RE: Simplifying IKE

[Steve.Robinson@psti.com]

Andrew,

While I certainly agree that the attack described in the Ferguson/Schneier
paper on ESP was esoteric, I disagree on your conclusion that
no damage will be done.  Let's assume that no attack is occurring.  What if
the system administrator enters the section of the key used for decryption
incorrectly?  Authentication will work correctly, but right now, there is
no verification mechanism in place to assure that the plaintext is not
garbage, and once you pass garbage up to the upper layers, the behaviour is
system specific and unknown -- it could range from catastrophic to no
damage at all.  Authenticating the text after decryption assures that the
correct plaintext is passed to the upper layers.  If the current order is
only maintained to ward off DoS, then  I'd suggest that the argument is
weak, since DoS can only be minimized, not eliminated.

Steve




                                                                                                                          
                    "Andrew Krywaniuk"                                                                                    
                    <andrew.krywaniuk@al        To:     "'Dan McDonald'" <danmcd@East.Sun.COM>, "'Sandy Harris'"          
                    catel.com>                  <sandy@storm.ca>                                                          
                    Sent by:                    cc:     <ipsec@lists.tislabs.com>                                         
                    owner-ipsec@lists.ti        Subject:     RE: Simplifying IKE                                          
                    slabs.com                                                                                             
                                                                                                                          
                                                                                                                          
                    08/09/01 07:45 AM                                                                                     
                    Please respond to                                                                                     
                    andrew.krywaniuk                                                                                      
                                                                                                                          
                                                                                                                          




> > > 4. modify ESP to ensure it authenticates all data used in
> the deciphering
> >          of the payload
> >
> > This is the only recommendation in this paper based on a
> direct security
> > flaw, with a proposed attack to demonstrate it. There are
> others in the
> > Simpson paper.
>
> And if you use Choice 3a above, you get this for free - AH
> covers the whole
> ESP datagram, SPI/IV/etc.


If my memory serves me correctly, Ferguson/Schneier were actually
suggesting
that

1. encryption be applied AFTER authentication

or, failing that, that

2. the encryption/decryption key be included in the data which is hashed

This is to prevent an esoteric attack they describe which is infeasible and
wouldn't cause any damage anyway. That is not a compelling reason to
redesign ESP.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.

---

Follow-Ups:

• Re: Simplifying IKE
• From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
• RE: Simplifying IKE
• From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

---

• Prev by Date: Re: Simplifying IKE
• Next by Date: RE: DRAFT: ipsec charter update
• Prev by thread: Re: Simplifying IKE
• Next by thread: Re: Simplifying IKE
• Index(es):
  • Main
  • Thread