Re: [SWMP] My understanding so far

Roland Weber <ossfwot@dubioso.net> Thu, 20 September 2007 17:33 UTC

Return-path: <swmp-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IYPuE-0005i2-PH; Thu, 20 Sep 2007 13:33:38 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IYPuC-0005a7-Ns for swmp@ietf.org; Thu, 20 Sep 2007 13:33:36 -0400
Received: from moutng.kundenserver.de ([212.227.126.187]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IYPu8-0006Nr-P4 for swmp@ietf.org; Thu, 20 Sep 2007 13:33:33 -0400
Received: from e180013223.adsl.alicedsl.de [85.180.13.223] (helo=[85.180.13.223]) by mrelayeu.kundenserver.de (node=mrelayeu7) with ESMTP (Nemesis), id 0ML2xA-1IYPtn16zS-0002V5; Thu, 20 Sep 2007 19:33:31 +0200
Message-ID: <46F2AEF8.4090406@dubioso.net>
Date: Thu, 20 Sep 2007 19:33:44 +0200
From: Roland Weber <ossfwot@dubioso.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070807 SeaMonkey/1.1.4
MIME-Version: 1.0
To: swmp@ietf.org
Subject: Re: [SWMP] My understanding so far
References: <OFFA72042F.751DC694-ON85257348.006F170E-85257348.0070D266@lotus.com> <46D88058.8070008@dubioso.net> <46D894F6.1090901@mediamachines.com>
In-Reply-To: <46D894F6.1090901@mediamachines.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Provags-ID: V01U2FsdGVkX1+9Zqkc2SgAgzqCyLoAYS1tnY20dWxFPn3sWpb ka/UfOjyEDmdWmcpBmX6i3PV3PhBXf//ZS6/BWrK/5Ef1h0vOt RvciBY/gLtp7D51pmhObUfT0M8jTlBO
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f60d0f7806b0c40781eee6b9cd0b2135
X-BeenThere: swmp@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion of a Simple Wide-area Multiuser-3D Protocol <swmp.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/swmp>, <mailto:swmp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/swmp>
List-Post: <mailto:swmp@ietf.org>
List-Help: <mailto:swmp-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/swmp>, <mailto:swmp-request@ietf.org?subject=subscribe>
Errors-To: swmp-bounces@ietf.org

Hi Jay,

sorry for the late reply, I had little time to spare.

Jay C. Weber wrote:
> Roland Weber wrote:
>> Tickets are used similar to session cookies. When a network
>> element X opens the initial channel to Y, it sends a message
>> "HELLO, I am X and here is your ticket YtoX for contacting me".
> Yes and tickets usually have an expiration time/date (a date is part of the 
> ticket and the whole thing is digitally-signed to prevent tampering) in order to 
> address the man-in-the-middle attacks to which you alluded before.

In the web world, there is a distinction between session cookies
(like jsessionid) with an inactivity timeout, and authentication
cookies (like the LTPA cookie in WebSphere Application Server),
which have an expiration time.
The LTPA cookie fits your description: it is encrypted and has
an expiration time, in addition to user credentials. It is used
for Single Sign-On: one server issues the ticket, others receive
and verify it. However, the session is tracked by the standard
jsessionid.
In SWMP, as discussed so far, the ticket is only sent back to
the server where it came from. That server will probably not
bother to decrypt it, since it can just as well compare the
encrypted data bit by bit. I don't really see the purpose of
the encryption here. Since a timestamp is encrypted, it will not
be possible to guess from one ticket what the next will be. But
that would also be achieved by any cryptographically strong
pseudo random number generator. On the other hand, expiration
of the ticket requires re-issuing tickets during a session.

A ticket that is simply copied into a message will not protect
against man-in-the-middle attacks. The MITM can take it from
the intercepted message and pass it on in a modified message.
As discussed so far, an attacker doesn't even need to be in the
middle. It is sufficient to spy on one UDP packet to hijack the
respective channel in the direction of the sent packet. Just
fire a few messages with the ticket, and increment the message
IDs by 5 instead of 1 each time. The receiver will accept the
forged messages because they have the correct ticket, and
ignore all messages from the genuine sender because their ID
is too low.
Switching to a hashing technique has some advantages over
this, though at the price of hash computation. Firstly, the
ticket is only sent in plain during the initial handshake on
the main TCP channel. The hash in the UDP packets will not
allow an eavesdropper to guess the ticket and forge messages.
If the hash is computed over the message header only, MITM
attacks are still possible. If the hash is computed over the
full message, message integrity can be verified. A MITM could
still selectively drop messages, but not forge them. If so
desired, the ticket exchange on the main channel can be
protected by standard mechanisms like TLS or SASL.
Secondly, the paper says that ticket size is not fixed. So
a server might have some clients that use a 32 bit random
number as the ticket, and others that use 3 kbyte BLOBs as
tickets. If updates are to be sent to all clients, those
with a large ticket would need different and more messages
than those with the small tickets.

We can discuss that stuff in detail when we tackle authentication.
As long as anyone can connect to anyone else and get a ticket,
MITM attacks are pretty pointless ;-) Does your implementation
have authentication mechanisms in place?

cheers,
  Roland

_______________________________________________
SWMP mailing list
SWMP@ietf.org
https://www1.ietf.org/mailman/listinfo/swmp