RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
"Hosnieh Rafiee" <ietf@rozanak.com> Sun, 08 December 2013 23:01 UTC
Return-Path: <ietf@rozanak.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3913A1AE11B for <ipv6@ietfa.amsl.com>; Sun, 8 Dec 2013 15:01:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FRRFmJPHFP_c for <ipv6@ietfa.amsl.com>; Sun, 8 Dec 2013 15:01:09 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id 944F41AE06E for <ipv6@ietf.org>; Sun, 8 Dec 2013 15:01:09 -0800 (PST)
Received: from kopoli (g231251244.adsl.alicedsl.de [92.231.251.244]) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis) id 0M2sXu-1VXRVv3nPC-00rzn3; Sun, 08 Dec 2013 18:01:02 -0500
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Jean-Michel Combes' <jeanmichel.combes@gmail.com>
References: <20131125140405.14510.36261.idtracker@ietfa.amsl.com> <007701ceea31$05106260$0f312720$@rozanak.com> <CAA7e52r8zPnEDyGfbz+LKjxVAqfoYd+W0e6SU6Sv=chA07LQgg@mail.gmail.com>
In-Reply-To: <CAA7e52r8zPnEDyGfbz+LKjxVAqfoYd+W0e6SU6Sv=chA07LQgg@mail.gmail.com>
Subject: RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
Date: Mon, 09 Dec 2013 00:00:54 +0100
Message-ID: <008601cef469$5d2ce5d0$1786b170$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFcy6ZEAgkCvPF12cG9eyx+VjbUAgEDUFtmAnjb5EKbEy3/YA==
Content-Language: en-us
X-Provags-ID: V02:K0:GDAg29Qjs2ky5Xjzpd61IHSotJ4F4ildp8/mdNjdu1G mjfuNzbmtyT6QSmBbKvbf77WsAVTAuoR0BwUsyNgOw2BnUjTbg AH79/8yLrqfgLuIu4+TdBXATyTMgsL2vlo6PeebNlxe/dsjxD9 HXJ4gB1YrEI0pVTpder4QOGFJcyrTgvduiWhXi0tPSvE+pTpRU qJ7woF7CAOn/gMRKJtfBjwP0KmTDZA0piWeQWlybYhAbc0zTi7 ilLhMDpOspYrCR+k1K0MEves6bcRhIKRfNTvRfiq3IpCqm4JO8 vi02SMGNxifpDbUFFK3Nq9OSMfdmsd1JlnuBuoZ9tJ9QrND5Mm nne+7VS+NPUOS6i/2MGA=
Cc: 'marcelo bagnulo braun' <marcelo@it.uc3m.es>, '6man Mailing List' <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Dec 2013 23:01:12 -0000
Hi Jean, Please find my responses as below: >o No comparison of source address with target address >This argument is not valid because, when SEND is used the "Target Address in Neighbor Advertisement is required to be equal to the source address of the packet" (cf. RFC 3971, Section 7.4) The section you discussed about is " SeND limitations" and nothing about the comparison of source address with the target address. I guess you pointed me to somewhere that does not talk about what you argued. I could not find anything regarding what you said in SeND RFC. What is important in SeND RFC is proceeding rules for receiver. Because, I, as a sender can follow my own rule! But if the receiver checks this conditions then I might fail which unfortunately does not happen in SeND RFC. Check here "5.1.2. Processing Rules for Receivers". >o Ignoring Sec Value during DAD >I agree with Christian: the check is done over the complete target address (i.e., including Prefix, Sec value, u/g bits) >Indeed, DAD fails, when receiving a NA message, "if the target address is tentative", meaning "the tentative address is not unique" (cf. RFC 4862, Section 5.4.4). I do not agree with Christian since he also does not accept the case that is clearly said in CGA RFC itself (as Ray pointed out). However, what I said here is that CGA ALONE is vulnerable and dependent to SeND. SeND also can only authorize the routers and prevent the attack about sec value only for routers. The reason is that, it is not operationally ideal to have certification for every single nodes in the network. This makes the SeND deployment so complicated. I refer you to other draft I wrote about "local security". So, the purpose of SeND in other nodes (rather than routers) is that to help CGA to prevent replay attack by including nonce and timestamp to the packets. This is because again CGA, ALONE, cannot also prevent replay attack. Now about DAD attack. Since CGA is considered now 59 bits, we can consider the attacks over these bits regardless of CGA sec value. CGA node in that case has a temporary source address but not the attacker node. It is the CGA node who wants to check whether or not anybody else has the same IP address. If anybody can claim and the verification is successful, then the CGA node gives up and not the attacker. The CGA node checks the target address and verify the source address. But in nowhere in processing, either SeND nor NDP, I could find that target address is compared to source address (please point me to that section in RFC if I missed it). What I can remember, when I myself implemented SeND for windows, I just included this condition to avoid some attacks but , at that time, I still did not think that CGA sec value can be of no use because of verification steps. In SeND there is processing for sender but does it help?? No! because for verifier node, the "receiver processing is important". But I am attacker, I do not need to follow the SeND specification for sender if the receiver does not check it. My receiver even does not checks this situation!! In this case as I explained the situation, the verification is successful and I can prevent the CGA node from IP address configuration. Sec value also could not help to complicate this process because of the problem in SeND and CGA specifications. Now, for another attack, update all neighboring cache. Since the verification is the same process, I guess the attacker has no problem to update the caches or claim to be the victim CGA node in the network and start any communications with other nodes on behalf (forge the identity). This attack does not need to be done immediately(the attacker can do it offline) and start it whenever he wants.. >o Collision vs. Pre-image attack >IMHO, you assume that attack is a real-time one: when a victim node generates a CGA (in fact, an IID), with your attack, the malicious node wants to generate the same _given_ CGA (in fact, the same IID). >So, I agree with Marcelo: this is a pre-image attack ...or a second pre-image attack (as the malicious node knows the CGA parameters). We are actually providing this attack. I am also in email contact with some crypto expert professors and waiting for their opinions about one of my ideas then I share it here. The important case is that, SHA1 divides the messages to block of 512 bits and work on each blocks. We all know that finding a collision for a certain value might be hard when the attacker does not know the plain text. This is not the case for CGA attacker. All the plain text (modifier, etc) is sent with the packet. What the attacker needs to do is use the same values except the public key. If the public key is 2046 bits, since 26 bytes are already the same, the attacker can use the RSA shorter key size (512 or less) and only play with the endings. Until the match happens. Since we have to consider the blocks of 512 bits, I am just trying to have some experiments to find a number that fill the correct value of the first block. One possibility is to use a part of public key of the real node and find a private key, It can be any number but since it is only a part of public key or a part of a prime number, then with sieve prime approach, I guess it is possible to find a faster match so that this attack can be really applicable during DAD process. >o RSA private/public keys >One point I don't understand in your attack is that, even if you find a collision, meaning you "find" a potential value for the public key, how did you get the associated private key needed to generate the RSA Signature option and providing the CGA's proof of ownership? The attacker generates the public/private key itself. Either it plays with modifier or it uses a short key size public key, as I explained in last paragraph and tries to generate the same value. This means the attacker can sign the message with his own private key and not depends on the private key of the CGA node. This is only not possible when the router is authorized. Since this authorization in SeND is only for routers and not operationally ideal for all nodes, the attacker would not encounter any problem. As you know, in CGA every node, itself, generates his own public/private keys and start CGA process and generates his own packets. CPS and CPA is only for routers. So, the attacker does this the same but only tries to have the values for public key that generates the same collision. He is free to either use the same modifier and other values that the legitimate CGA used or use his own. But I guess if he uses the same values and just change the last blocks of SHA1, then it is easier for him to generate the same values faster but you can also wait for the email from those professors and also our experimental results. I would share the code here http://ipv6ssl.hpi.uni-potsdam.de/ Smile, Hosnieh
- FW: New Version Notification for draft-rafiee-6ma… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… George Michaelson
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Christian Huitema
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… marcelo bagnulo braun
- Re: FW: New Version Notification for draft-rafiee… Dan Luedtke
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… marcelo bagnulo braun
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee
- Re: FW: New Version Notification for draft-rafiee… Tom Taylor
- RE: FW: New Version Notification for draft-rafiee… Greg Daley
- Re: FW: New Version Notification for draft-rafiee… Ray Hunter
- Re: FW: New Version Notification for draft-rafiee… Jean-Michel Combes
- RE: FW: New Version Notification for draft-rafiee… Hosnieh Rafiee