LibTomNet [v0.01]

tom st denis tomstdenis at yahoo.com
Mon Jul 7 20:37:09 EDT 2003


--- Eric Rescorla <ekr at rtfm.com> wrote:

> > Heck, if you could find a security flaw in LibTomNet [v0.03] I'll buy
> > you a beer.
> Your protocol does not appear to have any protection against
> active attacks on message sequence, including message deletion,
> replay, etc.  True, the attacker can't inject *predictable* plaintext,
> but he can inject garbage plaintext and have it accepted as real.

No, he can't.  You need a correct HMAC for the data to be accepted.
This allows a replay attack, which I should fix.  One beer.

Ultimately, though, the plaintext won't match if you replay, so it's
only half a bug [though a bug that must be fixed].

> Your protocol is susceptible to a truncation attack via TCP FIN forging.

I don't even know what that is, but my protocol must read an entire block
before parsing it.

> Your server doesn't generate any random values as part of the handshake,
> thus leaving you open to full-session replay attack.

Which is why people should use some authentication scheme on top of
this.  Note that the server has no clue who you are after making the
connection.  This is intentional.

So if you are in the area [or at Crypto'03] I'll buy you a beer.

Tom
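The record-layer issues argued over in this message, as an added example that is not part of the original post and not LibTomNet code: a toy "stream cipher + HMAC" record layer in which the MAC covers only the ciphertext, so a replayed record still verifies but decrypts to garbage that the receiver accepts (Eric's point), beside the same layer with the record counter bound into the MAC, which rejects the replay. The second half models the truncation attack: the receiver reads whole records, as Tom says, but a forged FIN between records goes unnoticed unless the stream ends with an authenticated close marker. The record format, the SHA-256 counter-mode keystream standing in for the real cipher, the key values and the attacker helpers are all assumptions; the handshake (and so the server-nonce / full-session replay point) is not modeled.

```python
"""Toy record layer illustrating replay and truncation against an HMAC-only
record format.  Not LibTomNet code: format, keystream and keys are assumptions."""
import hashlib
import hmac
import os
import struct

DATA, CLOSE = 0, 1   # record types; CLOSE is an authenticated end-of-stream marker
TAG_LEN = 32


def keystream(key, pos, n):
    """Stand-in stream cipher: SHA-256 in counter mode, sliced at byte offset pos."""
    out, block = b"", pos // 32
    while len(out) < (pos % 32) + n:
        out += hashlib.sha256(key + struct.pack(">Q", block)).digest()
        block += 1
    return out[pos % 32:pos % 32 + n]


class Endpoint:
    """One direction of the stream.  bind_sequence=False models a MAC over the
    record type and ciphertext only; True also binds the record counter."""

    def __init__(self, enc_key, mac_key, bind_sequence, expect_close):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.bind_sequence, self.expect_close = bind_sequence, expect_close
        self.pos = 0          # keystream offset: bytes sent/received so far
        self.seq = 0          # records sent/received so far
        self.closed = False

    def _tag(self, rtype, ct):
        assoc = struct.pack(">B", rtype)
        if self.bind_sequence:
            assoc += struct.pack(">Q", self.seq)
        return hmac.new(self.mac_key, assoc + ct, hashlib.sha256).digest()

    def seal(self, pt, rtype=DATA):
        ct = bytes(a ^ b for a, b in zip(pt, keystream(self.enc_key, self.pos, len(pt))))
        rec = struct.pack(">BI", rtype, len(ct)) + ct + self._tag(rtype, ct)
        self.pos += len(ct)
        self.seq += 1
        return rec

    def open(self, rec):
        if len(rec) < 5:
            raise ValueError("short record")
        rtype, n = struct.unpack(">BI", rec[:5])
        ct, tag = rec[5:5 + n], rec[5 + n:5 + n + TAG_LEN]
        # Without the counter in the MAC, a replayed record's tag still verifies:
        # nothing ties the tag to the position at which the record arrives.
        if len(ct) != n or len(tag) != TAG_LEN or \
                not hmac.compare_digest(tag, self._tag(rtype, ct)):
            raise ValueError("bad MAC")
        # Decryption uses the receiver's keystream offset, so a replayed record
        # decrypts to garbage, which is returned as if it were real data.
        pt = bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, self.pos, n)))
        self.pos += n
        self.seq += 1
        if rtype == CLOSE:
            self.closed = True
        return rtype, pt


def deliver(receiver, wire):
    """Process records until the wire ends (a TCP FIN, genuine or forged).
    Returns (accepted plaintexts, error string or None)."""
    accepted = []
    for rec in wire:
        try:
            rtype, pt = receiver.open(rec)
        except ValueError as e:
            return accepted, str(e)
        if rtype == DATA:
            accepted.append(pt)
    if receiver.expect_close and not receiver.closed:
        return accepted, "truncated: stream ended without an authenticated CLOSE"
    return accepted, None


# Constructed attacker models: replay a captured record, or forge a FIN that
# ends the stream one record early.
def replay_first(wire):
    return wire + [wire[0]]


def forged_fin(wire):
    return wire[:-1]


def run(messages, bind_sequence, use_close, attack=lambda w: w, keys=None):
    """Drive one direction sender -> attacker -> receiver with fresh (or given) keys."""
    enc_key, mac_key = keys or (os.urandom(32), os.urandom(32))
    sender = Endpoint(enc_key, mac_key, bind_sequence, use_close)
    receiver = Endpoint(enc_key, mac_key, bind_sequence, use_close)
    wire = [sender.seal(m) for m in messages]
    if use_close:
        wire.append(sender.seal(b"", CLOSE))
    return deliver(receiver, attack(wire))


if __name__ == "__main__":
    msgs = [b"transfer 100 to bob", b"logout"]    # constructed sample traffic
    print("no seq, replay:   ", run(msgs, False, False, replay_first))
    print("seq bound, replay:", run(msgs, True, False, replay_first))
    print("no CLOSE, FIN:    ", run(msgs, True, False, forged_fin))
    print("CLOSE, FIN:       ", run(msgs, True, True, forged_fin))
```

In the first run the replayed record passes the MAC check and a third, garbage plaintext is handed up with no error; binding the counter into the MAC turns the same replay into "bad MAC", and the same binding rejects deleted or reordered records since the receiver's counter no longer matches. Reading whole records does nothing against a forged FIN: without a CLOSE marker the shortened stream looks like a clean shutdown, and only the authenticated CLOSE lets the receiver tell truncation from a genuine end of stream.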


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com