Field slide attacks and how to avoid them.

Kevin E. Fu fubob at MIT.EDU
Mon Sep 10 16:50:07 EDT 2001


>I've been noticing a lot of ways you can mess up a cryptographic
>protocol due to the "sliding around" of fields within a signed or MACed
>message.  The classic example of this is the old attack on PGP
>fingerprints, which let you use some odd keysize, and thus get two
>different keys (with different keysizes) with the same hash, without
>breaking the hash function.  (The raw bits of the two keys are the same,
>but the fields are broken up differently.)
>...
>This is the kind of thing that someone must have already dealt with in
>detail.  Any references?  Are any of these ideas useful?  There is
>nothing very difficult about any of them, and it would be trivial to
>come up with dozens of similar fixes.

We use hashes of marshalled XDR representations of data in the SFS
read-only file system [3].  This allows us to protect the integrity of
public, read-only content without having to worry about simple
splicing attacks.  The eXternal Data Representation Standard is
popular for implementing things like NFS [2, 4].

Recently I've spent quite a bit of time analyzing cookie-based,
HTML-form-based, and URL-based authenticators.  As you might expect,
many of these systems fall to the basic attack you describe.  One of
my favorite bad schemes is from an operating systems class at MIT [0]
(no offense to my thesis advisor...):

 auth = expiration time + MAC_k(expiration time)

The problem is that an ambiguous message is signed, making this attack
possible:

 (username, expiration) -> MAC signature
 ---------------------     --------------------------
 (Alice, 21-Apr-2001)   -> MAC (Alice21-Apr-2001, key)
 (Alice2, 1-Apr-2001)   -> MAC (Alice21-Apr-2001, key)

An adversary need only create an Alice2 account with an appropriate
expiration time to forge an authenticator for the real Alice.  In the
real world, sites and systems like WSJ.com and ArsDigita ACS suffer
from variants of this marshalling problem [1].  Just sign what you
mean -- using a delimiter or variable name outside the message space
is usually sufficient.

-Kevin Fu


[0] 6.033 Spring 2001 Quiz 2.  http://web.mit.edu/6.033/www/handouts/s01_2.ps
[1] Dos and Don'ts of Client Authentication on the Web, USENIX Security 2001,
     http://cookies.lcs.mit.edu/
[2] NFS Version 3 Protocol Specification, RFC 1813
[3] SFS Read-only File System, USENIX OSDI 2000, http://www.fs.net/
[4] XDR: External Data Representation, RFC 1014

--------
Kevin E. Fu (fubob at mit.edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html
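Added example, not part of Kevin Fu's message: the ambiguous concatenation MAC from the post beside an XDR-style length-prefixed marshalling of the same two fields, showing that the Alice/Alice2 pair collides under the first and not the second. The key, the function names and the `collides` helper are constructed for this demo.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real system would load this from a secret store.
KEY = b"constructed-demo-key"

def naive_auth(username: str, expiration: str) -> bytes:
    """The flawed scheme from the post: MAC over the bare concatenation.
    Field boundaries are lost, so different (username, expiration) pairs
    can serialise to the same byte string and therefore the same MAC."""
    msg = username.encode() + expiration.encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def xdr_string(s: str) -> bytes:
    """Encode a string the way XDR does: 4-byte big-endian length, then the
    bytes, zero-padded to a multiple of four (RFC 1014, section 3.11)."""
    data = s.encode()
    pad = (-len(data)) % 4
    return struct.pack(">I", len(data)) + data + b"\x00" * pad

def marshalled_auth(username: str, expiration: str) -> bytes:
    """Unambiguous scheme: MAC over the XDR marshalling of both fields.
    The length prefix is a boundary marker outside the message space, so
    'Alice'+'21-Apr-2001' and 'Alice2'+'1-Apr-2001' no longer serialise
    to the same bytes and the MACs differ."""
    msg = xdr_string(username) + xdr_string(expiration)
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def collides(scheme, a, b) -> bool:
    """True if two distinct (username, expiration) pairs yield the same
    authenticator under the given scheme."""
    return a != b and hmac.compare_digest(scheme(*a), scheme(*b))

# The field-slide pair from the post (constructed sample input).
REAL = ("Alice", "21-Apr-2001")
SLID = ("Alice2", "1-Apr-2001")

if __name__ == "__main__":
    print("naive scheme collides:     ", collides(naive_auth, REAL, SLID))
    print("marshalled scheme collides:", collides(marshalled_auth, REAL, SLID))
```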


