IETF Logo Mail Archive

Re: SNMPv2 security

Julie Tarr <tarr@itd.nrl.navy.mil> Tue, 01 February 1994 17:08 UTC

Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa07403; 1 Feb 94 12:08 EST
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa07399; 1 Feb 94 12:08 EST
Received: from [192.94.214.100] by CNRI.Reston.VA.US id aa11319; 1 Feb 94 12:08 EST
Received: by relay.tis.com; id AA14877; Tue, 1 Feb 94 11:40:41 EST
Received: from magellan.tis.com(192.33.112.124) by relay via smap (V1.0mjr) id sma014869; Tue Feb 1 11:40:17 1994
Received: from magellan.tis.com by magellan.TIS.COM id aa00216; 1 Feb 94 11:31 EST
Received: from sol.tis.com by magellan.TIS.COM id aa00212; 1 Feb 94 11:24 EST
Received: from relay.tis.com by tis.com (4.1/SUN-5.64) id AA28150; Tue, 1 Feb 94 11:24:04 EST
Received: by relay.tis.com; id AA14731; Tue, 1 Feb 94 11:24:37 EST
Received: from itd.nrl.navy.mil(128.60.2.2) by relay via smap (V1.0mjr) id sma014726; Tue Feb 1 11:23:58 1994
Received: by itd.nrl.navy.mil (4.1/SMI-4.1) id AA00610; Tue, 1 Feb 94 11:22:26 EST
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Julie Tarr <tarr@itd.nrl.navy.mil>
Message-Id: <9402011622.AA00610@itd.nrl.navy.mil>
Subject: Re: SNMPv2 security
To: Keith McCloghrie <kzm@hls.com>
Date: Tue, 01 Feb 1994 11:22:24 -0500
Cc: snmp@psi.com, snmpv2@magellan.tis.com
In-Reply-To: <9402010407.AA14474@nms.hls.com> from "Keith McCloghrie" at Jan 31, 94 08:07:37 pm
X-Mailer: ELM [version 2.4 PL22]
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Content-Length: 2364 

> 
> > There are two reasons to change keys in a cryptographic system - 1)  The old
> > key has been compromised, and 2) to protect them from a 
> > cryptanalysis threat.
> 
> In SNMPv2, there is a third reason: to allow the clock to be reset without
> allowing all previous messages to be replayed.
> 
> The "linear" (as someone else called it) change of XOR-ing the keys can
> have two impacts:
> 
> 1. it doesn't make the cryptanalyst's job any easier, it could make no 
> difference, or (my guess) it could make it at least a little harder,
> although the amount by which it is harder may be negligible, I don't know.
> 
> 2. without the XOR, the cryptanalyst can work from any subset of the
> messages; with XORs, the cryptanalyst must capture all the packets
> to/from that agent, inspect them all for a) SetRequests which modify
> partyAuthPriv, and b) the matching Response messages to make sure that
> the identified SetRequests were successful, etc., and then factor the
> changes into the calculations.  Wouldn't you say that make the job a
> bit harder ?
> 
In order for the cryptanalysis to have the data to crack the keys, he must
already selectively capture traffic going to/from that agent.  The XOR scheme
does not make his job significantly harder.  It gives him unlimited time
in which to crack the code.

Also note that, as someone else in this discussion group has already pointed out,
the XORed key change message is vulnerable to replay attack.  If an attacker replays
a key change message within the window of oppportunity provided by the message lifetime,
then the replayed message will change the keys back to the old key.  That is,
the manager sends to the agent (Kold XOR Knew) . The agent calculates 
Kold XOR (Kold XOR Knew) to produce Knew and changes its key to Knew.  If the
agent receives a replay of this key change message, it will calculate 
Knew XOR (Kold XOR Knew) to produce Kold and change the key back to Kold.  The 
agent will send a confirmation of this change back to the manager, so the manager
will be aware that an attacker has tampered with the system.  However, how is 
the manager going to reset the key?  If it tries to send another XOR key change
message, the attacker can simply repeat this procedure.

Note that this replay attack is relatively simply to perform, it only requires
good timing.

				Julie

v2.23.0 | Report a Bug | By Email