
RE: Tero's draft
Hi Tero.

> Pre-shared keys and rsa-encryption mode authentications are not
> vulnerable at all with this attack, because the SKEYID used as a key
> depends on the information that only the related parties can know, and
> those SKEYID values are different for each exchange.

Yes, this is only a vulnerability of signature-based authentication, but
since it's the auth method many of us are advocating...


> For the signature mode the SKEYID is not tied to the related parties,
> but it is tied to the Diffie-Hellman output. So only way the
> attacker can get that information is doing active attack, and if he is
> going to launch huge number of active attacks against one user, I
> think it will be detected. 

What if they are doing aggressive mode? The responder sends KE and SIG in the
same packet. The attacker has no need for active attacks. He listens
passively until he finds an input that works and then he forges KE and SIG
at the same time. (And this works against both parties in base mode.)

During this time, an intermediate router could drop packets in order to
increase the time it has to search for a suitable hash input. Occasional
dropped packets are unlikely to be logged as an attack.


> If the attacker is able to generate an input that will result to a
> given hash output, then the hash algorithm is broken.

I guess you're right that the hash algorithm would have to be somewhat weak.
Probably you should require implementors to use a hash algorithm that is
sufficiently resistant against birthday attacks (e.g. not MD5).

But your statement about having to "generate an input that will result to a
given hash output" is incorrect. You have to generate an input that will
hash to one of many hash outputs for which the signature is known.

You also have to worry about differential plaintext attacks. Does the hash
function maintain its full N bits of entropy against small changes in input?
Valery's suggestion of hashing each message individually would actually
strengthen your proposal against a differential chosen plaintext attack.

In most parts of IKE, we only hash messages that are also encrypted (we also
use HMAC, which is more resistant to birthday attacks). The phase 1
signature is the only place where we can see the direct output of the hash
(by decrypting the SIG and removing the deterministic padding).

I'm not saying that forging the signature would be easy, but it's much
easier to perform a birthday attack on a variable message than it is to
forge the signature for a completely deterministic message, so this change
will clearly weaken IKE.

Before:
- attack is most likely active
- chosen input plaintext is limited

After:
- attack is passive
- input plaintext can be chosen

I'm just wondering how many bits of effective security do we lose, and what
recommendations do we need to make about the choice of hash function.


> I don't think this kind of attack is feasible, but I can ask our
> cryptographers to check it out. 

Let me try. Say that:

N is the entropy of the hash.
X is the dictionary of known hashes.
Y is the number of trial hashes the attacker can generate during the session
hijacking window.
Z is the number of phase 1 negotiations which he can attempt to hijack.

I think all the variables are orthogonal. If all variables are expressed in
bits and N is the entropy of the hash and we disregard insignificant terms
then the security loss against a long-term passive attack is X + Y + Z bits.

If the hash has a weakness against chosen differential plaintext attacks
then... it's too complicated for me to figure out. Say that:

N* is the effective entropy of the hash against differential input.
A reflects the time spent searching for differential attack candidates.
B reflects the time spent specifically on the differential attack.
A + B > 100%, since the searches are not orthogonal.

My estimate would be X + [log2(1+A) + log2(1+B)(N - N*)] Y + Z bits.

(Note that if A=1 and B=0 this reduces to X + Y + Z)

Andrew
_______________________________________________
 Beauty without truth is insubstantial.
 Truth without beauty is unbearable.
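A worked illustration of the multi-target search described in the message above, i.e. finding a chosen input that hashes to any one of X digests for which a signature has already been observed, rather than to one fixed digest. This is an added example, not code from the thread or from Tero's draft. It assumes a toy message layout (`ID_i|ID_r|KE|nonce`), truncates SHA-256 to N bits so the search finishes in seconds, and uses an HMAC under a key the attacker never sees as a stand-in for the RSA/DSA signature over the hash output; `observe_sessions`, `forge`, `expected_trials` and `bits_lost` are all hypothetical helpers written for this example.

```python
"""Multi-target search against a signed, truncated hash (added example).

A signer produces SIG = sign(HASH(msg)) for many sessions.  A passive
attacker who has collected X (digest -> signature) pairs only needs a
fresh message whose digest lands in that set; the expected work drops
from 2^N to about 2^N / X, i.e. log2(X) bits of security are lost.
"""
import hashlib
import hmac
import math
import random

N_BITS = 20                                   # truncated on purpose: toy size
SIGNER_KEY = b"signer-private-key-stand-in"   # constructed; attacker never sees it


def trunc_hash(msg: bytes, n_bits: int = N_BITS) -> int:
    """SHA-256 truncated to n_bits, standing in for an N-bit hash."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def sign(digest: int) -> bytes:
    """Stand-in signature: the signer only ever signs the hash output."""
    return hmac.new(SIGNER_KEY, digest.to_bytes(4, "big"), "sha256").digest()


def verify(msg: bytes, sig: bytes) -> bool:
    """Verifier recomputes the digest and checks the signature over it."""
    return hmac.compare_digest(sign(trunc_hash(msg)), sig)


def build_message(nonce: bytes, ke: bytes) -> bytes:
    """Toy aggressive-mode payload: fixed identities plus variable KE/nonce."""
    return b"ID_i|ID_r|" + ke + b"|" + nonce


def observe_sessions(x: int, rng: random.Random) -> dict:
    """Passively collect X legitimate (digest -> signature) pairs."""
    dictionary = {}
    while len(dictionary) < x:
        msg = build_message(rng.randbytes(8), rng.randbytes(8))
        digest = trunc_hash(msg)
        dictionary[digest] = sign(digest)
    return dictionary


def forge(dictionary: dict, attacker_ke: bytes, rng: random.Random,
          max_trials: int):
    """Vary the attacker-chosen nonce until the digest hits ANY known one.

    Returns (message, reused_signature, trials) or None if the trial budget
    (the 'Y' in the message above) runs out first.
    """
    for trials in range(1, max_trials + 1):
        msg = build_message(rng.randbytes(8), attacker_ke)
        digest = trunc_hash(msg)
        if digest in dictionary:
            return msg, dictionary[digest], trials
    return None


def expected_trials(n_bits: int, x: int) -> float:
    """Average trials to hit one of x targets in an n_bits-bit hash."""
    return 2 ** n_bits / x


def bits_lost(x: int) -> float:
    """Security lost to a dictionary of x known digests: log2(x) bits."""
    return math.log2(x)


if __name__ == "__main__":
    rng = random.Random(1)                # fixed seed: reproducible demo
    known = observe_sessions(1024, rng)   # X = 2^10 observed signatures
    result = forge(known, b"attacker-KE", rng, 1 << 18)
    assert result is not None
    msg, sig, trials = result
    print("forged after", trials, "trials; expected about",
          expected_trials(N_BITS, len(known)))
    print("verifier accepts forged message:", verify(msg, sig))
    print("bits lost to the dictionary:", bits_lost(len(known)))
```

With X = 2^10 known digests and a 20-bit hash the search typically succeeds after on the order of a thousand trials instead of a million; the verifier accepts the forged message because its digest, and therefore its signature, matches one it has legitimately signed before. The same arithmetic is what makes the dictionary term X in the message's estimate additive in bits.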