
Re: notes from developer's portion of IETF meeting



In article <199704222156.RAA12940@earth.hpc.org>,
Hilarie Orman <ho@earth.hpc.org> wrote:
>  >As I recall, integrity is required for security _only_ when there are
>  >mutually hostile users on multi-user systems at both ends of the
>  >connection/path.  These multi-user systems "know" that they require
>  >integrity, and can negotiate it appropriately.
> 
> This idea has always puzzled me.  Surely block ciphers without some kind of
> integrity are insecure in any active attack environment.

Well, yes, I think that's roughly the case, in practice.

Bellovin's cut-and-paste attack shows that block ciphers aren't secure
against chosen-ciphertext attacks (where the attacker gets the target to
release the decryption of a stretch of attacker-chosen ciphertext).

Multi-user systems (with host-pair keying) are one practical environment
where chosen-ciphertext queries can be mounted; but there are others, too.

For instance, imagine: a mail message comes in over the ipsec-encrypted
link A->B; B's sendmail forwards the message to C; host C doesn't do ipsec,
and so the message is sent unencrypted on the B->C link.  B's sendmail is
letting A mount a chosen-ciphertext query; now A can cut-and-paste ciphertext
from B's other ipsec connections to get them decrypted.  This is an
instance of application-layer forwarding.

Also, short-block attacks work even against single-user machines.

Of course, the proper immunization against chosen-ciphertext attacks is
authentication of the ciphertexts.
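Here is a small worked illustration of the two points above (the CBC cut-and-paste splice and why authenticating the ciphertext stops it). This is added example code, not code from this message or from any IPsec implementation; the keys, IVs and the two messages are constructed for the demonstration, and the same AES key serves both "connections" to mirror host-pair keying.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const blockSize = 16

// Constructed inputs. mailA is the message A sends that B's sendmail will
// forward in the clear; secretB is traffic on a different connection that
// shares the same host-pair key. Every block is exactly 16 bytes, so no
// padding scheme is needed.
const (
	mailA   = "Subject: lunch? " + "See you at noon."
	secretB = "To: B from: D   " + "password=hunter2"
)

var (
	encKey = []byte("0123456789abcdef") // constructed AES-128 key
	macKey = []byte("fedcba9876543210") // constructed HMAC key
	ivA    = []byte("iv-for-message-A") // constructed IVs, 16 bytes each
	ivB    = []byte("iv-for-message-B")
)

// cbcEncrypt returns iv || AES-CBC(plaintext); the plaintext length must be a
// multiple of the block size.
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, plaintext)
	return append(append([]byte{}, iv...), ct...)
}

// cbcDecrypt is the integrity-less transform: it accepts any well-formed
// ciphertext and returns whatever the blocks decrypt to.
func cbcDecrypt(key, data []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv, ct := data[:blockSize], data[blockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return pt
}

// cutAndPaste models the splice described in the message: the ciphertext
// blocks of secretB are appended to mailA's ciphertext. CBC decrypts block i
// as D(C_i) XOR C_{i-1}, so the first pasted block comes out as garbage but
// the second comes out as its original plaintext, which B then forwards.
func cutAndPaste(encA, encB []byte) []byte {
	spliced := append([]byte{}, encA...)
	return append(spliced, encB[blockSize:]...)
}

// sealAuthenticated is encrypt-then-MAC: the tag covers the IV and every
// ciphertext block, so any cut-and-paste changes the MAC input.
func sealAuthenticated(encKey, macKey, iv, plaintext []byte) []byte {
	data := cbcEncrypt(encKey, iv, plaintext)
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	return m.Sum(data)
}

// openSealed verifies the tag before decrypting; a spliced ciphertext never
// reaches the decryptor, so there is no decryption for forwarding to leak.
func openSealed(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size+2*blockSize {
		return nil, errors.New("too short")
	}
	data, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, errors.New("integrity check failed: ciphertext rejected")
	}
	return cbcDecrypt(encKey, data), nil
}

// leakedBlock returns the last plaintext block B would forward after the
// splice under the integrity-less transform.
func leakedBlock() string {
	spliced := cutAndPaste(cbcEncrypt(encKey, ivA, []byte(mailA)),
		cbcEncrypt(encKey, ivB, []byte(secretB)))
	pt := cbcDecrypt(encKey, spliced)
	return string(pt[len(pt)-blockSize:])
}

// splicedAccepted reports whether the authenticated transform accepts the
// same splice when it carries mailA's original tag.
func splicedAccepted() bool {
	sealedA := sealAuthenticated(encKey, macKey, ivA, []byte(mailA))
	sealedB := sealAuthenticated(encKey, macKey, ivB, []byte(secretB))
	tagA := sealedA[len(sealedA)-sha256.Size:]
	spliced := cutAndPaste(sealedA[:len(sealedA)-sha256.Size], sealedB[:len(sealedB)-sha256.Size])
	_, err := openSealed(encKey, macKey, append(spliced, tagA...))
	return err == nil
}

func main() {
	fmt.Printf("integrity-less CBC: block B forwards in the clear = %q\n", leakedBlock())
	fmt.Printf("encrypt-then-MAC accepted the splice: %v\n", splicedAccepted())
}
```

The point of the pair is that nothing about the decryptor changed between the two runs; the only difference is whether the receiver checks a tag over the whole ciphertext before releasing any plaintext. Encrypt-then-MAC is used here because the tag can be checked without decrypting, which is what makes the forwarding path harmless.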

This is just a robustness argument: if you're using encryption in an
active attack environment, I say you'd better authenticate the connection
too, or you may very well be subject to pernicious, subtle, and
unanticipated attacks.

Let's learn from earlier mistakes, and be extremely wary of
integrity-less encryption transforms.
