
RE: Suggested modification to AES privacy draft



I should point out that this relates to an earlier discussion on this list
from August of last year, which is whether it is better to have one SA
between two gateways or whether it is better to have separate SAs for each
flow. Scott didn't mention his attack back then... maybe he didn't notice it
until recently.

Several people commented that it is better to have a single SA because it
thwarts traffic analysis. I pointed out that the only reason I could think
of to use multiple SAs was to avoid adaptive chosen plaintext attacks. A
couple of people replied that ciphers which are not resistant to these
attacks shouldn't be used with IPsec. But Scott's attack shows that it is not
enough for the cipher to be resistant to adaptive chosen plaintext attacks.
The protocol itself also has to be made resistant to these attacks.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Koning
> Sent: Tuesday, January 08, 2002 11:42 AM
> To: warlord@mit.edu
> Cc: sfluhrer@cisco.com; sheila.frankel@nist.gov; skelly@SonicWALL.com;
> rob.glenn@nist.gov; ipsec@lists.tislabs.com
> Subject: Re: Suggested modification to AES privacy draft
>
>
> >>>>> "Derek" == Derek Atkins <warlord@mit.edu> writes:
>
>  Derek> Scott Fluhrer <sfluhrer@cisco.com> writes:
>  >> - Suppose the attacker (Eve) can send packets through the SA.
>  >> This attacker may be a legitimate user that is not authorized to
>  >> read all the traffic that is routed through the SA.
>
>  Derek> [snip]
>
>  >> I would claim that this attack on privacy is unacceptable, as none
>  >> of the assumptions that this attack makes are about things that
>  >> the security of IPSec should rely on.  Therefore, I claim that the
>  >> common practice of reusing the previous ciphertext block (which
>  >> allows this attack), or otherwise selecting IVs in a predictable
>  >> manner, should be prohibited.
>
>  Derek> If you make the first assumption, then Eve either: a) lives on
>  Derek> the same host as Alice, or b) lives behind the same SG as
>  Derek> Alice
>
>  Derek> In the case of a, Eve clearly has root so can get any keying
>  Derek> information they want.  In the case of b, Eve could just
>  Derek> "tcpdump" on the unprotected link between Eve/Alice and the
>  Derek> SG, so IPsec isn't going to protect it.
>
> You missed a case, and you also overstated (b).
>
> The missing case is a SG with more than one LAN coming out of it,
> where Eve and Alice are on different ports.
>
> Second, for (b), most LANs are largely or entirely switched LANs,
> which means that Eve will be able to see few if any of the plaintext
> packets from SG to Alice even if Alice and Eve are on the same
> subnet.
>
> 	paul
>
>
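The attack the thread refers to, as an added example that is not part of the original message or of the IPsec drafts it discusses: a CBC security association whose IV is the previous packet's last ciphertext block, and an attacker (Eve) who can only push packets through that SA, testing guesses for a low-entropy field in Alice's packet. The block cipher is a toy SHA-256 Feistel network standing in for AES (the attack does not depend on which block cipher CBC is built on); the SA class, the PIN field, Alice's packet and all names are constructed for the illustration.

```python
"""Chained-IV CBC vs. random-IV CBC: the adaptive chosen-plaintext check
discussed in the thread, as an added example (not code from the thread).

The block cipher below is a toy 4-round Feistel network keyed with SHA-256,
standing in for AES so the script runs with the standard library alone; the
attack is independent of which block cipher CBC is built on.
"""
import hashlib
import os
from typing import List, Optional, Tuple

BLOCK = 16  # AES block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed hash, truncated to one half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block cipher (stand-in for AES): 16-byte block, 4 Feistel rounds."""
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


class CbcSa:
    """One security association doing CBC. With chained_iv=True the IV of each
    packet is the last ciphertext block of the previous packet (the practice
    the thread says should be prohibited); otherwise a fresh random IV."""

    def __init__(self, key: bytes, chained_iv: bool) -> None:
        self.key = key
        self.chained_iv = chained_iv
        self.last_block = os.urandom(BLOCK)  # first IV is random either way

    def encrypt(self, plaintext: bytes) -> Tuple[bytes, List[bytes]]:
        assert len(plaintext) % BLOCK == 0
        iv = self.last_block if self.chained_iv else os.urandom(BLOCK)
        prev, blocks = iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(plaintext[i : i + BLOCK], prev))
            blocks.append(prev)
        self.last_block = blocks[-1]
        return iv, blocks  # IV travels in the clear, as in ESP


def pin_block(pin: int) -> bytes:
    # Constructed low-entropy field: a 4-digit PIN at a known position/format.
    return (b"PIN=" + f"{pin:04d}".encode()).ljust(BLOCK, b"\x00")


def eve_recover_pin(sa: CbcSa, alice_iv: bytes, alice_ct: List[bytes], j: int) -> Optional[int]:
    """Eve can send packets through the SA but not read Alice's plaintext.
    To test a guess G for Alice's block P_j she sends G xor C_{j-1} xor IV',
    where IV' is the IV she predicts for her own packet. The SA then emits
    E(G xor C_{j-1}), which equals Alice's C_j exactly when G == P_j.
    One packet per guess; the key is never learned and the cipher is not broken."""
    prev = alice_iv if j == 0 else alice_ct[j - 1]
    target = alice_ct[j]
    predicted_iv = alice_ct[-1]  # chained-IV prediction: last block seen on the wire
    for pin in range(10_000):
        probe = xor(xor(pin_block(pin), prev), predicted_iv)
        _, ct = sa.encrypt(probe)  # Eve's legitimate traffic through the SA
        if ct[0] == target:
            return pin
        predicted_iv = ct[-1]  # Eve's own packet is now the previous packet
    return None


def demo(chained_iv: bool, secret_pin: int = 4271) -> Optional[int]:
    sa = CbcSa(os.urandom(16), chained_iv)
    # Constructed packet from Alice: header block, PIN block, trailer block.
    alice_plain = b"GET /login HTTP/" + pin_block(secret_pin) + b"trailer padding!"
    iv, ct = sa.encrypt(alice_plain)
    return eve_recover_pin(sa, iv, ct, j=1)


if __name__ == "__main__":
    print("chained IV :", demo(True))   # Eve recovers the PIN
    print("random IV  :", demo(False))  # None: Eve cannot line up her probe
```

With chained IVs Eve needs one packet per guess and never learns the key; the same code with a fresh random IV per packet returns None, because the XOR mask she sends no longer lines up with the IV the SA actually uses. That is the sense in which the cipher can be fine and the protocol still not be.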