Re: A small problem in security protocol



wt.eric@xxxxxxxxx wrote:
Thanks for your response. Maybe I didn't give a clear description. My
problem is this: when an agent receives an encrypted message (we assume
a signed message here), without explicit fields in the protocol for the
message sequence number and the sender's ID, how does he rapidly get to
know which message of which protocol this message is, and which keys he
should use to decrypt the message?

If the message has no cleartext hints about sender/session, the recipient has to try each active security association to see which one matches. That is bad. It puts lots of computational load on the recipient. An attacker can send bogus packets to overload the recipient.

BTW, modern protocols try to do the opposite. To initiate a session the other end has to compute a "puzzle" before the recipient dedicates any resources to the negotiation. That way the attacker can't overload the machine unless she has an even bigger machine.

-- Lassi

Lassi Hippeläinen wrote:
wt.eric@xxxxxxxxx wrote:
In many protocols under academic discussion (like the NSPK protocol,
the Big-mouth-frog protocol, etc.) there is no explicit field in some
messages that shows which step of which protocol this message is and
who the sender of this message is. Is that a problem?
As a general answer (I'm not familiar with the protocols in question):
yes. This is a potential DoS attack vector. If an attacker can inject
messages into the stream, they can knock the state machines out of sync.
Even worse attacks, e.g. session hijack, could be possible if the
protocols aren't designed against it.

That's why many protocols carry cookies or nonces as a security feature.

-- Lassi
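The two points Lassi makes above (trial-matching every active security association when nothing in the clear identifies the sender, and making the initiator solve a puzzle before the responder commits state) can be shown side by side in a small simulation. This is an added example, not code from the thread or from any of the protocols mentioned; it assumes a cleartext 4-byte SPI header, HMAC-SHA256 as the per-association check, a hash-based puzzle of 12 leading zero bits, and deterministic keys so the run is reproducible. All names and values here are constructed for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32          # HMAC-SHA256 output length
PUZZLE_BITS = 12      # puzzle hardness; chosen for this example, not from the thread


def make_sa_table(count):
    """Build a table of security associations keyed by a cleartext SPI.
    Keys are derived from the index only so the example is reproducible;
    a real implementation negotiates them."""
    table = {}
    for i in range(count):
        spi = 0x1000 + i
        table[spi] = hashlib.sha256(b"example-sa-key-%d" % i).digest()
    return table


def seal(key, spi, payload, include_spi):
    """Authenticate payload under one SA. With include_spi the message
    carries a 4-byte SPI header in the clear in front of the MAC."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    header = struct.pack(">I", spi) if include_spi else b""
    return header + mac + payload


def receive_without_hint(table, msg):
    """No identifier in the clear: the recipient must try every SA.
    Returns (spi, attempts); a bogus message costs one MAC per SA."""
    mac, payload = msg[:MAC_LEN], msg[MAC_LEN:]
    attempts = 0
    for spi, key in table.items():
        attempts += 1
        if hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), mac):
            return spi, attempts
    return None, attempts


def receive_with_spi(table, msg):
    """SPI in the clear: one dictionary lookup and one MAC check,
    whatever the table size. Returns (spi, attempts)."""
    (spi,) = struct.unpack(">I", msg[:4])
    key = table.get(spi)
    if key is None:
        return None, 1
    mac, payload = msg[4:4 + MAC_LEN], msg[4 + MAC_LEN:]
    ok = hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), mac)
    return (spi if ok else None), 1


def _has_leading_zero_bits(digest, bits):
    value = int.from_bytes(digest, "big")
    return value >> (len(digest) * 8 - bits) == 0


def issue_puzzle(responder_secret, client_id):
    """Responder side: a challenge bound to the client that is recomputed
    later rather than stored, so issuing it allocates no state."""
    return hmac.new(responder_secret, client_id, hashlib.sha256).digest()


def solve_puzzle(challenge, bits):
    """Initiator side: search for a counter such that
    SHA-256(challenge || counter) starts with `bits` zero bits.
    Expected cost grows as 2**bits."""
    counter = 0
    while not _has_leading_zero_bits(
            hashlib.sha256(challenge + struct.pack(">Q", counter)).digest(), bits):
        counter += 1
    return counter


def verify_puzzle(responder_secret, client_id, counter, bits):
    """Responder side: one HMAC and one hash regardless of solver effort.
    Session state should only be allocated once this returns True."""
    challenge = issue_puzzle(responder_secret, client_id)
    digest = hashlib.sha256(challenge + struct.pack(">Q", counter)).digest()
    return _has_leading_zero_bits(digest, bits)


if __name__ == "__main__":
    table = make_sa_table(50)
    spi = 0x1000 + 37
    print(receive_without_hint(table, seal(table[spi], spi, b"hello", False)))
    print(receive_without_hint(table, b"\x00" * MAC_LEN + b"junk"))
    print(receive_with_spi(table, seal(table[spi], spi, b"hello", True)))
    secret, client = b"responder-secret", b"192.0.2.10:500"
    answer = solve_puzzle(issue_puzzle(secret, client), PUZZLE_BITS)
    print(verify_puzzle(secret, client, answer, PUZZLE_BITS))
```

The asymmetry is the point: without a hint, a forged message costs the recipient one MAC computation per active association, so the work an attacker imposes scales with the recipient's own table size, while the SPI variant pins that cost at one lookup plus one check, and the puzzle moves the expensive step (a 2**12 search on average) to the initiator while verification stays constant-time for the responder.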
