...

> Second, playback of legitimate old packets can occur within
> a session for interactive key-management cases as well.
> As soon as an attacker has one legitimate packet, that
> packet can be repeatedly played back for the duration of the
> session. The only way to prevent this for the interactive
> case is to use sequencing as well.
>

Agreed, however in the interactive scheme there is no damage except the
replay of the packet. In SKIP, this makes caching more keys and reduces
efficiency.

Best, Amir
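
The disagreement in this message, modelled as an added example (not code from the thread, nor from SKIP or Photuris): a receiver that caps concurrent DH key computations, as the quoted reply suggests, and what a legitimate sender spends in each scheme once that cap is reached. The class and function names, the cap of 16 and the packet counts are assumptions, and key computations are assumed not to complete during the run.

```python
from dataclasses import dataclass, field


@dataclass
class Receiver:
    """Receiver r with a cap on concurrent master-key (DH) computations."""
    max_pending: int
    pending: set = field(default_factory=set)  # sources with key work in flight
    dropped: int = 0                           # data packets silently discarded

    def admit(self, src: str) -> bool:
        """True if r is already working on, or agrees to start, a key for src."""
        if src in self.pending:
            return True
        if len(self.pending) < self.max_pending:
            self.pending.add(src)
            return True
        return False

    def on_skip_packet(self, src: str) -> bool:
        """Non-interactive case: the data packet itself triggers the key work."""
        ok = self.admit(src)
        if not ok:
            self.dropped += 1  # no feedback reaches the sender
        return ok

    def on_key_request(self, src: str) -> bool:
        """Interactive case: explicit request, and the sender sees the answer."""
        return self.admit(src)


def run(mode: str, spoofed: int = 100, cap: int = 16, data_packets: int = 50) -> dict:
    r = Receiver(max_pending=cap)
    # Constructed load: traffic claiming many distinct source addresses.
    for i in range(spoofed):
        (r.on_skip_packet if mode == "skip" else r.on_key_request)(f"src-{i}")
    sent = 0
    if mode == "skip":
        for _ in range(data_packets):  # sender cannot tell that r is saturated
            sent += 1
            r.on_skip_packet("legit")
    elif r.on_key_request("legit"):    # interactive sender waits for agreement
        sent = data_packets
    return {"pending": len(r.pending), "sent_by_legit": sent, "dropped_at_r": r.dropped}


if __name__ == "__main__":
    for mode in ("skip", "interactive"):
        print(mode, run(mode))
```

In both runs the cap holds the receiver's key work at 16 entries; the difference is in `sent_by_legit` and `dropped_at_r`, which is the cost the message attributes to the sender not knowing the receiver is busy.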



