
Re: Bellovin's and Ahar's attacks



   From: smb@research.att.com
   Date: Wed, 12 Apr 95 15:28:42 EDT

   I strongly suspect
   that we absolutely must use very rapid key changes, though -- per user
   (though with AH+ESP for some services), per packet (a la SKIP), or per
   socket.  Nothing less seems to guard adequately against both replay attacks
   and the CBC cut-and-paste attack that I outlined.

What would happen if we required that every single encrypted packet be
also integrity protected?  Wouldn't that mean that the cut-and-paste
attack would fail, since the kernel would see that the integrity check
failed, and thus refuse to pass the decrypted data back up to the user?

To prevent the UDP attack of another user binding to the same UDP socket
and playing back the exact same packet, we'd also need per-user keying.

But it seems to me that protecting against these attacks is doable.
What am I missing?

							- Ted
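The point Ted raises can be checked concretely. The following is an added example, not code from the thread or from any IPsec implementation: a small CBC mode over a constructed Feistel toy cipher (a stand-in for DES, built from SHA-256 so it runs with the standard library), an HMAC over IV and ciphertext playing the role of the authentication data, and a receiver that either checks the tag before decrypting or does not. Key, packet contents and the names esp_receive and cut_and_paste_outcome are all assumptions for the demonstration.

```python
import hashlib, hmac
BLOCK = 16  # block size of the constructed toy cipher, in bytes

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, rnd): return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]  # toy Feistel round

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, right, rnd))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, left, rnd)), left
    return left + right

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):  # P_i = D(C_i) xor C_{i-1}: each block depends on two ciphertext blocks
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def esp_receive(enc_key, auth_key, iv, ct, tag, require_integrity):
    # With the check mandatory, a bad tag drops the packet; nothing decrypted reaches the socket.
    if require_integrity:
        expected = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
    return cbc_decrypt(enc_key, iv, ct)

def cut_and_paste_outcome(require_integrity):
    # Two packets under one key (constructed data); the tail of B is pasted onto the head of A.
    enc_key, auth_key, iv = b"K" * 16, b"A" * 16, b"\x00" * 16
    pkt_a = b"HELLO user=bob  " + b"role=guest      " + b"cmd=read file   "
    pkt_b = b"HELLO user=root " + b"role=admin      " + b"cmd=delete file "
    ct_a, ct_b = cbc_encrypt(enc_key, iv, pkt_a), cbc_encrypt(enc_key, iv, pkt_b)
    tag_a = hmac.new(auth_key, iv + ct_a, hashlib.sha256).digest()
    spliced = ct_a[:BLOCK] + ct_b[BLOCK:]  # block 1 decrypts to garbage, block 2 to B's plaintext
    return esp_receive(enc_key, auth_key, iv, spliced, tag_a, require_integrity)
```

Without the check, the receiver hands up a buffer whose first and last blocks are valid plaintext (one from each packet) with a single garbled block between them; with the check mandatory, the same spliced packet is dropped before decryption.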
