RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt

["Hosnieh Rafiee" <ietf@rozanak.com>]

Christian,

> The birthday paradox really does not apply in the SEND case. It would
allow an
> attacker to generates two keys that map to the same IPv6 address, but it
> would not allow the attacker to target a specific address, you will need
the
> brute force attack for that.


As far as I know, Birthday attack applies to hash functions and not the key
which is used by SSAS. SSAS didn't use any hash function for IP generation.

 
> There is a related attack, against a group. Suppose a subnet of, say, 1024
> nodes using SEND. An attacker that generates random value has 1024 chances
> each time to find a match not for one specific node, but for some random
> member of the subnet. It will need about 2^49 trials with SEND.

https://www.hackthissite.org/articles/read/1066

In CGA, we have a hash function or like the above example, we have a hash
password. What is important for us is only find another message that leads
to the same hash. This is where birthday paradox applies. So, in CGA, the
attacker really does not care what is the content of your message, it cares
about the hash value. He only wants to have another message (or in birthday
paradox to have another person with the same birthday that matches yours) to
match yours.


> Of course, your SSAS proposal is also susceptible to that attack. In your
design,
> the 64 bits are directly derived from the key, without mixing any subnet
> prefix. Suppose an attacker lists 1 million SSAS address from the DNS. In
2^44
> trials, it will be able to find a match for at least one of them.
> 
> The value of the SEC field does not change the number of required trials,
but
> it makes each trial 2*(16*SEC) times more expensive.
> 
> >> The CGA mechanism protects an IPv6 address. All the identifier bits
> >> are part of the IPv6 address. If an attacker uses a different SEC
> >> value, it is not attacking the protected IPv6 address, but a different
one.
> >
> > I guess I am repeating myself here as I explained it before that how
> > this attack can happens
> 
> I think you are repeating yourself. If an address differs by a few bits,
it is a
> different address. The CGA mechanism answers the question, "is the sender
> the legitimate owner of the specific address." To spoof the address, you
have
> to present a candidate that matches the target completely, including the
SEC
> bits.


As I am repeating here, the problem is the verification in all nodes and
also in CGA nodes or how these nodes behave during the verification. This
actually initiate this attack and make it possible. I only refer you to NDP
document. Because I several times explained that sec value really doesn't
help and the reason is the way they verify the node. Target address as you
know is different than the source address. You only need to have the victim
target address but different source address that follows the condition of
verification that is it is enough to match only 59 bits of the Interface ID.
SeND as I explained before only adds four options and explain them and ask
the nodes to use them to verify the other node but it does not change the
way NDP works. 

Smile,
Hosnieh