
Re: replay attacks



> [ ... email about using TCP sequence numbers to avoid replays ... ]

IMHO TCP sequence numbers are not the right way to avoid replays:

* TCP sequence numbers were designed to handle unintended, unwanted
  network errors: they were NOT designed with an adversary in mind
* other protocols (e.g. UDP) deserve replay protection too
* TCP sequence numbers wrap too quickly (though there are workarounds)

> > The real problem though is that every time a machine reboots you are
> > supposed to come up with a random number for the initial sequence
> > number. It is unclear how many TCP's actually do this. Thus you may
> > be able to predict a priori what the sequence space will look like
> > after a re-boot.

IMHO TCP sequence numbers are (mostly) irrelevant.

One standard way to avoid replay attacks is to add sequence numbers
which never repeat, and are authenticated by the sender.  These can
be sent in the clear, need not be unpredictable, and can start at 0
or any other convenient value.  They can be reset whenever the MAC
is rekeyed.

There are other solutions (e.g. use unpredictable unauthenticated
non-repeating tags, such as the output from a stream cipher); but
TCP sequence numbering isn't one of them.

> Definitively. I am sure authenticating is enough to 'guarantee' its
> integrity. I am not so sure about encryption alone.

Yes.  The protocol designer must ensure the authenticity of IPSEC's
sequence numbers; there is no need to keep them confidential.


TCP and IPSEC sequence numbers have entirely different security
properties, and must satisfy entirely different goals.


So here's a discussion question for those who believe in IPSEC
sequence numbers: should they be handled in an algorithm-specific
way, or should they be a part of the generic AH protocol header?
(For certain MACs, e.g. those based on stream ciphers, replays are
automatically avoided; yet as far as I know these MACs have not
been used in practice much.)
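
The scheme described in the message above (a cleartext, non-repeating counter covered by the MAC and reset on rekey), as an added example that is not part of the original post. HMAC-SHA256, the 64-bit counter, the 64-packet reordering window for datagram transports, and the names `seal` and `Receiver` are assumptions made for illustration.

```python
import hmac, hashlib, struct

TAG_LEN = 32   # HMAC-SHA256 output size
WINDOW = 64    # reordering tolerance (assumption, not from the post)

def seal(key, seq, payload):
    """Sender: cleartext 64-bit counter || payload || MAC(counter || payload)."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key):
        self.rekey(key)

    def rekey(self, key):
        # New MAC key: old packets no longer verify, so the counter may restart.
        self.key, self.highest, self.seen = key, -1, 0

    def accept(self, packet):
        """Return the payload, or None if forged, replayed or too old."""
        if len(packet) < 8 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                    # counter or payload was altered
        seq = struct.unpack(">Q", body[:8])[0]
        if seq > self.highest:             # newest so far: slide the window
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= WINDOW or (self.seen >> offset) & 1:
                return None                # too old, or already accepted
            self.seen |= 1 << offset
        return body[8:]

if __name__ == "__main__":
    key = b"k" * 32                        # constructed sample key
    rx, pkt = Receiver(key), seal(key, 0, b"hello")
    print(rx.accept(pkt), rx.accept(pkt))  # second delivery is rejected
```

The counter is checked only after the MAC verifies, so an unauthenticated packet can never advance the window. The sender must rekey before the counter would wrap.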

