Re: Bellovin's and Ashar's attacks
>
> A lot depends on our assumptions. For TCP, it's probably feasible, so
> long as rekeying occurs more frequently than the TIMEWAIT period. For
> UDP, there's no mandatory dead time in the protocol. I strongly suspect
> that we absolutely must use very rapid key changes, though -- per user
> (though with AH+ESP for some services), per packet (a la SKIP), or per
> socket. Nothing less seems to guard adequately against both replay attacks
> and the CBC cut-and-paste attack that I outlined.
>
I agree that rapid rekeying is a good idea. However, it isn't sufficient for
all cases.
By the way, the replay attack Ashar suggests relies on the ability of an
intruder running on a machine to discover which port to use to receive the
replayed traffic. Since ESP hides this information in the encrypted
part, the intruder must use indirect methods to discover it.
Dan
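
An added example, not part of the original message or of the IPsec drafts it discusses, showing why CBC encryption without an integrity check permits the cut-and-paste splice mentioned above, and where rekeying does and does not help. The block cipher is a toy 4-round Feistel network with an HMAC-SHA256 round function, assumed here only so the code runs on the Python standard library (it stands in for DES-CBC); the packet contents, the 16-byte field layout, the keys and the AH-style HMAC check are all constructed for the demonstration and are not taken from any specification.

```python
import hashlib
import hmac

BLOCK = 16
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the toy Feistel cipher (assumed stand-in for DES).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation on one 16-byte block; CBC chaining is the point.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "example plaintexts are pre-padded"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))  # P_i = D(C_i) xor C_(i-1)
        prev = cur
    return b"".join(out)


# Constructed sample payloads: one 16-byte field per CBC block.
PKT_A = b"DST=ALICE:00080 " + b"CMD=GET /index  " + b"DATA=hello alice"
PKT_B = b"DST=MALRY:04444 " + b"CMD=PUT /etc/pwd" + b"DATA=evil-data  "
assert len(PKT_A) == len(PKT_B) == 3 * BLOCK


def cut_and_paste(ct_a: bytes, ct_b: bytes, keep: int) -> bytes:
    """Attacker splice, no key needed: A's first `keep` blocks, then B's tail.

    Decrypting CBC block i needs only ciphertext block i-1, so every spliced
    block except the one at the seam decrypts exactly as the sender wrote it."""
    return ct_a[:keep * BLOCK] + ct_b[keep * BLOCK:]


def auth_tag(auth_key: bytes, iv: bytes, ct: bytes) -> bytes:
    # AH-style integrity check over what is actually on the wire (IV + ciphertext).
    return hmac.new(auth_key, iv + ct, hashlib.sha256).digest()


def run_demo() -> dict:
    enc_key = hashlib.sha256(b"constructed ESP key, epoch 1").digest()
    auth_key = hashlib.sha256(b"constructed AH key").digest()
    iv_a, iv_b = bytes(range(16)), bytes(range(16, 32))

    ct_a = cbc_encrypt(enc_key, iv_a, PKT_A)
    ct_b = cbc_encrypt(enc_key, iv_b, PKT_B)

    # 1. Cut-and-paste within one key epoch: A's DST block, B's body.
    forged = cut_and_paste(ct_a, ct_b, keep=1)
    pt = cbc_decrypt(enc_key, iv_a, forged)

    # 2. Same splice, but B was sent after a rekey (per-packet key, SKIP style).
    enc_key2 = hashlib.sha256(b"constructed ESP key, epoch 2").digest()
    ct_b2 = cbc_encrypt(enc_key2, iv_b, PKT_B)
    pt_rekeyed = cbc_decrypt(enc_key, iv_a, cut_and_paste(ct_a, ct_b2, keep=1))

    # 3. Replay of A after the receiver has moved to the new key.
    pt_replay = cbc_decrypt(enc_key2, iv_a, ct_a)

    # 4. Integrity check over the wire bytes rejects the splice outright.
    tag_a = auth_tag(auth_key, iv_a, ct_a)
    forged_ok = hmac.compare_digest(tag_a, auth_tag(auth_key, iv_a, forged))

    return {
        "header_kept": pt[:BLOCK] == PKT_A[:BLOCK],                      # True
        "seam_garbled": pt[BLOCK:2 * BLOCK] != PKT_B[BLOCK:2 * BLOCK],   # True
        "body_injected": pt[2 * BLOCK:] == PKT_B[2 * BLOCK:],            # True
        "rekey_blocks_splice": pt_rekeyed[2 * BLOCK:] != PKT_B[2 * BLOCK:],  # True
        "rekey_blocks_replay": pt_replay != PKT_A,                       # True
        "mac_accepts_forgery": forged_ok,                                # False
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the six checks. The seam block is garbled unconditionally, because decrypting a CBC block XORs in the previous ciphertext block and the attacker replaced that block; every block after the seam is chained to a predecessor from the same packet, so it decrypts exactly as its sender encrypted it, which is what puts B's DATA field into a packet carrying A's DST field. Rekeying between the two packets, or between the original transmission and a replay, turns every B-derived block into garbage, but two packets protected under the same key remain spliceable for as long as that key lives, so the MAC over the wire bytes is the check that actually rejects the forgery.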