
RE: Suggested modification to AES privacy draft



> >> - Suppose the attacker (Eve) can send packets through the SA.  This
> >>   attacker may be a legitimate user that is not authorized to read
> >>   all the traffic that is routed through the SA.
> >
> >[snip]
> >
> >> I would claim that this attack on privacy is unacceptable, as
> >> none of the assumptions that this attack makes are about things
> >> that the security of IPSec should rely on.  Therefore, I claim
> >> that the common practice of reusing the previous ciphertext
> >> block (which allows this attack), or otherwise selecting IVs
> >> in a predictable manner, should be prohibited.
> >
> >If you make the first assumption, then Eve either:
> >	a) lives on the same host as Alice, or
> >	b) lives behind the same SG as Alice
> >
> >In the case of a, Eve clearly has root so can get any keying
> >information they want.
> Why is this the case?  I do believe that people without root access
> can nevertheless transmit packets.
> 
> >                       In the case of b, Eve could just "tcpdump" on
> >the unprotected link between Eve/Alice and the SG, so IPsec isn't
> >going to protect it.
> Again, is this true?  What if the links have physical security, so
> Eve can't get access to them?
> 
> In any case, both of these objections would appear to be "there's
> something outside of IPSec that happens to protect against the
> attack".  I claim that this is not acceptable -- the security that
> IPSec provides should only depend on IPSec (and the keying protocol)
> only -- not on the assumption that everyone that can generate
> packets can be trusted.

The meta-point here is that if Eve can send packets through the SA,
there's a good chance that she can also read packets coming through
the SA via tools like "tcpdump" ... and obtaining that ability could
be significantly easier and more productive than mounting this attack.

Asking IPsec to solve this problem is a bit of a stretch - an IPsec
gateway is supposed to protect traffic flowing through it from
threats originating from the public side of the gateway, but in
this scenario, Eve has access to the private side by virtue of being
able to send packets through the SA.  I would suggest that the wrong
tool is being used here; if Alice wants end-to-end security
for Bob's password, Alice should be doing something other than using
an any-to-any (or sufficiently wildcarded) SA, e.g.,

	- An SA specific to the telnet session based on a host-resident
		IPsec implementation.
	- A session-based mechanism like TLS or SSH.

In both cases, Eve is unable to send packets through the SA or its
equivalent.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
black_david@emc.com         Cell: +1 (978) 394-7754
---------------------------------------------------