Re: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
George Michaelson <ggm@algebras.org> Fri, 29 November 2013 00:40 UTC
Return-Path: <ggm@algebras.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7BCB1AE03C for <ipv6@ietfa.amsl.com>; Thu, 28 Nov 2013 16:40:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CUiweofRwavR for <ipv6@ietfa.amsl.com>; Thu, 28 Nov 2013 16:40:44 -0800 (PST)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 94FA21AD8F5 for <ipv6@ietf.org>; Thu, 28 Nov 2013 16:40:44 -0800 (PST)
Received: by mail-pb0-f44.google.com with SMTP id rq2so13479596pbb.3 for <ipv6@ietf.org>; Thu, 28 Nov 2013 16:40:43 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=CTApggXfMct620S7P6UMfGi1DaV9J7FrO7twyu5vV3g=; b=muHH50586WimmC7NjH+6eD9XQMlIFne5SNl4pnPL8sgP/LZ6o4xEmpKAq6F7EyNDuV 7r4woIM/BYbYqK66tmMfOqJS3CNtuZMhfRHnwDDNJnXdhOL98SVf24UKV9nKbe6OVBUf M4ClGHP3PfzqY7i8XbE3ZTPQ3jgHTJx6BLJW3bm/1cO2HJsrylQHA0BZRBOhDP5Gw+zn HkBhh7puxDxif7C0TBe75PuwcyEowqyzFthQ2yYGioZG6eKRdNqBkO/toKBG5wFKmRzg HpQTWFQ5GwykNlBQYYG4SV2/xek0pHy73/v9ta4ySNQ8qNRVtiwQaQKhNBY8+rjScLK8 UtBw==
X-Gm-Message-State: ALoCoQmQqn0/Wx+Ch0bZ0Lg8FI2NrLy0lxJL9+iyIlbK/7TVU5LOIPcqcjvpwT7u4SAJAeeqgIi0
MIME-Version: 1.0
X-Received: by 10.66.148.97 with SMTP id tr1mr24409670pab.163.1385685643593; Thu, 28 Nov 2013 16:40:43 -0800 (PST)
Received: by 10.70.19.98 with HTTP; Thu, 28 Nov 2013 16:40:43 -0800 (PST)
X-Originating-IP: [2001:dc0:a000:4:e8a4:e332:6ba0:4fe0]
In-Reply-To: <005701ceec99$f54ae240$dfe0a6c0$@rozanak.com>
References: <005701ceec99$f54ae240$dfe0a6c0$@rozanak.com>
Date: Fri, 29 Nov 2013 10:40:43 +1000
Message-ID: <CAKr6gn1VvUiY426X9Y-x4xpQdbBT2Qp6A77jhhO_D6QCbe71XA@mail.gmail.com>
Subject: Re: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
From: George Michaelson <ggm@algebras.org>
To: Hosnieh Rafiee <ietf@rozanak.com>
Content-Type: multipart/alternative; boundary="047d7b6d9fa28e9e5d04ec461443"
Cc: marcelo bagnulo braun <marcelo@it.uc3m.es>, Ray Hunter <v6ops@globis.net>, Derek Atkins <DAtkins@mocana.com>, "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2013 00:40:47 -0000
forgive neophyte questions: the attacker, using this hash-collision mechanism, has effectively gained the right to subvert *one* CGA identified host, right? not an entire /56 subnet: one specific host. and, they still have to achieve path injection, spoofed source, TCP/IP sequencing &c, in order to exploit this attack, against this one host. right? and, the cost of that one host, and its location, is not of the attackers chosing: they don't know in advance, that they can gain entry to any specific CGA, so they cannot direct the attack against a known CGA endpoint: they opportunisitically can attack *SOME* CGA, by virtue of the hash collision: its not clear if its a high- or a low- value endpoint. On Fri, Nov 29, 2013 at 10:28 AM, Hosnieh Rafiee <ietf@rozanak.com> wrote: > > > > > http://tools.ietf.org/html/rfc4982#page-4 Section 4.1 > > > > talks about using an alternative (simpler hash function) to create > collisions. > > Sec = 0 to me equates to a simpler hash function than sec = 1. > > > > quote: > > In other words, the downgrading attack would work as follows: suppose > > that Alice generates a CGA CGA_A using the strong hash function > > HashStrong and using a CGA Parameter Data Structure CGA_PDS_A. The > > selected hash function HashStrong is encoded as an extension field in > > the CGA_PDS_A. Suppose that by using a brute force attack, an > > attacker X finds an alternative CGA Parameter Data Structure > > CGA_PDS_X whose hash value, by using a weaker hash function, is > > CGA_A. At this point, the attacker can pretend to be the owner of > > CGA_A and the stronger hash function has not provided additional > > protection. > > Yes, it can. Because actually the problem is in verification steps and not > in generation. > > > > Yes. The sec value is not protected in any way by the CGA IID itself. > > > > The attacker is free to choose any sec value: either the same as the > defender > > or higher or lower. > > > > If CGA IID's existed in a vacuum that might be a problem. > > > > But if CGA is being used in combination with DAD, that will create a > different > > IPv6 address. > > If the sec value is 0, the addresses won't match with the local node's > tentative > > address. If the sec value is 1, the hashes won't match. > > As far as I know, the problem again here is there is no checking between > the > source address and target address. The verification is on source address > and > the control of the victim node source address is with target address. This > is where gives an attacker the possibility to forge the identity of the > victim CGA node. > > > > > Or equally the sec value can itself be explicitly protected by a > signature, as in > > SEND RFC 3971 signature option, where the full IPv6 address (and thus the > sec > > value) is also protected. > > Well, the attacker has his own public/private key. He generates his own > signature. No node knows the value of the signature. This is why SSAS or > CGA > needs to use the interface ID as a part of preventing the spoofing. When > the > attacker generates the CGA value similar to the victim node (different in > lonely first 3 bits) then he can sign the message with his own private key > and SeND verification is also successful. In the attack scenario that I > explained in CGA-attack, neither the SeND nor CGA could really be any help > to the victim node. > > As I explained before, SeND without CGA cannot protect the node as it is > expected and it is dependent to CGA and now CGA also cannot protect the > node > as it claimed. > > > Smile, > Hosnieh > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
- FW: New Version Notification for draft-rafiee-6ma… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… George Michaelson
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… marcelo bagnulo braun
- Re: FW: New Version Notification for draft-rafiee… Dan Luedtke
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… marcelo bagnulo braun
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Tom Taylor
- RE: FW: New Version Notification for draft-rafiee… Greg Daley
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- Re: FW: New Version Notification for draft-rafiee… Jean-Michel Combes
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee