[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Use of Encryption in Heartbeat Packets

To: "'Chris Trobridge'" <CTrobridge@baltimore.com>, "'Andrew Krywaniuk'" </o=TimeStepCorporation/ou=TIMESTEP/cn=Recipients/cn=akrywaniuk@newbridge.com>, "'IPSEC Mailing List @ tis labs'" <ipsec@lists.tislabs.com>
Subject: RE: Use of Encryption in Heartbeat Packets
From: "Andrew Krywaniuk" <akrywani@newbridge.com>
Date: Tue, 29 Feb 2000 18:09:18 -0500
Importance: Normal
In-Reply-To: <1FD60AE4DB6CD2118C420008C74C27B81D0518@baltimore.com>
Reply-To: <akrywani@newbridge.com>
Sender: owner-ipsec@lists.tislabs.com

Hi Chris,

> I was more concerned that you though encryption would provide a quick
> authentication check and strengthen the authentication.

Encryption does provide a "quick authentication check."

In formal-speak, encryption provides an O(1) authentication check of a NbnS
indicator of packet validity. (NbnS = Necessary, but not Sufficient)

As the term (NbnS) implies, you still have to do the full check later.


> Ok, re-reading, you
> do say this is strengthening is only useful where the authentication
> algorithm is weak in the first place.  I could be wrong, but
> I wasn't aware
> that the prescribed authentication algorithms were weak in this way.

Encryption also strengthens the authentication by preventing a known
plaintext analysis of the hash. Of course, no one that we know of currently
has the ability to break an MD5 MAC by known plaintext analysis, which is
why this property provides no tangible benefit (except for that warm, fuzzy
feeling you get knowing that no one can read your packets).


> You do go on to say that encryption helps you reject large
> spoofed packets
> more quickly than authentication alone thus helping defeat a
> DOS attack.
> This was the other point I was questioning.

I assume you mean this comment:

> > > An attacker can still modify later bytes in
> > > the datagram
> > > which would pass any sensible decryption test but not the
> > > authentication
> > > check.

No heartbeat protocol can realistically hope to protect against an adversary
who can modify packets in transit. This is a reasonable limitation, and if
you read the client puzzles document that was recently posted to this list
(http://www.rsasecurity.com/rsalabs/staff/ajuels/papers/clientpuzzles.pdf),
you will see that they make a similar assumption for their protocol.

Remember that such an adversary (presumably an intermediate router) can
easily convince you that the peer has crashed simply by refusing to forward
any packets on the link (unless you are using ToS = high reliability, but
that's besides the point).

If the packet is modified in transit, it will still be rejected, just not in
a fully DoS-resistant fashion.

Andrew
_______________________________________________
 Beauty without truth is insubstantial.
 Truth without beauty is unbearable.

References:

RE: Use of Encryption in Heartbeat Packets

From: Chris Trobridge <CTrobridge@baltimore.com>

Prev by Date: Re: Future ISAKMP Denial of Service Vulnerablity Needs Addressing
Next by Date: Re: Future ISAKMP Denial of Service Vulnerablity Needs Addressing
Prev by thread: RE: Use of Encryption in Heartbeat Packets
Next by thread: Re: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?
Index(es):
- Main
- Thread