RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
"Hosnieh Rafiee" <ietf@rozanak.com> Fri, 29 November 2013 00:28 UTC
Return-Path: <ietf@rozanak.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A95A41AE260 for <ipv6@ietfa.amsl.com>; Thu, 28 Nov 2013 16:28:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a6sXm6sMALPH for <ipv6@ietfa.amsl.com>; Thu, 28 Nov 2013 16:28:48 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by ietfa.amsl.com (Postfix) with ESMTP id B21021AE261 for <ipv6@ietf.org>; Thu, 28 Nov 2013 16:28:45 -0800 (PST)
Received: from kopoli (g231248182.adsl.alicedsl.de [92.231.248.182]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis) id 0LbdtT-1VN3KW0oep-00kob5; Thu, 28 Nov 2013 19:28:44 -0500
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Ray Hunter' <v6ops@globis.net>
Subject: RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
Date: Fri, 29 Nov 2013 01:28:35 +0100
Message-ID: <005701ceec99$f54ae240$dfe0a6c0$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-language: en-us
Thread-index: Ac7sme6IsPv/dQK4SQys2pOhOuurCA==
X-Provags-ID: V02:K0:nejN2ZWQmmaLFSjNBc2QtSqb+w3vLa8SeEpIa2RJsda SZDBOkyDAEdR2H/Lqax6hcTz6L380gTc1BJuqj2yZso3MkhhqD EfPBas7ySV0U/CoaEomk2ihWos5JgDJXdUnOWkQJUeV4fVSCJb w06HD/ztqjxroVxh03/V2agdb3v3yz1kcVw+d/P+aykHVOYwN+ YNlZ35H8b2q2PUYMucKYxdzSyxextFCkWW0g7a27PZy1/JJdWq 7vrsHFDYjjZJeuk1+L9MOZpkGlQcw7r00h4mIFJL4SopNChU5A olTTQ7v4fCbgL9orDNJTTelpfvK/mQ8HqGiEKqYaXs0375nh4j JLCvseJgGCq/aU22YA8g=
Cc: 'marcelo bagnulo braun' <marcelo@it.uc3m.es>, 'Derek Atkins' <DAtkins@mocana.com>, ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2013 00:28:50 -0000
> > > http://tools.ietf.org/html/rfc4982#page-4 Section 4.1 > > talks about using an alternative (simpler hash function) to create collisions. > Sec = 0 to me equates to a simpler hash function than sec = 1. > > quote: > In other words, the downgrading attack would work as follows: suppose > that Alice generates a CGA CGA_A using the strong hash function > HashStrong and using a CGA Parameter Data Structure CGA_PDS_A. The > selected hash function HashStrong is encoded as an extension field in > the CGA_PDS_A. Suppose that by using a brute force attack, an > attacker X finds an alternative CGA Parameter Data Structure > CGA_PDS_X whose hash value, by using a weaker hash function, is > CGA_A. At this point, the attacker can pretend to be the owner of > CGA_A and the stronger hash function has not provided additional > protection. Yes, it can. Because actually the problem is in verification steps and not in generation. > Yes. The sec value is not protected in any way by the CGA IID itself. > > The attacker is free to choose any sec value: either the same as the defender > or higher or lower. > > If CGA IID's existed in a vacuum that might be a problem. > > But if CGA is being used in combination with DAD, that will create a different > IPv6 address. > If the sec value is 0, the addresses won't match with the local node's tentative > address. If the sec value is 1, the hashes won't match. As far as I know, the problem again here is there is no checking between the source address and target address. The verification is on source address and the control of the victim node source address is with target address. This is where gives an attacker the possibility to forge the identity of the victim CGA node. > > Or equally the sec value can itself be explicitly protected by a signature, as in > SEND RFC 3971 signature option, where the full IPv6 address (and thus the sec > value) is also protected. Well, the attacker has his own public/private key. He generates his own signature. No node knows the value of the signature. This is why SSAS or CGA needs to use the interface ID as a part of preventing the spoofing. When the attacker generates the CGA value similar to the victim node (different in lonely first 3 bits) then he can sign the message with his own private key and SeND verification is also successful. In the attack scenario that I explained in CGA-attack, neither the SeND nor CGA could really be any help to the victim node. As I explained before, SeND without CGA cannot protect the node as it is expected and it is dependent to CGA and now CGA also cannot protect the node as it claimed. Smile, Hosnieh
- FW: New Version Notification for draft-rafiee-6ma… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… George Michaelson
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… marcelo bagnulo braun
- Re: FW: New Version Notification for draft-rafiee… Dan Luedtke
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… marcelo bagnulo braun
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Tom Taylor
- RE: FW: New Version Notification for draft-rafiee… Greg Daley
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- Re: FW: New Version Notification for draft-rafiee… Jean-Michel Combes
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee