IETF Logo Mail Archive

RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt

"Hosnieh Rafiee" <ietf@rozanak.com> Fri, 29 November 2013 00:28 UTC

Return-Path: <ietf@rozanak.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A95A41AE260 for <ipv6@ietfa.amsl.com>; Thu, 28 Nov 2013 16:28:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a6sXm6sMALPH for <ipv6@ietfa.amsl.com>; Thu, 28 Nov 2013 16:28:48 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by ietfa.amsl.com (Postfix) with ESMTP id B21021AE261 for <ipv6@ietf.org>; Thu, 28 Nov 2013 16:28:45 -0800 (PST)
Received: from kopoli (g231248182.adsl.alicedsl.de [92.231.248.182]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis) id 0LbdtT-1VN3KW0oep-00kob5; Thu, 28 Nov 2013 19:28:44 -0500
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Ray Hunter' <v6ops@globis.net>
Subject: RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
Date: Fri, 29 Nov 2013 01:28:35 +0100
Message-ID: <005701ceec99$f54ae240$dfe0a6c0$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-language: en-us
Thread-index: Ac7sme6IsPv/dQK4SQys2pOhOuurCA==
X-Provags-ID: V02:K0:nejN2ZWQmmaLFSjNBc2QtSqb+w3vLa8SeEpIa2RJsda SZDBOkyDAEdR2H/Lqax6hcTz6L380gTc1BJuqj2yZso3MkhhqD EfPBas7ySV0U/CoaEomk2ihWos5JgDJXdUnOWkQJUeV4fVSCJb w06HD/ztqjxroVxh03/V2agdb3v3yz1kcVw+d/P+aykHVOYwN+ YNlZ35H8b2q2PUYMucKYxdzSyxextFCkWW0g7a27PZy1/JJdWq 7vrsHFDYjjZJeuk1+L9MOZpkGlQcw7r00h4mIFJL4SopNChU5A olTTQ7v4fCbgL9orDNJTTelpfvK/mQ8HqGiEKqYaXs0375nh4j JLCvseJgGCq/aU22YA8g=
Cc: 'marcelo bagnulo braun' <marcelo@it.uc3m.es>, 'Derek Atkins' <DAtkins@mocana.com>, ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2013 00:28:50 -0000

> >
> http://tools.ietf.org/html/rfc4982#page-4 Section 4.1
> 
> talks about using an alternative (simpler hash function) to create
collisions.
> Sec = 0 to me equates to a simpler hash function than sec = 1.
> 
> quote:
>    In other words, the downgrading attack would work as follows: suppose
>    that Alice generates a CGA CGA_A using the strong hash function
>    HashStrong and using a CGA Parameter Data Structure CGA_PDS_A.  The
>    selected hash function HashStrong is encoded as an extension field in
>    the CGA_PDS_A.  Suppose that by using a brute force attack, an
>    attacker X finds an alternative CGA Parameter Data Structure
>    CGA_PDS_X whose hash value, by using a weaker hash function, is
>    CGA_A.  At this point, the attacker can pretend to be the owner of
>    CGA_A and the stronger hash function has not provided additional
>    protection.

Yes, it can. Because actually the problem is in verification steps and not
in generation.

 
> Yes. The sec value is not protected in any way by the CGA IID itself.
> 
> The attacker is free to choose any sec value: either the same as the
defender
> or higher or lower.
> 
> If CGA IID's existed in a vacuum that might be a problem.
> 
> But if CGA is being used in combination with DAD, that will create a
different
> IPv6 address.
> If the sec value is 0, the addresses won't match with the local node's
tentative
> address. If the sec value is 1, the hashes won't match.

As far as I know, the problem again here is there is no checking between the
source address and target address. The verification is on source address and
the control of the victim node source address is with target address. This
is where gives an attacker the possibility to forge the identity of the
victim CGA node.

> 
> Or equally the sec value can itself be explicitly protected by a
signature, as in
> SEND RFC 3971 signature option, where the full IPv6 address (and thus the
sec
> value) is also protected.

Well, the attacker has his own public/private key. He generates his own
signature. No node knows the value of the signature. This is why SSAS or CGA
needs to use the interface ID as a part of preventing the spoofing. When the
attacker generates the CGA value similar to the victim node (different in
lonely first 3 bits) then he can sign the message with his own private key
and SeND verification is also successful. In the attack scenario that I
explained in CGA-attack, neither the SeND nor CGA could really be any help
to the victim node. 

As I explained before, SeND without CGA cannot protect the node as it is
expected and it is dependent to CGA and now CGA also cannot protect the node
as it claimed.


Smile,
Hosnieh

v2.23.0 | Report a Bug | By Email