
Re: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems



Stephen Kent <kent@bbn.com> writes:

> Yes, but most recent attacks have not been of this flavor, and we 
> have a variety of alternate authentication mechanisms that can be 
> used when people are concerned about passive wiretapping. I'm not 
> opposed to using encryption, but we see lots of attacks that exploit 
> buffer overflows and other bugs that will not be countered by 
> encryption. Moreover, use of encryption does adversely affect use of 
> net-based IDS and one has to decide where this negative side effect 
> outweighs the benefits.

I'm not sure how an authentication system can prevent a buffer
overflow attack, either, except you know authoritatively which host
originated the attack on you.  But that might not help any, because
you don't know whether that other host started it or not.  Besides,
spoofing TCP connections nowadays is pretty hard, so you can be fairly
certain of the source IP of someone attacking with a buffer overrun
(code red, anyone?).  How does authentication help?

> Maybe. Since encryption can also interfere with our ability to detect 
> and track attacks, its use is not purely beneficial.  In recent 
> experiments sponsored by DARPA, we observed that use of encryption 
> with faulty authentication techniques allowed attackers to gain 
> unauthorized access and to hop from system to system without 
> detection, under cover of the encryption used on a host-to-host basis 
> in a LAN environment.

Perhaps this means we need better, distributed tracking tools.
Instead of a centralized overseer, perhaps network elements need to
communicate their attack status to their peers.

> >We cannot build a panacea.  No such beast exists, and looking for that
> >perfect solution will, in the end, cause us to have none.
> 
> We agree on the principle, but may differ on where to draw the line.

Indeed.  At least we're heading in the same general direction. :)

> Steve

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

