RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
"Hosnieh Rafiee" <ietf@rozanak.com> Fri, 29 November 2013 00:28 UTC
Return-Path: <ietf@rozanak.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EC081AE260 for <ipv6@ietfa.amsl.com>; Thu, 28 Nov 2013 16:28:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id geRUaD2j1isK for <ipv6@ietfa.amsl.com>; Thu, 28 Nov 2013 16:28:41 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by ietfa.amsl.com (Postfix) with ESMTP id F16691AE25B for <ipv6@ietf.org>; Thu, 28 Nov 2013 16:28:40 -0800 (PST)
Received: from kopoli (g231248182.adsl.alicedsl.de [92.231.248.182]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0MFcwX-1VpED72NC1-00ESlQ; Thu, 28 Nov 2013 19:28:31 -0500
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Christian Huitema' <huitema@microsoft.com>, 'Ray Hunter' <v6ops@globis.net>
Subject: RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
Date: Fri, 29 Nov 2013 01:28:20 +0100
Message-ID: <005601ceec99$ed4cfc40$c7e6f4c0$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-language: en-us
Thread-index: Ac7smeEVNwYyIhAhQU6l3NdCwlajXw==
X-Provags-ID: V02:K0:aVqmtfkBMWVsYjtEUlh0ZL/yNQIrEHhlo2uaK6QyLiQ vSEI6PKQv8TB/GYVaYuqoV7YVFkyh//E7Yro3MGBx1BEbdZpsM 23CxmpI1OdPpkBtoq6Glif24ligyaNofx8whZIVS9Js7qIxuZR 5UIJJY6GGRSDGvq9LLzT3E5V2Ag2eFRRiQpuvYrctJIeW7YFVR RKT5LZGJv4yCjHB34t+DH0b5pynpDjK9QsVeHtDq/UpaZUKx++ FKE6VOhPDqZ3qAfyL3oYy8AMNT2bQQWabLmpgqZTZEINZhU4hx S/YPqKSnIXi/2n5Ah9MAyqdhEM7jE8WNWGL0gEwDKP94Jj7MsO dd6l7uQ1apfE5UK0zH80=
Cc: 'marcelo bagnulo braun' <marcelo@it.uc3m.es>, ipv6@ietf.org, Erik Nordmark <nordmark@sonic.net>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2013 00:28:44 -0000
Hi Christian, During my conference I had a really nice discussion with some crypto experts professors about SHA1, SHA2, SHA3, CGA algorithm and the birthday attack. I guess people here get confused with two different security aspects. First is the complexity of breaking a hash function and the other is finding collision (which is not breaking the hash function but finding a value that hash a similar hash). The birthday paradox is for the latter case and not for the first case. Now, here we assume that the default hash function is SHA1, the complexity of finding a collision in this hash functions is 2^160 and with birthday paradox is 2^80 and some people also could do it in 2^60. Now we have only a part of this hash function that is only 59 bits for CGA sec value 0. So the complexity of brute forcing and breaking it is 2^(number of bits) that is 2^59. But according to birthday paradox, ( you can refer to birthday paradox attack), finding collision in hashes is half of the exponential of brute force searching , this means for CGA sec value 0, this value is 2^(29.5). Now, let's have a simple calculate for other sec values. Sec value 1 => 2^(59+16) for brute force searching => for birthday paradox => 2^(30) This is actually the total security you obtain with sec value 1 and we know that the other sec values are not ideal to use Sec value 2=> 2^(59+32) for brute force searching => for birthday paradox => 2^(45.5) So you dramatically decreased the performance but you only could gain 15 more bits. ... You can continue this calculation for all sec values. This is actually what I am going to add to the draft to clarify it. The other interesting discussion during the conference was that whether it is different to use SHA1, SHA2 or SHA3. The answer was not so much really. The reason was because we only have a part of hash and not the whole hash value. So we really do not use the whole strength of this hash. Here I just give you some references for SHA1, SHA2... breaking @Ray, I guess in this email you can find the answer to the most questions that you asked in the other email. Address to the brute force attack(not birthday attack) http://www.hpi.uni-potsdam.de/meinel/security_tech/ipv6_security/ipv6ssl.htm l (cga multicore) here you can find also other attacks as well. As soon as Fabian finishes the birthday attack, I will share it. He is going to prepare also the GPU version. (Really thanks to him ) > The CGA mechanism protects an IPv6 address. All the identifier bits are part of > the IPv6 address. If an attacker uses a different SEC value, it is not attacking > the protected IPv6 address, but a different one. I guess I am repeating myself here as I explained it before that how this attack can happens. Unfortunately this is not true. Let me explain it in a simple example I am attacker and generate the address x. node A generates the address y. x and y are only different in the first 3 leftmost bits of the address. The attacker sets destination address of the packets to multicast group of the victim address, target address to the exact address of victim and source address to x. Due to verification process. When the nodes receive NS/NA packets that the destination address is to the multicast group, all nodes check the target address specified in the message. If it is the same as their own address, they start verifications of the source address and ignore the leftmost 3 bits. This is actually gives this possibility for the attacker to use different sec value since the node ignore these 3 bits in verification and only use these 3 bits to know what the other CGA node used to generate such address so that they can verify it. This means they verify the sender node with his own sec value and not their own. So, this is successful and the owner just tries to increment the collision count (the attacker can do the same and generate again the same value :-) and after 3 tries, the legitimate CGA node stops further tries and the attacker is successful! Now, consider another scenario where the nodes are checks the reachability of other nodes in their neighboring cache (a table that exist in their memory). The nodes in the network sends a message "anybody still using this address", what I understood from RFC 4861, all checks is based on the target address. Also the node modifies the value of the cache if it sees any changes of the value with what he has in the cache as a link layer address. Everytime any other nodes wants to communicate with original CGA node, they start with these NS messages. Since the attacker node's CGA value can be verified by the other nodes, he can starts the communication with the other node and forge the identity of the victim CGA node. He can either send several packets with false CGA value and make the victim node busy with that communication while starting the communication with other nodes since for this attack, the attacker node has time to generate the same value as the CGA nodes inside this network offline (does not need to create a rainbow table but it can only tries to find the similar values as what other nodes have in this network to forge their identity whenever they wanna start any communication with any other nodes in this network. The attacker can also play MITM. Since he can then forge the identity of both side with his CGA values that is only different in the first 3 leftmost bits to those of the two communicating nodes. This is actually where the CGA document claim to make these attacks more complex but it is not as complex as it was claimed. > > We also thought that it would take 2^59 but this is not true too based on > Birthday paradox attack. > > This is a serious misunderstanding of the birthday paradox. The paradox states > that if a number can take N values, it takes about sqrt(N) random trials for > having 50% chance to find the same number twice. But the number found is a > random number. > The birthday paradox does not apply in the scenario where you try to find a > specific value. If a number can take N values, it takes about N/2 trials before > having 50% chance to find the target number. I actually explained this in my above message. I can provide you with birthday paradox references. > > So what? The attacker ends up using an IPv6 address that has many bits in > common as the target address, but it different. There is no masquerading. The > attack that you are describing just does not work. If it is DAD process, the attacker will not let the CGA node to configure its address. After 3 tries as I explained earlier the CGA node stops further attempts. > > Hosnieh, your draft also mentions a duplicate address attack. That attack is > already described in RFC 3971 (SEND), with a proposed mitigation: > > 9.2.3. Duplicate Address Detection DoS Attack > > This attack is described in Section 4.1.3 of [22]. SEND counters > this attack by requiring that the Neighbor Advertisements sent as > responses to DAD include an RSA Signature option and proof of > authorization to use the interface identifier in the address being > tested. If these prerequisites are not met, the node performing DAD > discards the responses. > > Do you have a novel way to break these mitigations? I explained before that how it happens. Please check my example scenarios. What is saying here is different. The attacker does not have invalid Signature since he generates himself the public private key and only tried to find collision in the hash of the victim node but with different sec value. So, this step really does not help to protect the node against the attack I am talking about. Smile, Hosnieh
- FW: New Version Notification for draft-rafiee-6ma… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… George Michaelson
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… marcelo bagnulo braun
- Re: FW: New Version Notification for draft-rafiee… Dan Luedtke
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… marcelo bagnulo braun
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Tom Taylor
- RE: FW: New Version Notification for draft-rafiee… Greg Daley
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- Re: FW: New Version Notification for draft-rafiee… Jean-Michel Combes
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee