[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CRACK

To: Yael Dayan <yael@radguard.com>
Subject: Re: CRACK
From: Ari Huttunen <Ari.Huttunen@datafellows.com>
Date: Mon, 25 Oct 1999 14:05:15 +0300
CC: Dan Harkins <dharkins@network-alchemy.com>, ipsec@lists.tislabs.com, ietf-ipsra@vpnc.org
Organization: Data Fellows Oyj
References: <199910211619.JAA15266@potassium.network-alchemy.com> <38108704.ACB4B8FF@radguard.com>
Sender: owner-ipsec@lists.tislabs.com

Yael Dayan wrote:

Dan,
I think there is some wording missing in the security considerations
section.
I am referring to vulnerabilities to denial of service attacks.
The gateway is required to answer with KE and SIG prior to any knowledge
of who the initiator is. (The SIG cannot be prepared ahead of time.).
An attacker only needs to know the gateway's address to launch an attack
that requires very little effort on his behalf.
Yael

There are at least two ways that I can think of, to make this more
DoS secure. It's hard for a malicious client to
a) receive IP packets if the source address is spoofed, and
b) it's computationally expensive to generate public/private key pairs.

We can use these to improve DoS resitance by making the client
first prove that it can receive IP packets and to give the gateway
the public key (and prove possession of the private key) before
the gateway gives KEr or SIG1. Something along the lines below.

   Client (I)                     Gateway (R)
-----------                     -----------
   HDR, SAi, Ni
     [, CERTREQ]          --->
                          <---     HDR, SAr, [CERT, ] Nr
   HDR, KEi, PK, SIG0     --->
                          <---     HDR, KEr, SIG1
   HDR*, CHRE             --->
                          <---     HDR*, < SIG2 | CHRE >
   HDR*, < SIG3 | CHRE > --->

Here SIG0 is something suitable that proves possession of the private key.
If this is a DoS attack, the source IP address and/or the PK is put to a black
list and denied access in the future. There are several (minor?) disadvantages too.
I'll leave it to the authors if this is worth it or not.

Another matter is that I believe SIG2 could be replaced by a hash. Since
the gateway has already signed KEr, which specifies the encrypting channel,
which is in turn used to transport the hash, this should be secure? This
could also be usable for SIG3 if SIG0 is added as suggested in this mail.

Incidentally, this modified exchange looks somewhat like base mode..

BTW, there's an interesting paper by Pekka Nikander and Tuomas Aura
about stateless connections that makes protocols more resistant to DoS
attacks ( http://www.tcm.hut.fi/~pnr/publications/ICICS-97.ps ). The idea
of my previous DoS secured base mode mails is from here.

Ari

--
Ari Huttunen phone: +358 9 859 900
Senior Software Engineer fax : +358 9 8599 0452

Data Fellows Corporation http://www.DataFellows.com

F-Secure products: Integrated Solutions for Enterprise Security

References:

CRACK

From: Dan Harkins <dharkins@network-alchemy.com>

Re: CRACK

From: Yael Dayan <yael@radguard.com>

Prev by Date: I-D ACTION:draft-ietf-ipsec-isakmp-di-mon-mib-01.txt
Next by Date: "PKIX Profile for IKE"--Is it really a profile?
Prev by thread: Re: CRACK
Next by thread: CRACK
Index(es):
- Main
- Thread