RE: Suggested modification to AES privacy draft
On Tue, 8 Jan 2002, Andrew Krywaniuk wrote:
> I should point out that this relates to an earlier discussion on this list
> from August of last year, which is whether it is better to have one SA
> between two gateways or whether it is better to have separate SAs for each
> flow. Scott didn't mention his attack back then... maybe he didn't notice it
> until recently.
>
> Several people commented that it is better to have a single SA because it
> thwarts traffic analysis. I pointed out that the only reason I could think
> of to use multiple SAs was to avoid adaptive chosen plaintext
> attacks.
Ultimately, I think that's a pointless discussion: Different people
(read: customers from my point of view) will do it differently. The
protocol should not dictate how you chose to design your network and
policies.
jan
> A couple of people replied that ciphers which are not resistant to these
> attacks shouldn't be used with IPsec. But Scott's attack shows that it is not
> enough for the cipher to be resistant to adaptive chosen plaintext attacks.
> The protocol itself also has to be made resistant to these attacks.
>
> Andrew
> -------------------------------------------
> There are no rules, only regulations. Luckily,
> history has shown that with time, hard work,
> and lots of love, anyone can be a technocrat.
>
>
>
> > -----Original Message-----
> > From: owner-ipsec@lists.tislabs.com
> > [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Koning
> > Sent: Tuesday, January 08, 2002 11:42 AM
> > To: warlord@mit.edu
> > Cc: sfluhrer@cisco.com; sheila.frankel@nist.gov; skelly@SonicWALL.com;
> > rob.glenn@nist.gov; ipsec@lists.tislabs.com
> > Subject: Re: Suggested modification to AES privacy draft
> >
> >
> > >>>>> "Derek" == Derek Atkins <warlord@mit.edu> writes:
> >
> > Derek> Scott Fluhrer <sfluhrer@cisco.com> writes:
> > >> - Suppose the attacker (Eve) can send packets through the SA.
> > >> This attacker may be a legitimate user that is not authorized to
> > >> read all the traffic that is routed through the SA.
> >
> > Derek> [snip]
> >
> > >> I would claim that this attack on privacy is unacceptable, as none
> > >> of the assumptions that this attack makes are about things that
> > >> the security of IPSec should rely on. Therefore, I claim that the
> > >> common practice of reusing the previous ciphertext block (which
> > >> allows this attack), or otherwise selecting IVs in a predictable
> > >> manner, should be prohibited.
> >
> > Derek> If you make the first assumption, then Eve either: a) lives on
> > Derek> the same host as Alice, or b) lives behind the same SG as
> > Derek> Alice
> >
> > Derek> In the case of a, Eve clearly has root so can get any keying
> > Derek> information they want. In the case of b, Eve could just
> > Derek> "tcpdump" on the unprotected link between Eve/Alice and the
> > Derek> SG, so IPsec isn't going to protect it.
> >
> > You missed a case, and you also overstated (b).
> >
> > The missing case is a SG with more than one LAN coming out of it,
> > where Eve and Alice are on different ports.
> >
> > Second, for (b), most LANs are largely or entirely switched LANs,
> > which means that Eve will be able to see few if any of the plaintext
> > packets from SG to Alice even if Alice and Eve are on the same
> > subnet.
> >
> > paul
> >
> >
>
--
Jan Vilhuber vilhuber@cisco.com (408) 527-0847
Strategic Cryptographic Development, ITD, Cisco Systems, San Jose
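An added example, not from this thread or from any of its authors, that models the IV-chaining practice Scott Fluhrer's quoted text objects to (the next packet's IV is the previous packet's last ciphertext block) beside the per-packet random IV that the proposed draft change would require. It assumes a keyed-hash stand-in for the AES block function (nothing in it decrypts, so invertibility is not needed); the class names `ChainedIvSA` and `RandomIvSA`, the function `guess_confirmed`, and the sample plaintext blocks are constructed for this example.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # AES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function (an assumption of this example,
    not AES): a keyed PRF truncated to one block. Nothing below decrypts,
    so a non-invertible function is enough to exhibit the CBC chaining
    property being discussed."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C_i = E(P_i XOR C_{i-1}), with C_0 = IV."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class ChainedIvSA:
    """The practice the thread objects to: each packet's IV is the last
    ciphertext block of the previous packet, so anyone who saw that packet
    on the wire knows the IV the next packet will be encrypted under."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_iv = secrets.token_bytes(BLOCK)  # only the first IV is fresh

    def send(self, plaintext: bytes):
        iv = self.next_iv
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.next_iv = ct[-BLOCK:]
        return iv, ct


class RandomIvSA:
    """The alternative: a fresh unpredictable IV per packet, carried with it."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes):
        iv = secrets.token_bytes(BLOCK)
        return iv, cbc_encrypt(self.key, iv, plaintext)


def guess_confirmed(sa, observed_iv: bytes, observed_ct: bytes, guess: bytes) -> bool:
    """Eve observed Alice's packet (observed_iv, observed_ct) on the wire and
    may send one packet of her own through the same SA. Assuming the IV she
    will get is the last block seen (exactly what chaining guarantees), she
    picks a block whose CBC input equals Alice's first-block input iff `guess`
    is Alice's plaintext block, and compares the resulting ciphertext blocks.
    Against a random-IV SA the assumption is false and the comparison fails."""
    predicted_iv = observed_ct[-BLOCK:]
    crafted = xor(xor(guess, observed_iv), predicted_iv)
    _, ct = sa.send(crafted)
    return ct[:BLOCK] == observed_ct[:BLOCK]


def demo() -> dict:
    """Run the same check against both SA types on constructed sample data."""
    key = secrets.token_bytes(32)
    alice_block = b"secret-block-01!"  # 16 bytes, constructed
    wrong_guess = b"secret-block-02!"  # 16 bytes, constructed
    results = {}
    for name, cls in (("chained", ChainedIvSA), ("random", RandomIvSA)):
        sa = cls(key)
        iv, ct = sa.send(alice_block)  # Alice's packet goes out first
        results[name + "_right"] = guess_confirmed(sa, iv, ct, alice_block)
        sa = cls(key)  # fresh SA so Eve's packet again follows Alice's
        iv, ct = sa.send(alice_block)
        results[name + "_wrong"] = guess_confirmed(sa, iv, ct, wrong_guess)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the chained SA the correct guess is confirmed and the wrong one is not; with per-packet random IVs neither is, which is the point of Andrew's summary that cipher strength alone is not enough and the protocol's IV selection has to deny the sender any prediction of the IV.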