
Re: Suggested modification to AES privacy draft



Scott Fluhrer <sfluhrer@cisco.com> writes:

> - Suppose the attacker (Eve) can send packets through the SA.  This
>   attacker may be a legitimate user that is not authorized to read
>   all the traffic that is routed through the SA.

[snip]

> I would claim that this attack on privacy is unacceptable, as
> none of the assumptions that this attack makes are about things
> that the security of IPSec should rely on.  Therefore, I claim
> that the common practice of reusing the previous ciphertext
> block (which allows this attack), or otherwise selecting IVs
> in a predictable manner, should be prohibited.

If you make the first assumption, then Eve either:
	a) lives on the same host as Alice, or
	b) lives behind the same SG as Alice

In the case of a, Eve clearly has root so can get any keying
information they want.  In the case of b, Eve could just "tcpdump" on
the unprotected link between Eve/Alice and the SG, so IPsec isn't
going to protect it.

I suppose there may be a 'c' in the case of multicast SAs, but those
are not a part of the document that you are worrying about.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
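The attack under discussion, as an added example that is not part of this message or the draft: Eve shares an SA with Alice, the SA uses CBC with the previous packet's last ciphertext block as the next IV, and Eve can inject plaintext and watch the wire. Because she knows the IV the SA will use for her packet before she sends it, she can craft one block whose CBC input equals E(aliceIV XOR guess) and compare the result against Alice's first ciphertext block. Everything here is constructed: the key, the packet contents and the candidate list; ESP framing, padding and sequence numbers are omitted, and the same code is run once with chained IVs and once with a fresh random IV per packet to show that the second choice defeats the probe.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const blockSize = aes.BlockSize

// sa models an ESP security association shared by Alice and Eve. With
// chained == true the IV of each packet is the last ciphertext block of
// the previous packet (the practice the thread argues against); otherwise
// a fresh random IV is drawn per packet and sent in the clear beside it.
type sa struct {
	block   cipher.Block
	chained bool
	nextIV  []byte // the predictable next IV when chained
}

func newSA(key []byte, chained bool) (*sa, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, blockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return &sa{block: b, chained: chained, nextIV: iv}, nil
}

// send encrypts one packet whose plaintext is already a whole number of
// blocks (ESP padding is omitted) and returns the IV and ciphertext that
// appear on the wire. Anyone on the wire, Eve included, sees both.
func (s *sa) send(plaintext []byte) (iv, ct []byte, err error) {
	if len(plaintext)%blockSize != 0 {
		return nil, nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), blockSize)
	}
	iv = make([]byte, blockSize)
	if s.chained {
		copy(iv, s.nextIV)
	} else if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	ct = make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(s.block, iv).CryptBlocks(ct, plaintext)
	s.nextIV = append([]byte(nil), ct[len(ct)-blockSize:]...)
	return iv, ct, nil
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// probeBlock is Eve's chosen plaintext. CBC will feed
// predictedIV XOR probe = aliceIV XOR guess into the block cipher, so the
// output equals Alice's first ciphertext block exactly when guess is right.
func probeBlock(aliceIV, predictedIV, guess []byte) []byte {
	return xor(xor(guess, aliceIV), predictedIV)
}

// runAttack returns the index in candidates of the block Eve confirms as
// Alice's first plaintext block, or -1 if no candidate is confirmed.
// Eve never touches the key; she only sends packets and reads the wire.
func runAttack(key, alicePacket []byte, candidates [][]byte, chained bool) (int, error) {
	s, err := newSA(key, chained)
	if err != nil {
		return -1, err
	}
	aliceIV, aliceCT, err := s.send(alicePacket)
	if err != nil {
		return -1, err
	}
	c1 := aliceCT[:blockSize]
	// Under chained IVs the next IV is simply the last block seen on the wire.
	lastOnWire := aliceCT[len(aliceCT)-blockSize:]
	for i, guess := range candidates {
		_, probeCT, err := s.send(probeBlock(aliceIV, lastOnWire, guess))
		if err != nil {
			return -1, err
		}
		if bytes.Equal(probeCT[:blockSize], c1) {
			return i, nil
		}
		lastOnWire = probeCT[len(probeCT)-blockSize:]
	}
	return -1, nil
}

func main() {
	key := []byte("0123456789abcdef")                      // constructed 128-bit key
	alice := []byte("transfer $100000to account 42424")    // constructed two-block packet
	candidates := [][]byte{                                // Eve's guesses for block 1
		[]byte("transfer $000001"),
		[]byte("transfer $100000"),
		[]byte("transfer $999999"),
	}
	for _, chained := range []bool{true, false} {
		idx, err := runAttack(key, alice, candidates, chained)
		if err != nil {
			panic(err)
		}
		fmt.Printf("chained IV=%v: confirmed candidate index %d\n", chained, idx)
	}
}
```

With chained IVs the probe confirms candidate 1 after at most three injected packets; with a random per-packet IV Eve cannot predict the value CBC will XOR into her block, so the comparison never matches except by a 2^-128 accident. Note that the attack needs only injection and passive observation, which is why the argument above turns on whether an attacker in that position already has other ways to read the traffic.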