
Re: Bellovin's attack



I think this problem needs a bit more discussion before
we can decide that mandating integrity checks with ESP
is the right solution. I believe that Phil Rogaway is
correct that there is no reason to believe that adding
MACs will solve the problem in general.

Consider the following modified attack against UDP-based apps.

LA sends UDP traffic to a UDP port (say Pb) that LB is 
listening on. Attacker records all encrypted UDP traffic. 
For this attack, the traffic may also be authenticated 
using MACs.

After LB's listener on Pb goes away, and prior to host
session key renegotiation, attacker binds to the same
port (Pb), which she can do since the earlier UDP receiver
has gone away. Now attacker can simply play back the
recorded encrypted/authenticated UDP traffic, and start
receiving that in the clear on Pb.

Adding MACs to encrypted traffic does not protect against
this class of attacks on UDP traffic, because the traffic
was never modified. This attack is harder to mount against TCP
apps, because of the TCP state machine. But this attack is bad
enough if, e.g., it was a UDP-based app used for secure
conferencing (audio/video).

I'll also observe that this attack does not require attaining
any special privilege on the machine (e.g. root access),
or knowledge of the per host key.

I believe that this scenario merits consideration, before
we decide to mandate integrity checking with encryption.

Regards,
Ashar.
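The replay described in the message above, worked through as an added example (this is not code from the original message or from any IPsec implementation). It simulates a host's ESP layer with a shared per-host key: the "cipher" is a toy HMAC-SHA256 keystream standing in for a real one, and the packet layout (port, optional 32-bit sequence number, IV, ciphertext, HMAC tag) is an assumption made for the simulation. The attacker records authenticated datagrams, waits for LB's listener on Pb to go away, binds Pb herself, and replays; every replayed packet passes the MAC check and she receives the payload in the clear. The same run with a sequence number and a sliding anti-replay window, of the kind later standardized for ESP (RFC 2401/4303), rejects all of the replays.

```python
"""Constructed simulation of replaying MAC-protected UDP datagrams to a
re-bound port. Toy crypto only; not real IPsec."""
import hashlib
import hmac
import os

TAG_LEN = 32


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Stand-in for a real cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def esp_seal(enc_key, mac_key, port, payload, seq=None):
    """Encrypt then MAC one datagram. seq=None models ESP with no replay counter."""
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, iv, len(payload))))
    hdr = port.to_bytes(2, "big") + (b"" if seq is None else seq.to_bytes(4, "big"))
    body = hdr + iv + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def esp_open(enc_key, mac_key, pkt, sequenced=False):
    """Verify the MAC and decrypt. Returns (port, seq, plaintext) or None on bad MAC."""
    body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None
    port = int.from_bytes(body[:2], "big")
    off, seq = 2, None
    if sequenced:
        seq, off = int.from_bytes(body[2:6], "big"), 6
    iv, ct = body[off:off + 16], body[off + 16:]
    return port, seq, bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))


class Host:
    """A host's ESP layer plus its UDP port table. Whoever has bound a port gets
    the decrypted payload. replay_window=False is the MAC-only case."""
    def __init__(self, enc_key, mac_key, replay_window=False):
        self.enc_key, self.mac_key, self.replay_window = enc_key, mac_key, replay_window
        self.ports = {}     # port -> plaintexts delivered to the current binder
        self.last_seq = 0   # anti-replay state for the SA: highest seq accepted
        self.seen = 0       # bitmap of accepted seqs; bit i == last_seq - i

    def bind(self, port):
        self.ports[port] = []

    def unbind(self, port):
        self.ports.pop(port, None)

    def _accept_seq(self, seq, window=64):
        """Sliding-window anti-replay check (RFC 2401/4303 style)."""
        if seq > self.last_seq:
            self.seen = ((self.seen << (seq - self.last_seq)) | 1) & ((1 << window) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= window or (self.seen >> diff) & 1:
            return False        # too old, or already accepted once
        self.seen |= 1 << diff
        return True

    def receive(self, pkt):
        r = esp_open(self.enc_key, self.mac_key, pkt, sequenced=self.replay_window)
        if r is None:
            return "bad_mac"
        port, seq, pt = r
        if self.replay_window and not self._accept_seq(seq):
            return "replay"
        if port not in self.ports:
            return "no_listener"
        self.ports[port].append(pt)
        return "delivered"


def run_attack(sequenced):
    """LA -> LB on port Pb, attacker records, LB's listener exits, attacker binds Pb
    and replays. Returns (what LB's app got, per-replay verdicts, what attacker got)."""
    enc_key, mac_key, pb = os.urandom(32), os.urandom(32), 5004
    lb = Host(enc_key, mac_key, replay_window=sequenced)
    lb.bind(pb)                                   # LB's conferencing app listens on Pb
    frames = [b"audio-frame-1", b"audio-frame-2", b"audio-frame-3"]  # constructed data
    recorded = []                                 # attacker's passive capture
    for i, frame in enumerate(frames, 1):
        pkt = esp_seal(enc_key, mac_key, pb, frame, seq=i if sequenced else None)
        recorded.append(pkt)
        lb.receive(pkt)
    legit = list(lb.ports[pb])
    lb.unbind(pb)                                 # listener goes away, host key unchanged
    lb.bind(pb)                                   # attacker binds Pb; no privilege needed
    verdicts = [lb.receive(p) for p in recorded]  # replay the recorded datagrams
    return legit, verdicts, list(lb.ports[pb])
```

Run `run_attack(False)` and every replayed datagram is "delivered" to the attacker's socket with the original audio frames, exactly because the MAC still verifies on unmodified traffic; `run_attack(True)` returns "replay" for each one and the attacker receives nothing. The window check is per security association, so it only helps if the sequence number is covered by the MAC, as it is here.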