
Re: AH-MD5



Perry Metzger:
>
>Hilarie Orman:
>> The security provided to IP depends on the MD5 algorithm.  The security
>> of the MD5 algorithm depends on the structure of the IP datagram.  This
>> is a dependency loop, the sort of thing that one tries to avoid in
>> secure software design.
>
> If MD5 is a strong hash algorithm, then it should be impossible for an
> attacker to produce another text that has the same hash. That means
> that it should be impossible for an attacker to replace contents of
> the packet -- including the length -- without it being noticed. The
> attacker could replace the hash, but without knowing the key that
> should not be possible. The attacker could steal the packet and
> replace it with one with an extension of the plaintext and a hash
> derived from the original hash by extension, but then they would have
> to hack the length. If anyone can concretely think of something we
> haven't thought of here, please mention it.

I'm usually just a lurker, but how about the following scenario.

Say we have two protocols -- IP, and XXP.  XXP was invented in 1999.
Just by coincidence that nobody thought of, it is possible with
protocol XXP to cause a packet to emerge that looks like a valid
IP packet (but isn't) and seems to have a long IP length field.
Then the resulting XXP packet, authenticated with an MD5 checksum,
may be vulnerable to a variety of append attack to "fill out" the
rest of the "pretend-IP" packet to be something dangerous.

Charlie P.
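The "hash derived from the original hash by extension" that the reply above alludes to is the MD5 length-extension property, and it is what makes Charlie's append scenario concrete. The following is an added example, not code from anyone in this thread and not the construction of any particular AH draft or RFC: it assumes the prefix form MD5(key || data), where the 128-bit tag is exactly the hash's internal chaining value after absorbing key, data and MD5's own padding. An attacker who knows the tag, the data and only the length of the key (not the key itself) can resume the hash from that state and produce a valid tag for data || padding || suffix. Because hashlib does not let you set the chaining value, the block carries its own minimal MD5 (RFC 1321 constants); the key and datagram bytes are constructed for the demonstration and are not real traffic.

```python
"""Length-extension forgery against a prefix-keyed MD5 tag, MD5(key || data).

Added example (not from the thread): a minimal MD5 whose compression can be
resumed from an arbitrary chaining value, which is what the extension needs
and what hashlib does not expose.
"""
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
# Per-round rotation amounts and sine-derived additive constants from RFC 1321.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]
INIT_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_padding(total_len):
    """Bytes MD5 appends to a total_len-byte message: 0x80, zeros to 56 mod 64, 64-bit LE bit count."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def _compress(state, block):
    """One MD5 compression of a 64-byte block into the four-word chaining state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | (~d & MASK32)), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK32
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))


def md5_digest(data, state=INIT_STATE, already_absorbed=0):
    """MD5 of data. With state/already_absorbed set, continues a hash that has already
    consumed already_absorbed bytes (a multiple of 64) and reached chaining value
    `state`; the final padding encodes the *total* length, as the real hash would."""
    padded = data + md5_padding(already_absorbed + len(data))
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def extend_keyed_md5(tag, msg, key_len, suffix):
    """Given tag = MD5(key || msg) and only len(key), forge a tag for a longer message.
    Returns (forged_msg, forged_tag) such that forged_tag == MD5(key || forged_msg)."""
    glue = md5_padding(key_len + len(msg))      # padding the sender's MD5 consumed internally
    forged_msg = msg + glue + suffix            # the appended data; the glue bytes are visible
    state = struct.unpack("<4I", tag)           # the tag *is* the chaining value after key||msg||glue
    absorbed = key_len + len(msg) + len(glue)   # a multiple of 64 by construction
    return forged_msg, md5_digest(suffix, state, absorbed)


def demo_extension_attack():
    """Constructed sample: key and datagram bytes are made up for this example."""
    key = b"hypothetical-ah-key"          # never seen by the attacker; only its length is used
    datagram = b"IP datagram as sent"     # the authenticated original
    suffix = b"attacker-appended bytes"   # what the attacker wants accepted as authentic
    tag = hashlib.md5(key + datagram).digest()              # what the sender emits
    forged_msg, forged_tag = extend_keyed_md5(tag, datagram, len(key), suffix)
    # A receiver recomputing MD5(key || forged_msg) with the real key accepts it.
    accepted = hashlib.md5(key + forged_msg).digest() == forged_tag
    # What did change is the length: an authenticated and *checked* length field is
    # the one thing standing between this forgery and acceptance.
    return accepted and len(forged_msg) > len(datagram) and forged_msg.endswith(suffix)


if __name__ == "__main__":
    print("forgery accepted:", demo_extension_attack())
```

Two things the run makes visible: the forged datagram is longer than the original and carries a block of padding bytes in the middle, so a receiver that compares an authenticated length field against the bytes actually received rejects it; and nothing in the forgery required the key, only its length, which is a small space to brute-force if unknown. That is why the reply above rests the argument on the length field, and why Charlie's scenario targets a packet whose declared length is already larger than its body.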

