Re: [Babel-users] About an authentication extension
I see; however, the project has already been accepted, so I will have to do it anyway :(

Maybe I can think of not using random numbers but something to make it more difficult for a false ciphertext to be accepted by other nodes.

Thanks, I will use the references to point out the vulnerabilities.

On 10/09/17 at 13:13, Toke Høiland-Jørgensen wrote:
>> Yes, but a node does not have the private key, so it can't create *new*
>> encrypted tokens by its own.
>
> Not necessarily. In general, even if you don't know the private key,
> changing the ciphertext can still change the plaintext after decryption.
> Especially, since in your scheme an attacker only needs to change a
> single byte (holding the random number attached to a prefix) to get a
> new valid token for that prefix.
>
> For RSA in particular, don't encrypt things with the private key; see
> https://stackoverflow.com/questions/44261028/modification-of-rsa-encrypted-cipher-text
> and this answer linked from there:
> https://crypto.stackexchange.com/questions/15997/is-rsa-encryption-of-a-cryptographic-hash-with-a-private-key-the-same-as-signatu

___
Babel-users mailing list
Babel-users@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/babel-users
Re: [Babel-users] About an authentication extension
> Right, I see. Are you familiar with the HMAC extension to babel
> (RFC7298)? That does something different (it prevents nodes that don't
> know the shared secret from participating in the network at all, but
> does not restrict which prefixes each node can export). However, it may
> be useful to read at least parts of it to help you formulate the
> requirements for your own scheme.

RFC 4593 is a good starting point.

--
Denis Ovsienko
Re: [Babel-users] About an authentication extension
Rodrigo Garcia writes:

>> But if everyone knows how to decrypt all the tokens they are not really
>> secret; so it basically becomes the same as a signature, no? Except if
>> it's *not* signed you may be able to spoof other values by changing the
>> ciphertext of a valid token you already own (not sure how susceptible
>> public crypto is to this)...
>>
>
> Yes, but a node does not have the private key, so it can't create *new*
> encrypted tokens by its own.

Not necessarily. In general, even if you don't know the private key, changing the ciphertext can still change the plaintext after decryption. Especially, since in your scheme an attacker only needs to change a single byte (holding the random number attached to a prefix) to get a new valid token for that prefix.

For RSA in particular, don't encrypt things with the private key; see
https://stackoverflow.com/questions/44261028/modification-of-rsa-encrypted-cipher-text
and this answer linked from there:
https://crypto.stackexchange.com/questions/15997/is-rsa-encryption-of-a-cryptographic-hash-with-a-private-key-the-same-as-signatu

-Toke
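
The point made in the message above, as an added example that is not part of the original thread: a raw RSA private-key operation gives a receiver no way to tell an issued token from a derived one, while a check over a hash of the token rejects both a one-byte change and a combined blob. The key (built from Mersenne primes, so trivially factorable), the token layout and all function names are assumptions made for this sketch; a real design would use a standard signature scheme such as RSA-PSS or Ed25519 from a vetted library.

```python
import hashlib

# Constructed toy key (Mersenne primes, trivially factorable): illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the issuer

def to_int(data: bytes) -> int:
    return int.from_bytes(data, "big")

def issue_encrypted(token: bytes) -> int:
    """Scheme discussed in the thread: raw private-key operation on the token."""
    return pow(to_int(token), D, N)

def open_encrypted(blob: int) -> int:
    """Public-key 'decryption'; it succeeds for ANY input, so it proves nothing."""
    return pow(blob, E, N)

def sign(token: bytes) -> int:
    """Hash-then-sign, unpadded, only to show the principle."""
    return pow(to_int(hashlib.sha256(token).digest()), D, N)

def verify(token: bytes, sig: int) -> bool:
    return pow(sig, E, N) == to_int(hashlib.sha256(token).digest())

def demo() -> dict:
    # Assumed token layout (prefix plus random number); values are constructed.
    t1, t2 = b"2001:db8:1::/48|17", b"2001:db8:2::/48|42"
    c1, c2 = issue_encrypted(t1), issue_encrypted(t2)
    product = to_int(t1) * to_int(t2) % N
    tampered = t1[:-1] + b"8"          # one byte of the random number changed
    return {
        "roundtrip": open_encrypted(c1) == to_int(t1),
        # The product of two issued blobs opens to a value the issuer never produced.
        "product_opens_to_unissued_value": open_encrypted(c1 * c2 % N) == product,
        "signature_accepts_issued": verify(t1, sign(t1)),
        "signature_rejects_tampered": verify(tampered, sign(t1)),
        "signature_rejects_product": verify(t1 + t2, sign(t1) * sign(t2) % N),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
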