Re: Comments re ISC's announcement on bind9 security



Given the extremely small amount of space for randomization (16-bit
query ID's) does a cryptographically strong PRNG really make
difference?

For a couple of decades the original algorithm was simply id++. Yes,
it makes a difference to use a slightly more sophisticated and
essentially "resource-free" algorithm, at least against some of the
potential "attacks".

Not all attacks stand on their own. The ID behaviour is typically
part of the problem space that an attacker has to deal with when some
other DNS problem is being attacked.

The main problem space people are talking regards DNS servers. But
the same (or similar) algorithm can also be used in resolver libraries
(ie. inside libc) to deal with other (different or similar...)
potential "attacks".

The algorithmic complexity of going from id++ to something more
sophisticated places no great burden on anyone... the machines can
handle it... so why not just do it. We don't need an uber-secure
PRNG.... since it is only a 16 bit exposed space. But it is good if
it has a few other "characteristics".

Aside from stopping an easy prediction, doesn't it just generate a
little extra work for a determined malicious individual?

The worst case for the attacker requires 65536 responses instead of 1.

Some style of attacks can require less.

If the computation / network costs of predicting a 16-bit PRNG is
higher than the cost of simply slamming with 65536 packets, attackers
will use the latter method.

But there are always mitigating factors... Maybe an attacker can't
generate that much traffic, or maybe he doesn't want to because he can
be spotted.. etc. There are other factors that select against doing
DNS attacks like this, such as the various any-cast architecture some
servers are setup with.

It _is_ a 16 bit ID space, and that is not fixable inside the strict
DNS protocol, but that still leaves us room to do the best job with
what we have, rather than do nothing at all. Some people appear to be
on the edge of arguing that we do nothing.

Seems to be a moot point to me---whether the PRNG is
cryptographically weak or not because of the small sequence number
space.

Around 10 years ago the PRNG used was id++.

I still think that the algorithm we invented as a group with Niels
Provos, David Mazieres, some researchers at Core SDI, and further
improved by David Wagner is better than what ISC is shipping. We've
been using our algorithm for 10+ years, too. Not just for DNS ID's
but also for the related problem of IP ID's. Every packet our
machines generate hits the same algorithm, to help a bit with the IP
ID ++ issues.

Relative to the new ISC code... ours is not worse. But it is simpler,
and non-heuristical in nature. It is just plainly mathematical,
designed by math nerds who we asked to help. And it is a lot less
code to do the same thing.

But perhaps it doesn't matter that much. At least we are not back in the
days of id++ on all systems. Though I suspect there are still lots of
DNS libraries and other similar subsystems.........



Relevant Pages

  • Password "security" - was"Passwords with Lan Manager (LM) under Windows" and &qu
    ... it is limited to 7 characters, when NTLM is up to 14 in older Windows, ... Algorithm 256 encryption algorithm and AES ... etc) will have infinite collisions. ... Final rant, other attacks on passwords... ...
    (Pen-Test)
  • Re: Security of Secret Algorithm encruption
    ... > how difficult is it to attack an arbitrary and unknown algorithm? ... cracks that attackers can use for compromise. ... secret algorithm that was supposed to be widely deployed ... ... so the threat models are not only how difficult are frontal attacks ...
    (sci.crypt)
  • Re: How to pick best encryption algorithm based on application
    ... the optimum encryption algorithms for your particular application. ... severley affected if one algorithm is better at treating a continuous ... AES and other AES contest finalist will be unfeasible to break from a ... we should take in account not only attacks to the algorithm ...
    (sci.crypt)
  • Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit
    ... If you use an ecryption algorithm to store/get data into/from the ... database you will not be able to do SQL injections? ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are launched on shopping carts, forms, ...
    (Pen-Test)
  • Re: Random delay as a countermeasure to timing attacks
    ... random delays is an efficient countermeasure against timing ... and are the only randomness in the adversary's measurements. ... One of the key features of an algorithm are that it be fast. ... where other attacks such as brute force ...
    (sci.crypt)