problems with ESP with host-pair keying



As discussed at the IETF meeting, the proposed ESP protocol is insecure
if a single key is used for all connections between a given pair of
hosts and the attacker has access to that pair.  The flaw can be
exploited to read any encrypted data, and possibly to insert data
into encrypted sessions.

The flaw results from the nature of cipher block chaining (CBC), the
block cipher mode most natural for use with IP, and the one specified
(with DES) as the base standard.  Briefly, if a block is damaged in
transmission, on decryption it and the following block will be garbled
by the decryption process, but all subsequent blocks will be decrypted
correctly.  (For more details on this, see just about any cryptography
book.  Davies and Price's ``Security for Computer Networks'' gives a
particularly good treatment of this issue.)

The attack works by cutting and pasting cipher blocks.  The attacker
sends a UDP packet to the other machine, and picks up that packet with
a monitoring machine.  All of the encrypted portion except for the UDP
header (and anything leading up to it) is discarded.  When another
encrypted packet is sent between the same pair of machines, the
encrypted portion is glued onto the encrypted UDP header and reinjected
onto the net.  The receiving kernel will decrypt it -- it's using the
same key -- and as long as no integrity check was specified, the packet
will be passed up to user level.

A necessary and sufficient fix is to change ESP to mandate integrity-
checking with all vulnerable encryption modes.  Using per-user keying
or per-connection keying will help, but it is not in general sufficient,
since system services such as NFS remain vulnerable.  I hope to have
some concrete recommendations for a change within the next few days.

My slides are at ftp://ftp.research.att.com/dist/smb/hostpair.encrypt.ps


		--Steve Bellovin
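The CBC property the post relies on, and the integrity check it calls for, as an added demonstration that is not part of the original message. Assumptions: a keyed byte permutation stands in for DES (the resynchronisation behaviour comes from the chaining, not the cipher), a fixed IV is used for both packets, the first 8-byte block of each packet plays the role of the UDP header, and HMAC-SHA256 over the ciphertext is the integrity check (the post does not name one).

```python
import hashlib
import hmac

BLOCK = 8  # DES-sized blocks

def _keyed_sbox(key: bytes):
    # Toy stand-in for DES: a keyed byte permutation applied to each block.
    # Not a real cipher; CBC error propagation depends only on the chaining.
    order = sorted(range(256), key=lambda b: hashlib.sha256(key + bytes([b])).digest())
    inv = [0] * 256
    for i, v in enumerate(order):
        inv[v] = i
    return bytes(order), bytes(inv)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    sbox, _ = _keyed_sbox(key)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = bytes(sbox[x] for x in _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    _, inv = _keyed_sbox(key)
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(bytes(inv[x] for x in c), prev))
        prev = c  # the previous *ciphertext* block: damage affects only two blocks
    return b"".join(out)

def resync_demo(key: bytes, iv: bytes):
    # Constructed packets: block 0 is the "UDP header", the rest is payload.
    ct_a = cbc_encrypt(key, iv, b"HDR-A..." + b"payloadA")
    ct_b = cbc_encrypt(key, iv, b"HDR-B..." + b"secret01" + b"secret02")
    spliced = ct_a[:BLOCK] + ct_b[BLOCK:]  # A's header block in front of B's payload
    pt = cbc_decrypt(key, iv, spliced)
    # Block 0 is A's header, block 1 is garbled, block 2 onward is B's plaintext.
    return pt[:BLOCK], pt[BLOCK:2 * BLOCK], pt[2 * BLOCK:]

def mac_tag(mac_key: bytes, ct: bytes) -> bytes:
    return hmac.new(mac_key, ct, hashlib.sha256).digest()

def accept(mac_key: bytes, ct: bytes, tag: bytes) -> bool:
    # The integrity check the post calls for: any spliced ciphertext is rejected.
    return hmac.compare_digest(mac_tag(mac_key, ct), tag)
```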