[saag] Classifying MITM attacks

Jonathan Hoyland <jonathan.hoyland@gmail.com> Fri, 08 January 2021 14:45 UTC

From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Fri, 8 Jan 2021 14:47:06 +0000
Message-ID: <CACykbs3q8wzGYAU6u_xg8B7-usZk0Tz1yf+kxh7hmB44gbqYTg@mail.gmail.com>
To: saag@ietf.org
Cc: Benjamin Kaduk <kaduk@mit.edu>, Michael Richardson <mcr@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/t9DhPXi85vGxvoaYsCya2Gv8zpI>

Hi SAAG,

So I've been thinking about classifying MITM attacks a little over the
winter break, à la draft-richardson
<https://www.ietf.org/archive/id/draft-richardson-saag-onpath-attacker-01.html>,
and did a quick literature survey to see what academia has to say about
MITM attacks, and their variations.

The best paper I found was "A survey of man in the middle attacks" [1],
which doesn't propose any terminology, but does group the attacks.

I think a decent ontology would be a useful bit of work.

To that end, I was thinking about what kind of attacks should be in scope,
and thus should unambiguously be captured in a taxonomy.

Some potentially ambiguous examples:

   1. If both endpoints are anonymous, is the attack still a MITM attack?
   What's the line between two separate connections and a MITM attack in an
   anonymous scenario?

   a. What about in a scenario where identities can't be verified, such as
   vehicle-to-vehicle / vehicle-to-environment communications in a remote
   area?

   2. If I put a probe on a bus, am I performing a MITM attack? At what point
   does a MITM attack shade into compromise of the endpoint?

   3. In a group chat scenario, does impersonating another user count as a MotS
   attack? Consider Alice, Bob, and Carol all legitimately participating in a
   group chat. If Carol impersonates Bob to Alice (and herself) in the group
   chat, how would we describe that attack?

   4. If I stick a malicious QR code over an on-boarding QR code, what kind of
   MITM attack have I performed?

   a. If Mallory swaps the registration QR codes of two devices, and Alice
   then registers Bob's device, has she performed a MITM attack?

Another useful exercise might be to go through the attacks listed in [1]
and check any ontology describes them appropriately. (Finding this paper
online is surprisingly hard, but I'm happy to send anyone a copy.)

One final question is do we want a strict taxonomy, where each attack fits
into exactly one category, and relationships between attacks are captured
by distance in the tree, or do we want a more flexible ontology where we
can classify attacks more fuzzily, but still have basic groups?

One comment specific to the draft is that it currently uses the term
"in-the-rough", which I don't really like.

As a non-golf player, "in-the-rough" makes me think of precious stones, not
a golf metaphor.

Esp. as no dictionary I could find [1]
<https://www.merriam-webster.com/dictionary/in%20the%20rough> [2]
<https://www.dictionary.com/browse/in--the--rough> [3]
<https://www.collinsdictionary.com/dictionary/english/in-the-rough> [4]
<https://www.urbandictionary.com/define.php?term=in%20the%20rough> lists
the golf meaning even as a subsidiary meaning, I think we should come up
with something more understandable, esp. to non-golf players and non-native
English speakers.

Suggestions for better terminology would be welcome.

I've also pushed a PR <https://github.com/mcr/saag-onpath-attacker/pull/1>
cleaning up some of the text.

Regards,

Jonathan

[1] Conti, Mauro, Nicola Dragoni, and Viktor Lesyk. "A survey of man in the
middle attacks." *IEEE Communications Surveys & Tutorials* 18.3 (2016):
2027-2051.