[saag] Classifying MITM attacks
Jonathan Hoyland <jonathan.hoyland@gmail.com> Fri, 08 January 2021 14:45 UTC
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Fri, 8 Jan 2021 14:47:06 +0000
Message-ID: <CACykbs3q8wzGYAU6u_xg8B7-usZk0Tz1yf+kxh7hmB44gbqYTg@mail.gmail.com>
To: saag@ietf.org
Cc: Benjamin Kaduk <kaduk@mit.edu>, Michael Richardson <mcr@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/t9DhPXi85vGxvoaYsCya2Gv8zpI>
Hi SAAG,

So I've been thinking about classifying MITM attacks a little over the winter break, à la draft-richardson <https://www.ietf.org/archive/id/draft-richardson-saag-onpath-attacker-01.html>, and did a quick literature survey to see what academia has to say about MITM attacks, and their variations.

The best paper I found was "A survey of man in the middle attacks" [1], which doesn't propose any terminology, but does group the attacks.

I think a decent ontology would be a useful bit of work. To that end, I was thinking about what kind of attacks should be in scope, and thus should unambiguously be captured in a taxonomy.

Some potentially ambiguous examples:

1. If both endpoints are anonymous, is the attack still a MITM attack? What's the line between two separate connections and a MITM attack in an anonymous scenario?
   a. What about in a scenario where identities can't be verified, such as vehicle-to-vehicle / vehicle-to-environment communications in a remote area?
2. If I put a probe on a bus, am I performing a MITM attack? At what point does a MITM attack shade into compromise of the endpoint?
3. In a group chat scenario, does impersonating another user count as a MotS attack? Consider Alice, Bob, and Carol all legitimately participating in a group chat. If Carol impersonates Bob to Alice (and herself) in the group chat, how would we describe that attack?
4. If I stick a malicious QR code over an on-boarding QR code, what kind of MITM attack have I performed?
   a. If Mallory swaps the registration QR codes of two devices, and Alice then registers Bob's device, has she performed a MITM attack?

Another useful exercise might be to go through the attacks listed in [1] and check any ontology describes them appropriately. (Finding this paper online is surprisingly hard, but I'm happy to send anyone a copy.)

One final question is: do we want a strict taxonomy, where each attack fits into exactly one category, and relationships between attacks are captured by distance in the tree, or do we want a more flexible ontology where we can classify attacks more fuzzily, but still have basic groups?

One comment specific to the draft is that it currently uses the term "in-the-rough", which I don't really like. As a non-golf player, "in-the-rough" makes me think of precious stones, not a golf metaphor. Esp. as no dictionary I could find ([1] <https://www.merriam-webster.com/dictionary/in%20the%20rough>, [2] <https://www.dictionary.com/browse/in--the--rough>, [3] <https://www.collinsdictionary.com/dictionary/english/in-the-rough>, [4] <https://www.urbandictionary.com/define.php?term=in%20the%20rough>) lists the golf meaning even as a subsidiary meaning, I think we should come up with something more understandable, esp. to non-golf players and non-native English speakers. Suggestions for better terminology would be welcome.

I've also pushed a PR <https://github.com/mcr/saag-onpath-attacker/pull/1> cleaning up some of the text.

Regards,
Jonathan

[1] Conti, Mauro, Nicola Dragoni, and Viktor Lesyk. "A survey of man in the middle attacks." IEEE Communications Surveys & Tutorials 18.3 (2016): 2027-2051.