IETF Logo Mail Archive

Re: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt

Ray Hunter <v6ops@globis.net> Fri, 29 November 2013 20:59 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86EA11ADF6C for <ipv6@ietfa.amsl.com>; Fri, 29 Nov 2013 12:59:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xE_DsV_GHts9 for <ipv6@ietfa.amsl.com>; Fri, 29 Nov 2013 12:59:47 -0800 (PST)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 0A6841ADE87 for <ipv6@ietf.org>; Fri, 29 Nov 2013 12:59:47 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 4B4E0870F93; Fri, 29 Nov 2013 21:59:41 +0100 (CET)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PG7C1gIPGNdp; Fri, 29 Nov 2013 21:59:41 +0100 (CET)
Received: from Rays-iMac-2.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id 2F815870066; Fri, 29 Nov 2013 21:59:40 +0100 (CET)
Message-ID: <5299003A.7000704@globis.net>
Date: Fri, 29 Nov 2013 21:59:38 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.8 (Macintosh/20130427)
MIME-Version: 1.0
To: Hosnieh Rafiee <ietf@rozanak.com>
Subject: Re: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
References: <005701ceec99$f54ae240$dfe0a6c0$@rozanak.com>
In-Reply-To: <005701ceec99$f54ae240$dfe0a6c0$@rozanak.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: 'marcelo bagnulo braun' <marcelo@it.uc3m.es>, 'Derek Atkins' <DAtkins@mocana.com>, ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2013 20:59:48 -0000

> Hosnieh Rafiee <mailto:ietf@rozanak.com>
> 29 November 2013 01:28
>> http://tools.ietf.org/html/rfc4982#page-4 Section 4.1
>>
>> talks about using an alternative (simpler hash function) to create
> collisions.
>> Sec = 0 to me equates to a simpler hash function than sec = 1.
>>
>> quote:
>>    In other words, the downgrading attack would work as follows: suppose
>>    that Alice generates a CGA CGA_A using the strong hash function
>>    HashStrong and using a CGA Parameter Data Structure CGA_PDS_A.  The
>>    selected hash function HashStrong is encoded as an extension field in
>>    the CGA_PDS_A.  Suppose that by using a brute force attack, an
>>    attacker X finds an alternative CGA Parameter Data Structure
>>    CGA_PDS_X whose hash value, by using a weaker hash function, is
>>    CGA_A.  At this point, the attacker can pretend to be the owner of
>>    CGA_A and the stronger hash function has not provided additional
>>    protection.
>
> Yes, it can. Because actually the problem is in verification steps and not
> in generation.

No. This is exactly what you've described in your draft. Attacker X has
created a colliding version of Alice's hash, but with a different sec value.
>  
>> Yes. The sec value is not protected in any way by the CGA IID itself.
>>
>> The attacker is free to choose any sec value: either the same as the
> defender
>> or higher or lower.
>>
>> If CGA IID's existed in a vacuum that might be a problem.
>>
>> But if CGA is being used in combination with DAD, that will create a
> different
>> IPv6 address.
>> If the sec value is 0, the addresses won't match with the local node's
> tentative
>> address. If the sec value is 1, the hashes won't match.
>
> As far as I know, the problem again here is there is no checking between the
> source address and target address. The verification is on source address and
> the control of the victim node source address is with target address. This
> is where gives an attacker the possibility to forge the identity of the
> victim CGA node.
No.

Because every node performing DAD defends its own local tentative
address. If the Sec value is different on the attack packet. it will NOT
match the tentative address of the defending interface, and the node
won't even contemplate triggering DAD.
>> Or equally the sec value can itself be explicitly protected by a
> signature, as in
>> SEND RFC 3971 signature option, where the full IPv6 address (and thus the
> sec
>> value) is also protected.
>
> Well, the attacker has his own public/private key. He generates his own
> signature. No node knows the value of the signature. This is why SSAS or CGA
> needs to use the interface ID as a part of preventing the spoofing. When the
> attacker generates the CGA value similar to the victim node (different in
> lonely first 3 bits) then he can sign the message with his own private key
> and SeND verification is also successful. In the attack scenario that I
> explained in CGA-attack, neither the SeND nor CGA could really be any help
> to the victim node. 
No.

You have exactly the same problem in CGA and SSAS, no matter how the
address is "verified", you have to establish a trust anchor relationship.

This is covered by the phrase in RFC 3971

"If the use of a trust anchor has been configured, a valid
      certification path (see Section 6.3) between the receiver's trust
      anchor and the sender's public key MUST be known."

Just because the signed address can be verified against the public key
(of the sender / attacker, and which public key has been potentially
transported in the very same packet as the spoofed hash) does not mean
that the contents are immediately "trusted".

The public key of the sender also has to be somehow verified by the
receiving node.

That is the real implementation problem here: Given end nodes A and B
and a router R and an spoofed router SR, which combination of
modes/partnerships is truly trusted, and who is an attacker and how can
you know, without a pre-established trust-anchor?

That trust anchor bootstrap has got nothing to do with the signing
mechanism itself.
> As I explained before, SeND without CGA cannot protect the node as it is
> expected and it is dependent to CGA and now CGA also cannot protect the node
> as it claimed.
I disagree.
>
> Smile,
> Hosnieh
>
> ------------------------------------------------------------------------


-- 
Regards,
RayH

v2.23.0 | Report a Bug | By Email