Re: notes from developer's portion of IETF meeting

[Bill Sommerfeld <sommerfeld@apollo.hp.com>]

> As I recall, integrity is required for security _only_ when there are
> mutually hostile users ...

One terminology nit: I say "mutually suspicious" rather than "mutually
hostile", as actual hostility is not required, merely suspicion that
the other guys are, or may become, hostile..

> ... on multi-user systems at both ends of the
> connection/path.  These multi-user systems "know" that they require
> integrity, and can negotiate it appropriately.

This is true only if you consider an encrypting router fronting for
multiple mutually suspicious end users to be a multi-user system.

> OTOH, a dialup user encrypting to a firewall (or even their target
> multi-user host) from a laptop would _not_ require added integrity.  Big
> interactive RTT savings on a low speed link.

This is simply not true if the firewall is fronting for mutually
suspicious users.  This may seem improbable, but I know of sites where
(for historical reasons) two different organizations sharing a
building also share a large chunk of the network infrastructure..

Here's a very specific, concrete example, of a case where lack of
integrity leads to lack of confidentiality.

			  A
			/
	C =====M==== GW  
                        \ 
                          B


assume a pair of ESP SA's between C and GW (one in each direction) so
there's a single key in use in each direction between C and GW; assume
also that the encryption in question is a block cipher in CBC mode.

assume that B can't tap the A-GW link because it's physically secure,
but wants to spy on A->C traffic; it also has a wiretap/traffic
injection point at M, where it can inject arbitrary messages into the
network.

assume C runs an ICMP echo service.

B sends a large ICMP echo request packet to C, and captures the
encrypted form of the packet at M.

so, what it has is:

	IV  
	ciphertext of B->C ICMP header
	ciphertext of B->C ICMP data
	ciphertext of pad			(at least one full block's worth)
	ciphertext of B->C ESP trailer

B also captures traffic it wants decrypted.  it then constructs a
packet of the form:

	IV 
	ciphertext of B->C ICMP header
	IV of the A->C message			<---+-- same length as
	ciphertext from A->C message		<---+   ICMP data above
	ciphertext of pad
	ciphertext of B->C ESP trailer

Because of the properties of CBC-mode ciphers, C will receive an ICMP
packet with a valid header, a garbled data block corresponding to the
A->C IV, the plaintext of a sequence of blocks from A->C message,
another garbled block (conveniently located in the middle of the
padding) and then a valid ESP trailer.

C will then promply return the decrypted plaintext to B in an ICMP
echo reply.

One might think that the icmp checksum might get in the way, but
there's at least one way around this which only adds a work factor of
2**16-1: B can construct echo packets with all 2**16-1 possible
checksums, and try all of them; C returns the one for which the
checksum matches.

Tapping the C->A traffic is even easier: pull the encrypted packets at
M, substitute the ciphertext into the middle of the encrypted ICMP
reply from C to B, and send them (again) to GW; B simply "forgets" to
check the ICMP checksum on reciept.

					- Bill

---

Follow-Ups:

• Re: notes from developer's portion of IETF meeting
• From: Stephen Kent <kent@bbn.com>

References:

• Re: notes from developer's portion of IETF meeting
• From: "William Allen Simpson" <bsimpson@morningstar.com>

---

• Prev by Date: PMTU/DF issues
• Next by Date: Re: notes from developer's portion of IETF meeting
• Prev by thread: Re: notes from developer's portion of IETF meeting
• Next by thread: Re: notes from developer's portion of IETF meeting
• Index(es):
  • Main
  • Thread