Re: Replays - thoughts on Gutmann response|
Allan Latham <alatham,AT,flexsys-group,DOT,com>|
Thu, 9 Oct 2003 09:11:14 +0200|
<944775566166B64B9A2DD5EE0159B5CDBA2A@europa.directory.futurefoundations.com> <firstname.lastname@example.org> <3F834DFF.email@example.com>|
I have still not seen this message on the list which I sent yesterday.
Thanks for the comment re TCP KX but:
1. An attacker can idenify the KX packets without further effort.
2. Adds complexity to the program.
3. May cause firewall problems.
4. Doesn't allow the peer to change IP address (dynamic IP).
5. Relies on TCP to provide replay protection.
(Note on point 5. This should be sufficient but as one of the attacks
postualted against CIPE involves the theoretical possibility that attackers
can manipulate a TCP stream by flipping bits in the ciphertext then it seems
pointless relying on TCP to protect KX - we just leave ourselves open to more
My initial objective is to minimise changes to the program(s) involved. Any
added complexity should be aimed at making the KX fully secure from a
cryptography point of view not just tweaking it a bit.
If anyone has a view on KX problems and how we can improve them I would like
to hear it. Currently I don't have time to look at it in detail.
On Wednesday 08 October 2003 01:36, Sandino Araico Sanchez wrote:
> Allan Latham wrote:
> >If that were all, my opinion would be that we don't have a replay problem
> > with CIPE. Unfortunately there are some concerns:
> >1. ICMP and UDP traffic could possibly be replayed to cause a DOS attack.
> >2. Key exchange replays may allow an attacker to force CIPE to use the
> > static key or an already cracked dynamic key.
> >I hope to cover the whole subject of how to harden key exchange later.
> If we use TCP instead of UDP for key exchange the replay problem can be
> worked around and there's no performance impact since there's no TCP
> over TCP encapsulation in key exchange.
> There's lower complexity using UDP exclusively for traffic and TCP
> exclusively for key exchange since we don't need to find out if the
> received UDP package contains a package or a key. When we are sure no
> UDP package contains a key we just need to check integrity, decrypt the
> encapsulated package and pass it to the upper layer so the process is