[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bellovin's and Ashar's attacks

To: smb@research.att.com
Subject: Re: Bellovin's and Ashar's attacks
From: "Housley, Russ" <housley@spyrus.com>
Date: Mon, 17 Apr 95 05:29:29
Cc: ipsec@ans.net
Encoding: 2993 Text



    The attacks we've been talking about for the last few days are 
    unrealistic.  As pointed out by Steve Bellovin, a simple replay is 
    difficult to counter because the the legitimate user and the attacker 
    can occupy the same end point at different times. I think the situation 
    is worse that indicated by Steve.  If the attacker has access to a 
    machine behind the firewall, then that attacker can simply listen to 
    the plaintext traffic as it is sent from that host to the firewall. 
    There is not reason to mount a complex replay attach -- just listen.  I 
    do not want to add a huge amount of complexity to protect against an 
    attacker who can read the traffic before it even gets protected.  If we 
    want to protect data from other users of the same host, then the 
    encryption better be applied before it is tranmitted at all.  In other 
    words, not firewall crypto.

  Router crypto can be used in several different ways; depending on your 
  assumptions, different attacks may be possible.  Consider, for
  example, an Internet service provider who offers shell acounts.  
  (There are many such.)  They may have a cluster of machines with a 
  single high-end crypto box -- indeed, users may be assigned to an 
  arbitrary box at login time.  In this case, though, the users have no 
  access to the physical cable plant -- but they can park themselves on 
  arbitrary ports.

They can also run arbitrary programs, including sniffers.

  Looked at more generically, the attacks we've been discussing involve 
  two different shared resources:  the host (for my CBC cut-and-paste 
  attack, and the cable/router complex.  If your enemies are only on the 
  local machine, as above, the wiring isn't at issue.  If your enemies 
  are only outside the crypto box -- which is the case for many 
  departmental LANs -- then router-based crypto is perfectly acceptable, 
  and the risks we've been exploring here don't apply.  (This case -- 
  which I regard as common -- is why I use the term ``router-based 
  crypto'' instead of ``firewall''.  My departmental LAN is, as I've 
  said before, a single multiprocessor machine with a funny backplane.  
  (In deference to those who've switched to other physical media, I'll 
  delete my usual description of ``long skinny yellow backplane.)) If 
  your wiring is exposed, you have to move the crypto back to the host.
  
In the case of the shared host, we need to ensure that the protocol 
conveys information necessary to prevent leakage when the enemies 
serially reuse the same resource, a port in the recent examples.  
discading the key when the port is closed sounds great.  Better yet, 
Discard the key and tell the other key management daemon that you did 
it.

In the shared comms case, I have a real hard time.  If your enemy is 
sharing the comms between you and your crypto, then you shouldn't bther 
with the crypto at all.

Russ

Follow-Ups:

Re: Bellovin's and Ashar's attacks

From: " " <amir@watson.ibm.com>

Prev by Date: analysis thus far
Next by Date: Re: analysis thus far
Prev by thread: Re: Bellovin's and Ashar's attacks
Next by thread: Re: Bellovin's and Ashar's attacks
Index(es):
- Main
- Thread