Re: [Babel-users] About an authentication extension

[Rodrigo Garcia]

I see, however the project has already been accepted so i will have to
do it anyway :(

Maybe i can think not to use random numbers but something to make it
more difficult that a false ciphertext be accepted by other nodes.

Thanks, i will use the references to point out the vulnerabilities.

El 10/09/17 a las 13:13, Toke Høiland-Jørgensen escribió:
>> Yes, but a node does not have the private key, so it can't create *new*
>> encrypted tokens by its own.
> 
> Not necessarily. In general, even if you don't know the private key,
> changing the ciphertext can still change the plaintext after decryption.
> Especially, since in your scheme an attacker only needs to change a
> single byte (holding the random number attached to a prefix) to get a
> new valid token for that prefix.
> 
> For RSA in particular, don't encrypt things with the private key; see
> https://stackoverflow.com/questions/44261028/modification-of-rsa-encrypted-cipher-text
> and this answer linked from there:
> https://crypto.stackexchange.com/questions/15997/is-rsa-encryption-of-a-cryptographic-hash-with-a-private-key-the-same-as-signatu







___
Babel-users mailing list
Babel-users@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/babel-users

Re: [Babel-users] About an authentication extension

[Denis Ovsienko]

>Right, I see. Are you familiar with the HMAC extension to babel
>(RFC7298)? That does something different (it prevents nodes that don't
>know the shared secret from participating in the network at all, but
>does not restrict which prefixes each node can export). However, it may
>be useful to read at least parts of it to help you formulate the
>requirements for your own scheme.

RFC 4593 is a good starting point.

-- 
Denis Ovsienko



___
Babel-users mailing list
Babel-users@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/babel-users

Re: [Babel-users] About an authentication extension

[Toke Høiland-Jørgensen]

Rodrigo Garcia  writes:

>> But if everyone knows how to decrypt all the tokens they are not really
>> secret; so it basically becomes the same as a signature, no? Except if
>> it's *not* signed you may be able to spoof other values by changing the
>> ciphertext of a valid token you already own (not sure how susceptible
>> public crypto is to this)...
>> 
>
> Yes, but a node does not have the private key, so it can't create *new*
> encrypted tokens by its own.

Not necessarily. In general, even if you don't know the private key,
changing the ciphertext can still change the plaintext after decryption.
Especially, since in your scheme an attacker only needs to change a
single byte (holding the random number attached to a prefix) to get a
new valid token for that prefix.

For RSA in particular, don't encrypt things with the private key; see
https://stackoverflow.com/questions/44261028/modification-of-rsa-encrypted-cipher-text
and this answer linked from there:
https://crypto.stackexchange.com/questions/15997/is-rsa-encryption-of-a-cryptographic-hash-with-a-private-key-the-same-as-signatu

-Toke

___
Babel-users mailing list
Babel-users@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/babel-users