
Re: suggestion for JFK



In message <20011213062153.EB51054C55@tailor.sailpix.com>,
dharkins@tibernian.com writes:
>On Wed, 12 Dec 2001 13:02:17 MST you wrote
>> 
>>   As I understand Dan's suggestion, including the IP address means that the
>> initiator can't bounce around to different IPs - I don't get what it buys
>> though.
>
>What it buys is a guarantee that there is only one case in which a token
>would be valid but the encrypted data is garbage-- when message 3 was sent
>by the same IP address which obtained the token in message 2.
>
>If the token is correct in message 3 then the responder does work. It would
>be nice (to me at least) to know who is trying to make me do some work for
>no reason. Right now all I know is that someone is doing this thing to me,
>not who.
>
>In addition, by not including the IP address in the hash calculation JFK
>opens itself up to a variant of Simpson's "cookie jar" attack. What happens
>is I send a JFK implementation X message 1's with different nonces and g^i's
>and receive X valid tokens in response. Provided that message 1 and message
>X obtained a token based on the same HKr (I'll know this if the signed g^r
>is the same) I can then send X message 3's with bogus source IP addresses
>and the responder will use up his CPU exponentiating to decrypt lots and
>lots of garbage. And he has no idea where the person is who is doing this
>to him.
>
>I will now stop beating this horse since I am the only person who thinks
>it is not dead yet.
>

I'm not convinced one way or another -- your note arrived during the 
IETF, which is not a time I find conducive to analyzing cryptographic 
protocols.  (My first reaction was "this breaks NAT transparency", 
which was of course wrong -- and a perfect reason why I'm going to 
defer thinking about it.)


		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
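
The responder-side token check discussed in this thread, as an added example that is not part of either message or of the JFK draft: it compares a token computed without the source address to one that includes it, for a message 3 arriving from the requesting address and from a different one. HMAC-SHA256, the length-prefixed field layout, the function names and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import os


def _lp(field: bytes) -> bytes:
    # Length-prefix each field so the concatenation is unambiguous.
    return len(field).to_bytes(2, "big") + field


def make_token(hkr, g_r, n_r, n_i, src_ip=None):
    """Keyed hash under HKr; src_ip=None models a token with no IP in the hash."""
    mac = hmac.new(hkr, digestmod=hashlib.sha256)
    for field in (g_r, n_r, n_i):
        mac.update(_lp(field))
    if src_ip is not None:
        mac.update(_lp(ipaddress.ip_address(src_ip).packed))
    return mac.digest()


def accept_message3(hkr, g_r, n_r, n_i, token, src_ip, bind_ip):
    """Responder's cheap check, done before any exponentiation or decryption."""
    expected = make_token(hkr, g_r, n_r, n_i, src_ip if bind_ip else None)
    return hmac.compare_digest(expected, token)


def demo():
    # Constructed sample values; random bytes stand in for g^r and the nonces.
    hkr, g_r = os.urandom(32), os.urandom(32)
    n_i, n_r = os.urandom(16), os.urandom(16)
    requester, other = "192.0.2.10", "198.51.100.77"  # documentation ranges
    results = {}
    for bind_ip in (False, True):
        # Message 2: token issued to the address that sent message 1.
        token = make_token(hkr, g_r, n_r, n_i, requester if bind_ip else None)
        # Message 3 arriving from the same address and from a different one.
        results[bind_ip] = {
            "same_ip": accept_message3(hkr, g_r, n_r, n_i, token, requester, bind_ip),
            "other_ip": accept_message3(hkr, g_r, n_r, n_i, token, other, bind_ip),
        }
    return results


if __name__ == "__main__":
    for bind_ip, outcome in demo().items():
        print("IP in hash:", bind_ip, outcome)
```

With the address in the hash, a message 3 from any other source fails the keyed-hash comparison, so the responder drops it before spending an exponentiation on it.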