Paul Wouters writes:
> On Wed, 5 Apr 2017, Tero Kivinen wrote:
>
> >> This is vulnerable to a DOS attack though. The attacker once inserts
> >> themselves to get IDi. Then they connect to the server often enough
> >> with increased offsets to fail authentication, depleting the
> >> one-time-pad file for the real user, who presumably then is locked out.
> >
> > Nope. Like normally you are not using the data in the file unless it
> > is properly authenticated. I.e. even if the attacker can say use PPK
> > from offset 0x123123, the other end will not update the offset
> > 0x123123 to be used unless the other end also proves it knows the PPK
> > at that offset.
>
> That opens up an attack where an attacker can trick you into re-using
> the same PPK many times. I was assuming that could be dangerous in
> itself? If it is not, then we should clearly explain that in the
> document.
How? They can trick you into trying to use the same PPK multiple times, but all of those tries will fail and no traffic is ever transmitted protected by that PPK, thus it does not matter. It is not dangerous to use the same PPK many times.

My understanding is that in most cases the PPK will be static, and will not change very often. To be able to change it often, you need some kind of protocol to distribute them, and we currently do not have one yet.

The reason people might want to change the PPK is to limit how much data can be decrypted if someone successfully hacks into one of the end points. I.e., if you have used the same PPK for the last year, and then someone hacks into your machine and steals that PPK, then they can break the Diffie-Hellman for your last year's worth of traffic, and decrypt it because they know the PPK. If you change your PPK every day, and make sure that you destroy old used PPKs from the system, then the hacker will only gain one day's worth of traffic they can attack by breaking the Diffie-Hellman.

This means that you should zero out the part of the file containing the PPK you used when that PPK is no longer needed (i.e., you move to the next one), so a DVD full of random stuff is not very good for distributing them. Memory sticks have the same problem, as you are not sure if the data has been erased securely from the stick...

> > And the real user will most likely be locked out earlier because when
> > the attacker starts to do several tens of million IKE connections to
> > the server the server will most likely lock the user out or add
> > delays to connections long before the attacker is able to deplete the
> > one time pad...
>
> If the attacker can lock out the real user, that is also a DOS attack :)

Yep, and almost all systems do it already. I.e., if you give the wrong password enough times, the account is locked for some time, and at one point they might even disable it permanently.
That's why the old admin wisdom was always to create a secondary admin account with a different username, and make sure nobody knows what that username is, so when someone locks your "root" account you can log in with that admin account and unlock the "root"...
--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
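The offset-commit rule Tero describes above (an offset in the PPK file is only advanced, and the used material only destroyed, once the peer proves it knows the PPK at that offset) is easy to get wrong in an implementation. The following is an added illustration, not code from this thread or from any IKEv2 implementation: a toy PPK store that hands out fixed-size chunks of a one-time-pad style file by offset, refuses to consume a chunk on a failed attempt, zeroes a chunk once it has been proven and used, and counts failures per peer so the lockout behaviour discussed in the thread can be seen. The HMAC-SHA256 "proof" standing in for the IKEv2 authentication step, the 32-byte chunk size, the three-failure lockout threshold and the demo key material are all assumptions made for the example.

```python
"""Added illustration: a PPK file store that does not consume key material on
failed authentication. Not code from the thread or from any IKEv2 stack."""
import hashlib
import hmac
import secrets

CHUNK = 32              # bytes of PPK used per IKE SA (assumed size for this example)
LOCKOUT_THRESHOLD = 3   # failed attempts before a peer is refused (assumed policy)


def make_proof(ppk: bytes, transcript: bytes) -> bytes:
    """Stand-in for the IKEv2 authentication step: MAC the handshake transcript
    with the PPK so the peer can only produce it if it holds that chunk."""
    return hmac.new(ppk, transcript, hashlib.sha256).digest()


class PPKStore:
    def __init__(self, material: bytes):
        self.material = bytearray(material)  # mutable so used chunks can be zeroed
        self.next_offset = 0                 # first chunk not yet committed
        self.failures = {}                   # peer id -> consecutive failed attempts

    def chunks_remaining(self) -> int:
        return (len(self.material) - self.next_offset) // CHUNK

    def ppk_at(self, offset: int):
        """Return the chunk at offset, or None if it is misaligned, out of range,
        or already consumed (anything below next_offset has been zeroed)."""
        misaligned = offset % CHUNK != 0
        out_of_range = offset + CHUNK > len(self.material)
        if misaligned or out_of_range or offset < self.next_offset:
            return None
        return bytes(self.material[offset:offset + CHUNK])

    def authenticate(self, peer: str, offset: int, transcript: bytes, proof: bytes) -> bool:
        """Accept the peer only if it proves knowledge of the PPK at offset.
        A failure leaves the file untouched: no offset advance, no zeroing."""
        if self.failures.get(peer, 0) >= LOCKOUT_THRESHOLD:
            return False  # locked out, like an account after too many bad passwords
        ppk = self.ppk_at(offset)
        if ppk is None or not hmac.compare_digest(make_proof(ppk, transcript), proof):
            self.failures[peer] = self.failures.get(peer, 0) + 1
            return False  # nothing consumed, so the file cannot be depleted this way
        self._commit(offset)
        self.failures.pop(peer, None)
        return True

    def _commit(self, offset: int) -> None:
        """The peer proved the PPK: destroy that chunk (and any chunks it skipped
        over, which will never be used now) and move the offset past it."""
        end = offset + CHUNK
        for i in range(self.next_offset, end):
            self.material[i] = 0
        self.next_offset = end


def run_scenario() -> dict:
    """Walk through the attack from the thread and the legitimate use that follows."""
    # Constructed demo material: 4 chunks of 32 bytes. Not real key material.
    material = hashlib.sha256(b"constructed demo material").digest() * 4
    server = PPKStore(material)
    client = PPKStore(material)  # the legitimate peer holds the same file
    results = {"initial": server.chunks_remaining()}

    # Attacker knows the victim's IDi but not the file, and walks every offset.
    for off in range(0, len(material), CHUNK):
        server.authenticate("attacker", off, b"attacker transcript", secrets.token_bytes(32))
    results["after_attacker"] = server.chunks_remaining()
    results["attacker_locked"] = server.failures.get("attacker", 0) >= LOCKOUT_THRESHOLD

    # Legitimate peer proves chunk 0; the server consumes and zeroes it.
    transcript = b"legit transcript #1"
    proof = make_proof(client.ppk_at(0), transcript)
    results["legit_ok"] = server.authenticate("alice", 0, transcript, proof)
    results["after_legit"] = server.chunks_remaining()
    results["chunk0_zeroed"] = not any(server.material[:CHUNK])

    # Replaying the captured proof (different transcript, already-used offset)
    # fails and still consumes nothing.
    results["replay_ok"] = server.authenticate("eve", 0, b"other transcript", proof)
    results["after_replay"] = server.chunks_remaining()
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the scenario makes is the one in the thread: the attacker's four failed attempts leave all four chunks in place and trip the lockout, while the single legitimate authentication is the only event that advances the offset and overwrites the used chunk with zeros. In a real deployment the client would commit its own copy of the chunk in the same way once the server had proved itself.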
