RE: Data integrity check in CIPE - Please explain me the necessity or benefit of a larger checksum.
"Mark Smith" <mark.smith,AT,avcosystems,DOT,co,DOT,uk>
Mon, 29 Sep 2003 13:05:11 +0100

(PLEASE, everyone, when replying send only to list, not to person and list -
I get two copies)

> * Existing packets: possible within the lifetime of the dynamic key (15
> minutes IIRC, so 7 min. on average) It will be seen as duplicated packets
> within the tunnel traffic.

If this were part of a complete sequence, replaying it a few seconds later
could be catastrophic. Even if it were TCP, a new connection faked
correctly could cause, for example, a database transaction to be repeated,
or worse. Replay is an issue - not just duplicate packets sent at the same
time. Coupled with the checksum issue, as one of those packets may even
have been modified, and you're looking at a vulnerability that can be used
by someone capable of sniffing and introducing their own packets into the

> * Impossible IMHO, since it is computed from the encrypted packet.

Could the payload be altered to include such a CRC, and compare both the new
and existing checksums to determine if the packet has been altered?

Mark Smith - Avco Systems Ltd
Tel: +44 (0)1784 430996 Fax: +44 (0)1784 431078
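
The replay and modification concerns discussed in this message, as an added example that is not part of the original post and is not CIPE's code: a receiver that checks a keyed tag and tracks sequence numbers in a sliding window rejects both a modified packet and an exact copy sent again, while a checksum-only check accepts the copy. The packet layout, the names `seal`, `crc_only_check` and `Receiver`, and the 64-packet window are assumptions made for illustration.

```python
import hashlib, hmac, struct, zlib

TAG_LEN = 32   # HMAC-SHA256 output size
WINDOW = 64    # how far behind the newest sequence number is still tracked

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Constructed format: 8-byte sequence number | payload | HMAC tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def crc_only_check(data_with_crc: bytes) -> bool:
    """Checksum-only receiver: an exact copy sent again still verifies."""
    data, crc = data_with_crc[:-4], data_with_crc[-4:]
    return struct.pack(">I", zlib.crc32(data)) == crc

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = -1  # newest sequence number accepted so far
        self.seen = 0      # bit i set => (highest - i) was already accepted

    def accept(self, packet: bytes) -> str:
        if len(packet) < 8 + TAG_LEN:
            return "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "modified"          # state is untouched by bad packets
        seq = struct.unpack(">Q", body[:8])[0]
        if seq > self.highest:         # newer than anything seen: slide window
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return "ok"
        offset = self.highest - seq
        if offset >= WINDOW:
            return "too old"           # cannot tell fresh from replayed
        if self.seen & (1 << offset):
            return "replay"
        self.seen |= 1 << offset       # late but genuine, first time seen
        return "ok"
```

The window lets packets that arrive out of order through once, which matters for a tunnel carried over UDP, and the state it keeps is only an integer and a bitmask per peer.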