
Re: linux-ipsec: Decrypting ID payload in Main Mode w/shared secrets



  OK, I'll concede this. Some organization may be able to correlate airline 
flight records, images from Internet cafe video cameras, ISP logs, and telephone 
bills into a damning indictment on a single individual. Impressive but not beyond
my imagination. Don't you also think that there's some hit squad in some 
repressive dictatorship that would rather find out that a wanted man is in 
some exact location at an exact time? "He's in the El Mariachi Internet Cafe!
Move!" But this kind of posturing is better done face-to-face with some
libation in hand.

  An active attack on what you describe may be easier to hide than you imagine. 
As soon as the IKE SA is "authenticated" and the identities determined 
delete messages are sent back to the parties to delete the SA. Since the packets 
that initiated the IKE exchange in the first place are still in the hopper waiting 
for an IPSec SA it'll initiate another exchange. This 2nd one will succeed. The 
user sees a slight delay which might be normal for the local PTT.

  But this is bizarre. You're arguing _for_ doing something that allows for
an active attack when you have perfectly good options that will solve your
problem and not open you up to attack. Is there a problem with El-Gamal keys?
Is there a problem with the reconstituted ID_KEY_ID scheme I described? Why
not use GNU Privacy Guard DSA keys? That would seem to advance two products
in tandem, which would be a good thing (actually GNU Privacy Guard El-Gamal
encryption keys would be better). If I was paranoid I'd think you had an 
ulterior motive.

  Dan.

On Fri, 30 Apr 1999 11:49:53 PDT you wrote
> Dan, your replies sound disingenuous.  This isn't rocket-science.
> Why anyone would want to help us design a protocol that promises security
> and anonymity, but doesn't actually deliver it, I would have no idea...
> 
> >    This proposed solution permits eavesdroppers to determine that the same
> >    person (the same opaque blob) is connecting from a variety of places,
> >    even if they don't know the "identity" of that person.
> > 
> > That would require large scale traffic analysis to derive this information
> > and I'm not sure what use can be made of it-- that some opaque blob (the same
> > person) is connecting from a variety of places. 
> 
> I certainly can't think of any secretive three-letter organizations
> that are doing large scale traffic analysis.  Can you?
> 
> Once ANY corroborating information makes it possible to link that blob
> to a person, EVERY communication that person has had in the past, or
> will have in the future, has been identified to them.
> 
> It's easy to link a blob with many other identifying bits of
> information.  If airline flight records (passed to the State Dept for
> every international flight, for passport clearance) show you in twenty
> cities on specified dates over three years, and there are connections
> by that blob from eighteen of those cities at the right times...  If
> you plug in in an Internet cafe and your image is recorded on the
> security camera, or perhaps you pay for the session and some lunch
> with a credit card...  If you dial an ISP which authenticates your PPP
> login/password over the net in the clear, and then that blob comes
> from that IP address twelve seconds later...  If your telephone bills
> (available to the police in the US with *no* warrant, even assuming
> the intelligence services haven't infiltrated the telco billing
> computers) show that your home phone or cellphone has made calls to
> an ISP at the same times that blob appeared on the 'net...
> 
> > If that's scary in your 
> > environment then why isn't an active attack against "open secret" scary? 
> 
> Active attacks are detectable by the parties to the communication.
> Secretive three-letter organizations hate for the parties to know that
> they're watching.  It encourages the parties to take active measures against
> the watchers.
> 
> Also, active attacks require more than merely passive monitoring of
> e.g. satellite or undersea-cable communications, which is well within
> the realm of undetectable technology.  Active attacks would require
> injecting packets covertly into the Internet -- a process that can be
> tracked back to the source, with enough work, the way that Shimomura
> tracked Mitnick, from router to router, and through compromised and
> doctored phone switches.
> 
> Active attacks are much harder to do on a mass scale.  If done on that
> scale, the probability of detection is very great.  Whereas worldwide
> passive wiretapping on a mass scale has been going on for decades
> without much significant confirmed detection -- merely very strong
> suspicion.  Active attacks can be witnessed by reliable third
> parties, and credible evidence brought to a judge; they can't be
> prevented from disclosure to the target or the public as "classified
> information".
> 
> Furthermore, if a single connection's identity is revealed by an
> active attack against a single IKE negotiation, that identity will not
> be linked to any previous or future IKE negotiations by the same
> person.  Each one is protected by the Diffie-Hellman exchange.
> 
> Are those a few good reasons, Dan?
> 
> > Yes, the Quick Mode exchange would break down but now this attacker knows
> > who (the actual identity, not just "the same opaque blob") and where. If
> > I was running a hit squad that would be valuable intelligence; knowing that
> > an opaque blob is running around connecting from various POPs would not.
> 
> It was certainly useful in WW2 to know that a given opaque U-boat
> callsign was running around connecting from various POPs and BANGs,
> even if its "identity" wasn't known.  The blob *is* the identity, for
> many useful purposes.  Traffic analysis alone -- including radio
> direction-finding -- provided a very large fraction of the useful
> information the Allies received in WW2.  I doubt the situation has
> changed today.
> 
> 	John
