Re: SNMPv2 security
Frank Kastenholz <kasten@tri-flow.ftp.com> Fri, 28 January 1994 22:59 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa14575; 28 Jan 94 17:59 EST
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa14571; 28 Jan 94 17:59 EST
Received: from relay.tis.com by CNRI.Reston.VA.US id aa18773; 28 Jan 94 17:59 EST
Received: by relay.tis.com; id AA02121; Fri, 28 Jan 94 17:33:37 EST
Received: from magellan.tis.com(192.33.112.124) by relay via smap (V1.0mjr) id smae02064; Fri Jan 28 17:32:40 1994
Received: from magellan.tis.com by magellan.TIS.COM id aa17064; 28 Jan 94 17:27 EST
Received: from sol.tis.com by magellan.TIS.COM id aa17056; 28 Jan 94 17:22 EST
Received: from relay.tis.com by tis.com (4.1/SUN-5.64) id AA02366; Fri, 28 Jan 94 17:22:04 EST
Received: by relay.tis.com; id AA01925; Fri, 28 Jan 94 17:22:33 EST
Received: from babyoil.ftp.com(128.127.2.105) by relay via smap (V1.0mjr) id sma001919; Fri Jan 28 17:22:29 1994
Received: from tri-flow.ftp.com by babyoil.ftp.com with SMTP id AA09989; Fri, 28 Jan 94 17:22:18 -0500
Received: by tri-flow.ftp.com.ftp.com (5.0/SMI-SVR4) id AA05334; Fri, 28 Jan 94 17:22:14 EST
Date: Fri, 28 Jan 1994 17:22:14 -0500
Message-Id: <9401282222.AA05334@tri-flow.ftp.com.ftp.com>
To: uri@watson.ibm.com
Subject: Re: SNMPv2 security
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Frank Kastenholz <kasten@tri-flow.ftp.com>
Reply-To: kasten@ftp.com
Cc: romanov@nacto.lkg.dec.com, snmp@psi.com, snmpv2@magellan.tis.com
Content-Length: 3567
> What is the reason people change their [secret] keys? > Why not leave the same one for indefinite time? The more traffic in the same key that you have, the easier it is to break the code. It is much much harder to break a key when you have one message than when you have many messages. Also, as you say, if my key has been compromised but I do not know it, then only the traffic encrypted in the compromised key is compromised. > Now in this XOR scheme, it doesn't matter at what point > in time I get your key - but your traffic is open to > me from now on, both in past (pre-recorded messages) > and whatever you'll send in the future. Also, if > there's is a cryptanalytic attack on the key, > then these XORs make sure I'll be able to > exploit _all_ the traffic, rather than > just those messages, encrypted or > protected by that particular > key I'm trying to crack. > > Thus - what do we save by "changing" the key in > such a funny way? What kind of "attack" are we > twarting? Inquiring minds want to know (:-). Ok, suppose you and I are using Kold to communicate. We wish to go to a new key, Knew. I send you Knew DES-encrypted with Kold. Now, for a third party to get Knew from that transaction, they would have to know Kold. Right? OR I send you Knew xored with Kold. Again, for the third party to get Knew from the transaction they would have to know Kold. Right? Either way, the third party must know Kold in order to extract Knew from the data stream. In the XOR method, you can then quite easily go back and calculate all previous keys. But then if DES is used to set keys, you will have both the cipher-text (the DES-encrypted message that set Kold) and part of the clear-text of the cipher-text (we posit that you have Kold) so then DES becomes much less robust. This is a tradeoff. Transferring keys with DES would be safer, but that leads to problems exporting goods from the US, so by using the XOR mechanism, we give up some robustness in key transfer and make it much easier to build easily-exportable products. Though both of these assume that Kold has been compromised -- which is hard and where the true robustness comes in. P.S. There is an interesting additional bit of security in the XOR scheme that is not in DES. In XOR, you just XOR the 16 bytes of the key. In DES you DES-encrypt the entire packet. So, suppose I had a machine that was capable of doing an exhaustive attack on DES (i.e. I simply decrypt the packet using every possible key from 0 to 0xffffff...). There are certain patterns in the packet that I can look for. I know how the SNMP packet is encoded. I know that, e.g., there must be tag bytes and length bytes of a certain, knowable (or guessable) values at a certain locations in the packet. Thus, as I do the exhaustive DES attack, I can throw away any "provisional" key that does not give me one of these values. On the other hand, in XOR, you only XOR the 16 bytes of key. You do not have any knowledge of what any of those bytes will be so you do can not know which value is the right one. In other words, if, after decrypting a packet with a particular DES key the packet starts 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00... you can guess that the key is not the one that originally encrypted the packet. If, however, you 'de-XOR' a 16-byte key and get 0x00 0x00 0x00... that might be the key, or it might not -- there is no way to tell by looking at the key itself... -- Frank Kastenholz FTP Software 2 High Street North Andover, Mass. USA 01845 (508)685-4000
- Re: SNMPv2 security Frank Kastenholz
- Re[2]: SNMPv2 security cyoung
- Re: SNMPv2 security Frank Kastenholz
- Re: SNMPv2 security Frank Kastenholz
- Re: SNMPv2 security uri
- Re: SNMPv2 security uri
- Re: SNMPv2 security Frank Kastenholz
- Re: SNMPv2 security Julie Tarr
- Re: SNMPv2 security Keith McCloghrie
- Re: SNMPv2 security Julie Tarr
- Re: SNMPv2 security Sath. Nelakonda
- Re: SNMPv2 security michael (m.) sam chee