[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bellovin's and Ashar's attacks

To: "Housley, Russ" <housley@spyrus.com>
Subject: Re: Bellovin's and Ashar's attacks
From: smb@research.att.com
Date: Fri, 14 Apr 95 14:27:04 EDT
Cc: linehan@watson.ibm.com, rja@bodhi.cs.nrl.navy.mil, Danny.Nessett@eng.sun.com, ipsec@ans.net

	The attacks we've been talking about for the last few days are
	unrealistic.  As pointed out by Steve Bellovin, a simple replay
	is difficult to counter because the the legitimate user and the
	attacker can occupy the same end point at different times. I
	think the situation is worse that indicated by Steve.  If the
	attacker has access to a machine behind the firewall, then that
	attacker can simply listen to the plaintext traffic as it is
	sent from that host to the firewall. There is not reason to
	mount a complex replay attach -- just listen.  I do not want to
	add a huge amount of complexity to protect against an attacker
	who can read the traffic before it even gets protected.  If we
	want to protect data from other users of the same host, then
	the encryption better be applied before it is tranmitted at
	all.  In other words, not firewall crypto.

Router crypto can be used in several different ways; depending on
your assumptions, different attacks may be possible.  Consider, for
example, an Internet service provider who offers shell acounts.  (There
are many such.)  They may have a cluster of machines with a single
high-end crypto box -- indeed, users may be assigned to an arbitrary
box at login time.  In this case, though, the users have no access to
the physical cable plant -- but they can park themselves on arbitrary
ports.

Looked at more generically, the attacks we've been discussing involve
two different shared resources:  the host (for my CBC cut-and-paste
attack, and the cable/router complex.  If your enemies are only on the
local machine, as above, the wiring isn't at issue.  If your enemies
are only outside the crypto box -- which is the case for many
departmental LANs -- then router-based crypto is perfectly acceptable,
and the risks we've been exploring here don't apply.  (This case --
which I regard as common -- is why I use the term ``router-based
crypto'' instead of ``firewall''.  My departmental LAN is, as I've said
before, a single multiprocessor machine with a funny backplane.  (In
deference to those who've switched to other physical media, I'll delete
my usual description of ``long skinny yellow backplane.)) If your
wiring is exposed, you have to move the crypto back to the host.

Prev by Date: Re: Bellovin's and Ahar's attacks
Next by Date: Re: Bellovin's and Ashar's attacks
Prev by thread: Re: Bellovin's and Ashar's attacks
Next by thread: Re: Bellovin's and Ashar's attacks
Index(es):
- Main
- Thread