Re: Suggested modification to AES privacy draft



At 06:46 AM 1/7/02, Derek Atkins wrote:
>Scott Fluhrer <sfluhrer@cisco.com> writes:
>
>> - Suppose the attacker (Eve) can send packets through the SA.  This
>>   attacker may be a legitimate user that is not authorized to read
>>   all the traffic that is routed through the SA.
>
>[snip]
>
>> I would claim that this attack on privacy is unacceptable, as
>> none of the assumptions that this attack makes are about things
>> that the security of IPSec should rely on.  Therefore, I claim
>> that the common practice of reusing the previous ciphertext
>> block (which allows this attack), or otherwise selecting IVs
>> in a predictable manner, should be prohibited.
>
>If you make the first assumption, then Eve either:
>	a) lives on the same host as Alice, or
>	b) lives behind the same SG as Alice
>
>In the case of a, Eve clearly has root so can get any keying
>information they want.

Why is this the case?  I do believe that people without root access
can nevertheless transmit packets.

>                       In the case of b, Eve could just "tcpdump" on
>the unprotected link between Eve/Alice and the SG, so IPsec isn't
>going to protect it.

Again, is this true?  What if the links have physical security, so
Eve can't get access to them?

In any case, both of these objections would appear to be "there's
something outside of IPSec that happens to protect against the
attack".  I claim that this is not acceptable -- the security that
IPSec provides should depend on IPSec (and the keying protocol)
only -- not on the assumption that everyone who can generate
packets can be trusted.

>
>I suppose there may be a 'c' in the case of multicast SAs, but those
>are not a part of the document that you are worrying about.
>
>-derek
>
>-- 
>       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>       Member, MIT Student Information Processing Board  (SIPB)
>       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>       warlord@MIT.EDU                        PGP key available
>
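
Added worked example (not part of this message, of the draft under
discussion, or of any IPsec implementation): the chosen-plaintext
test that a chained IV makes possible, written in Go against the
standard crypto/aes and crypto/cipher packages.  The SA model is a
deliberate simplification and everything in it is assumed for the
example: ESP-style packets carried as IV || ciphertext, whole-block
plaintexts, no integrity check, a constructed key, a constructed
16-byte secret block, and a constructed list of candidate values.
Eve sees every packet on the protected link and can send packets
through the same SA, but holds no key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// sa models an ESP-style security association: send CBC-encrypts one packet
// (whole blocks only) and returns IV || ciphertext, exactly what an
// eavesdropper sees on the wire. With chained=true the SA reuses the last
// ciphertext block of the previous packet as the next IV, the practice the
// message argues should be prohibited; otherwise every packet gets a fresh
// random IV. This is a constructed model, not any real IPsec stack.
type sa struct {
	block   cipher.Block
	chained bool
	nextIV  []byte
}

func randomBlock() []byte {
	b := make([]byte, aes.BlockSize)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newSA(key []byte, chained bool) *sa {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return &sa{block: b, chained: chained, nextIV: randomBlock()}
}

func (s *sa) send(plaintext []byte) []byte {
	iv := s.nextIV
	if !s.chained {
		iv = randomBlock()
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(s.block, iv).CryptBlocks(ct, plaintext)
	s.nextIV = append([]byte(nil), ct[len(ct)-aes.BlockSize:]...)
	return append(append([]byte{}, iv...), ct...)
}

func xorBlocks(blocks ...[]byte) []byte {
	out := make([]byte, aes.BlockSize)
	for _, b := range blocks {
		for i := range out {
			out[i] ^= b[i]
		}
	}
	return out
}

// guessFirstBlock is Eve's chosen-plaintext test. She holds no key but has
// captured alicePacket (IV || ct) and can send packets through the same SA.
// If she can predict the SA's next IV, sending
//     probe = guess XOR ivAlice XOR ivNext
// makes the SA emit E_k(probe XOR ivNext) = E_k(guess XOR ivAlice), which
// equals Alice's first ciphertext block exactly when guess is Alice's block.
func guessFirstBlock(s *sa, alicePacket []byte, candidates [][]byte) ([]byte, bool) {
	ivAlice := alicePacket[:aes.BlockSize]
	ctAlice := alicePacket[aes.BlockSize : 2*aes.BlockSize]
	ivNext := alicePacket[len(alicePacket)-aes.BlockSize:] // Eve's prediction
	for _, guess := range candidates {
		pkt := s.send(xorBlocks(guess, ivAlice, ivNext))
		if !bytes.Equal(pkt[:aes.BlockSize], ivNext) {
			// The SA used an IV Eve did not predict, so comparing
			// ciphertext blocks would say nothing about Alice's plaintext.
			return nil, false
		}
		if bytes.Equal(pkt[aes.BlockSize:2*aes.BlockSize], ctAlice) {
			return guess, true
		}
		ivNext = pkt[len(pkt)-aes.BlockSize:] // her own probe fixes the next IV
	}
	return nil, false
}

// demo: Alice sends one packet whose first block is secret, then Eve attacks.
func demo(s *sa, secret []byte, candidates [][]byte) ([]byte, bool) {
	alicePacket := s.send(append(append([]byte{}, secret...), []byte("...rest of pkt..")...))
	return guessFirstBlock(s, alicePacket, candidates)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key; Eve never learns it
	secret := []byte("user=alice;pin=7") // constructed 16-byte secret first block
	guesses := [][]byte{[]byte("user=alice;pin=1"), []byte("user=alice;pin=7"), []byte("user=alice;pin=9")}
	g, ok := demo(newSA(key, true), secret, guesses)
	fmt.Printf("chained IV: recovered=%v %q\n", ok, g)
	g, ok = demo(newSA(key, false), secret, guesses)
	fmt.Printf("random IV:  recovered=%v %q\n", ok, g)
}
```

Two points the code makes that the prose does not spell out.  First,
this is a confirmation test against a candidate set, not decryption:
Eve learns whether a specific guess for Alice's first block is
right, so it bites hardest where that block ranges over a small
space (a PIN, a short field, a known header with one unknown
value).  Second, every probe Eve sends changes the chained IV, so
she has to recompute the next IV from her own ciphertext before each
try, which the loop does.  With a fresh random IV per packet the
very first check fails, because the IV the SA actually used does not
match her prediction, and she gains nothing from sending packets.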