[IPsec] Garage door - let's pick a different example
Tero Kivinen <kivinen@iki.fi> Fri, 25 July 2014 23:07 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C8411A0402 for <ipsec@ietfa.amsl.com>; Fri, 25 Jul 2014 16:07:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.122
X-Spam-Level:
X-Spam-Status: No, score=-1.122 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YRIy8Em834Oq for <ipsec@ietfa.amsl.com>; Fri, 25 Jul 2014 16:07:47 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C13F1A0401 for <ipsec@ietf.org>; Fri, 25 Jul 2014 16:07:46 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id s6PN7gd6004063 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 26 Jul 2014 02:07:42 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id s6PN7fEh009376; Sat, 26 Jul 2014 02:07:41 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21458.58173.437081.804657@fireball.kivinen.iki.fi>
Date: Sat, 26 Jul 2014 02:07:41 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
In-Reply-To: <53D287BA.2070104@gmail.com>
References: <53D287BA.2070104@gmail.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 5 min
X-Total-Time: 5 min
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/_huPp7-DGa_f33n6qXYT7a-k5jI
Cc: ipsec <ipsec@ietf.org>
Subject: [IPsec] Garage door - let's pick a different example
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jul 2014 23:07:50 -0000
Yaron Sheffer writes: > This might sound like a nit, but we have this text in the draft, as > a use case for null auth: > > "User wants to get some simple action from the remote device. Consider garage > door opener: it must authenticate user to open the door, but it is not > necessary for the user to authenticate the door opener. In this case one-way > authentication is sufficient." > > The problem is, this is an incorrect protocol. Specifically, a MITM (who might > be physically located by the kitchen door), could redirect the protocol > exchange to a door different from the one I intended to open. Seeing that > nothing happens, I will simply press the remote again and open the garage > door, too. > > This is of course a generic problem, where unauthenticated protocols have > unforeseen consequences. No, that is not caused by the unauthenticated protocol, but caused by the same device to be used with two different doors. Even if the device would do full authentication and would verify that the door is in his list of doors which can be opened, attacker could still do the same thing. Only way to get rid of that, would be to either put display on the device telling which door responded, or put multiple buttons to the device and you would have to bind each button to exactly one door (i.e. each button using separate key or shared secret). And, not you do not even need man in the middle in cryptographic sense, just rerouting the packets from the air to the other destination would be enough. So for that kind of uses the devive would need to be tied to exactly one door... -- kivinen@iki.fi
- [IPsec] Garage door - let's pick a different exam… Yaron Sheffer
- [IPsec] Garage door - let's pick a different exam… Tero Kivinen
- Re: [IPsec] Garage door - let's pick a different … Yaron Sheffer
- Re: [IPsec] Garage door - let's pick a different … Hannes Tschofenig
- Re: [IPsec] Garage door - let's pick a different … Yoav Nir
- Re: [IPsec] Garage door - let's pick a different … Hannes Tschofenig
- Re: [IPsec] Garage door - let's pick a different … Valery Smyslov
- Re: [IPsec] Garage door - let's pick a different … Valery Smyslov
- Re: [IPsec] Garage door - let's pick a different … Valery Smyslov
- Re: [IPsec] Garage door - let's pick a different … Yaron Sheffer