Field slide attacks and how to avoid them.

Ben Laurie ben at algroup.co.uk
Mon Sep 10 05:27:54 EDT 2001


"Steven M. Bellovin" wrote:
> 
> In message <4.1.20010908224034.020e9bc0 at pop.ix.netcom.com>, John Kelsey writes:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >[ To: Perry's Crypto List ## Date: 09/08/01 07:35 pm ##
> >  Subject: Field slide attacks and how to avoid them. ]
> >
> >Guys,
> >
> >I've been noticing a lot of ways you can mess up a cryptographic
> >protocol due to the "sliding around" of fields within a signed or MACed
> >message.  The classic example of this is the old attack on PGP
> >fingerprints, which let you use some odd keysize, and thus get two
> >different keys (with different keysizes) with the same hash, without
> >breaking the hash function.  (The raw bits of the two keys are the same,
> >but the fields are broken up differently.)
> >
> >The natural way to resist this is to ensure that all information used to
> >parse a hashed/MACed/signed message is included in the signature.  But I
> >was curious whether anyone knows of other standard, simple ways to deal
> >with this problem?
> 
> Mike Merritt and I discussed such issues in our critique of Kerberos
> (http://www.research.att.com/~smb/papers/kerblimit.usenix.ps or .pdf).
> We recommended use of ASN.1 or equivalent to prevent it.  I
> demonstrated a variety of analogous cut-and-paste attacks in my
> critique of early versions of IPsec; the fix I suggested was strong
> authentication (http://www.research.att.com/~smb/papers/badesp.ps or
> .pdf).

Although I already mentioned ASN.1 in this context, I should explain why
I specifically did not recommend it. It is horribly complex to
implement, and everyone gets it wrong. The experience in SSL is that
almost every implementation of X.509 has some kind of screwup in the DER.
This means that code ends up full of exceptions to handle the mistakes,
and also means that one of the most useful properties of such systems
(that you can reconstruct the binary representation of the object to
check signatures) is in practice not available. You simply have to
preserve the original bits because you can't get them back again.

What we really need is something akin to ASN.1/DER but with reduced
complexity. I suspect that you have to lose some of the generality to do
that - but I'm not sure that would be such a bad thing.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
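An added worked example, not from the original post or from any of the quoted authors, of the field slide Kelsey describes and of the fix he proposes (put every byte the parser needs under the hash). The key values are constructed toy numbers, far too small for real use. `v3_style_fingerprint` is modelled on the V3 fingerprint construction as RFC 4880 describes it (MD5 over the MPI bodies of n and e with their length octets omitted); `encode_fields`/`decode_fields` is a minimal length-prefixed format standing in for DER, not real ASN.1, and all function names are this example's own.

```python
"""Field-slide demo: same raw bytes, different field boundaries, same hash.

Constructed example; the key values are made up and far too small for real use.
"""
import hashlib


def mpi_body(x: int) -> bytes:
    """Minimal big-endian encoding of a positive integer (an MPI body
    without its bit-length header, as in PGP key material)."""
    if x <= 0:
        raise ValueError("positive integers only")
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def v3_style_fingerprint(n: int, e: int) -> str:
    """MD5 over the MPI bodies of n and e with no length information,
    modelled on the V3 fingerprint construction described in RFC 4880.
    Nothing under the hash says where n ends and e begins."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest()


def encode_fields(fields: list[bytes]) -> bytes:
    """Canonical length-prefixed encoding (a stand-in for DER): field count,
    then for each field a 4-byte big-endian length followed by the bytes.
    Every byte a parser needs to split the message is itself part of the output."""
    out = bytearray(len(fields).to_bytes(4, "big"))
    for f in fields:
        out += len(f).to_bytes(4, "big") + f
    return bytes(out)


def decode_fields(buf: bytes) -> list[bytes]:
    """Strict inverse of encode_fields: rejects truncation and trailing
    bytes so that exactly one byte string maps to each field list."""
    if len(buf) < 4:
        raise ValueError("truncated count")
    count, pos, fields = int.from_bytes(buf[:4], "big"), 4, []
    for _ in range(count):
        if pos + 4 > len(buf):
            raise ValueError("truncated length")
        n = int.from_bytes(buf[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(buf):
            raise ValueError("truncated field")
        fields.append(buf[pos:pos + n])
        pos += n
    if pos != len(buf):
        raise ValueError("trailing bytes")
    return fields


def is_canonical(buf: bytes) -> bool:
    """True iff buf is exactly one encode_fields output, nothing more or less."""
    try:
        decode_fields(buf)
        return True
    except ValueError:
        return False


def canonical_fingerprint(n: int, e: int) -> str:
    """Hash over the length-prefixed encoding of the key material. Moving
    bytes across the n/e boundary changes the lengths that sit under the hash."""
    return hashlib.sha256(encode_fields([mpi_body(n), mpi_body(e)])).hexdigest()


def slide_boundary(n: int, e: int, k: int) -> tuple[int, int]:
    """Build a second key (n2, e2) whose concatenated MPI bodies are byte-for-byte
    those of (n, e): the last k bytes of n are moved onto the front of e, so the
    two keys have different sizes but identical raw bits. The first moved byte
    must be non-zero so that e2 still has a minimal (leading-zero-free) encoding."""
    nb, eb = mpi_body(n), mpi_body(e)
    if not 0 < k < len(nb) or nb[-k] == 0:
        raise ValueError("slide would change the minimal encodings")
    return int.from_bytes(nb[:-k], "big"), int.from_bytes(nb[-k:] + eb, "big")


def demo() -> dict:
    # Constructed toy key: a 56-bit "modulus" and e = 65537.
    n, e = 0xC0FFEE156700D5, 0x010001
    n2, e2 = slide_boundary(n, e, 1)  # n2 = 0xC0FFEE156700, e2 = 0xD5010001
    return {
        "distinct_keys": (n, e) != (n2, e2),
        "same_raw_bytes": mpi_body(n) + mpi_body(e) == mpi_body(n2) + mpi_body(e2),
        "v3_collides": v3_style_fingerprint(n, e) == v3_style_fingerprint(n2, e2),
        "canonical_collides": canonical_fingerprint(n, e) == canonical_fingerprint(n2, e2),
        "round_trip": decode_fields(encode_fields([mpi_body(n), mpi_body(e)]))
        == [mpi_body(n), mpi_body(e)],
    }


if __name__ == "__main__":
    print(demo())
```

The point of `decode_fields` being strict (no trailing bytes, no truncation) is the property Ben Laurie says real DER implementations lose: if exactly one byte string decodes to each field list, a verifier can re-encode the parsed object and check the signature over the re-encoded bytes instead of having to keep the original bits around.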
