
RE: Suggested modification to AES privacy draft



On Tue, 8 Jan 2002, Andrew Krywaniuk wrote:

> I should point out that this relates to an earlier discussion on this list
> from August of last year, which is whether it is better to have one SA
> between two gateways or whether it is better to have separate SAs for each
> flow. Scott didn't mention his attack back then... maybe he didn't notice it
> until recently.
> 
> Several people commented that it is better to have a single SA because it
> thwarts traffic analysis. I pointed out that the only reason I could think
> of to use multiple SAs was to avoid adaptive chosen plaintext
> attacks.

Ultimately, I think that's a pointless discussion: Different people
(read: customers from my point of view) will do it differently. The
protocol should not dictate how you choose to design your network and
policies.

jan



> A
> couple of people replied that ciphers which are not resistant to these
> attacks shouldn't be used with IPsec. But Scott's attack shows that it is not
> enough for the cipher to be resistant to adaptive chosen plaintext attacks.
> The protocol itself also has to be made resistant to these attacks.
> 
> Andrew
> -------------------------------------------
> There are no rules, only regulations. Luckily,
> history has shown that with time, hard work,
> and lots of love, anyone can be a technocrat.
> 
> 
> 
> > -----Original Message-----
> > From: owner-ipsec@lists.tislabs.com
> > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Koning
> > Sent: Tuesday, January 08, 2002 11:42 AM
> > To: warlord@mit.edu
> > Cc: sfluhrer@cisco.com; sheila.frankel@nist.gov; skelly@SonicWALL.com;
> > rob.glenn@nist.gov; ipsec@lists.tislabs.com
> > Subject: Re: Suggested modification to AES privacy draft
> >
> >
> > >>>>> "Derek" == Derek Atkins <warlord@mit.edu> writes:
> >
> >  Derek> Scott Fluhrer <sfluhrer@cisco.com> writes:
> >  >> - Suppose the attacker (Eve) can send packets through the SA.
> >  >> This attacker may be a legitimate user that is not authorized to
> >  >> read all the traffic that is routed through the SA.
> >
> >  Derek> [snip]
> >
> >  >> I would claim that this attack on privacy is unacceptable, as none
> >  >> of the assumptions that this attack makes are about things that
> >  >> the security of IPSec should rely on.  Therefore, I claim that the
> >  >> common practice of reusing the previous ciphertext block (which
> >  >> allows this attack), or otherwise selecting IVs in a predictable
> >  >> manner, should be prohibited.
> >
> >  Derek> If you make the first assumption, then Eve either: a) lives on
> >  Derek> the same host as Alice, or b) lives behind the same SG as
> >  Derek> Alice
> >
> >  Derek> In the case of a, Eve clearly has root so can get any keying
> >  Derek> information they want.  In the case of b, Eve could just
> >  Derek> "tcpdump" on the unprotected link between Eve/Alice and the
> >  Derek> SG, so IPsec isn't going to protect it.
> >
> > You missed a case, and you also overstated (b).
> >
> > The missing case is a SG with more than one LAN coming out of it,
> > where Eve and Alice are on different ports.
> >
> > Second, for (b), most LANs are largely or entirely switched LANs,
> > which means that Eve will be able to see few if any of the plaintext
> > packets from SG to Alice even if Alice and Eve are on the same
> > subnet.
> >
> > 	paul
> >
> >
> 

 --
Jan Vilhuber           vilhuber@cisco.com          (408) 527-0847
Strategic Cryptographic Development, ITD, Cisco Systems, San Jose
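The attack Scott describes in the quoted text (an attacker who can send packets through a shared SA, combined with the practice of using the previous ciphertext block as the next packet's CBC IV) can be shown in a few lines. The following is an added example, not code from this thread or from any IPsec implementation: it models a gateway with one SA shared by Alice and Eve, an 8-round Feistel toy cipher standing in for AES (the mechanism only depends on CBC chaining, not on the cipher), and a constructed one-block secret. Under the "chained" IV policy Eve can confirm a guess of Alice's plaintext block with one injected packet; under the "random" policy the same probe tells her nothing, which is the protocol-level fix the thread is arguing for.

```python
import hashlib
import os

BLOCK = 16  # bytes; same block size as AES


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Round function: SHA-256 over key, round index and input half, truncated.
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher (8-round Feistel). It is a stand-in for AES;
    the demonstration below depends only on CBC chaining, not on this cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(8):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, right, i)))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC encryption of a whole number of blocks (no padding, to keep it short)."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class Gateway:
    """Hypothetical security gateway with one SA shared by every host behind it.
    iv_policy is 'chained' (IV = last ciphertext block of the previous packet,
    the practice Scott objects to) or 'random' (fresh unpredictable IV per packet)."""

    def __init__(self, key: bytes, iv_policy: str):
        self.key = key
        self.iv_policy = iv_policy
        self.last_block = os.urandom(BLOCK)  # IV for the very first packet

    def send(self, plaintext: bytes):
        """Encrypt one packet; returns (iv, ciphertext) as both appear on the wire
        (ESP carries the IV explicitly, so an observer always sees it)."""
        iv = self.last_block if self.iv_policy == "chained" else os.urandom(BLOCK)
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.last_block = ct[-BLOCK:]
        return iv, ct


def run_scenario(iv_policy: str, alice_secret: bytes, eve_guess: bytes) -> bool:
    """Alice sends one secret block through the SA; Eve, who watches the wire and
    can also send through the SA, tries to confirm one guess for that block.
    Returns True if Eve's probe confirms the guess."""
    gw = Gateway(os.urandom(BLOCK), iv_policy)
    alice_iv, alice_ct = gw.send(alice_secret)           # Eve observes both
    # Under chaining the next IV will be the last ciphertext block Eve just saw.
    predicted_iv = alice_ct[-BLOCK:]
    # Eve chooses her plaintext so that, if the IV prediction holds, the block
    # fed to the cipher equals alice_iv XOR guess, i.e. what Alice's block was
    # if and only if guess == alice_secret.
    probe = xor(xor(predicted_iv, alice_iv), eve_guess)
    _, eve_ct = gw.send(probe)
    return eve_ct[:BLOCK] == alice_ct[:BLOCK]


if __name__ == "__main__":
    secret = b"ALICE SECRET BLK"          # constructed sample plaintext block
    wrong = b"SOME OTHER GUESS"
    print("chained IV, right guess:", run_scenario("chained", secret, secret))
    print("chained IV, wrong guess:", run_scenario("chained", secret, wrong))
    print("random IV,  right guess:", run_scenario("random", secret, secret))
```

Because the block cipher is a permutation, the probe's first ciphertext block equals Alice's exactly when the guessed plaintext is right, so each injected packet answers one yes/no question about Alice's traffic; the attacker needs no key material, only the ability to send through the SA and read the wire. With an unpredictable IV the equality holds only if the gateway happens to pick the IV Eve predicted, which for a 128-bit IV is negligible.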