How effective is open source crypto? (bad form)

Anne & Lynn Wheeler lynn at garlic.com
Sun Mar 16 13:26:59 EST 2003 

At 09:30 AM 3/16/2003 -0800, Eric Rescorla wrote:

>Correct.
>
>It's considered bad form to design systems which have known replay
>attacks when it's just as easy to design systems which don't.
>If there were some overriding reason why it was impractical
>to mount a defense, then it might be worth living with a replay
>attack. However, since it would have only a very minimal effect
>on offered load to the network and--in most cases--only a marginal
>effect on latency, it's not worth doing.
>
>-Ekr
>
>--
>[Eric Rescorla                                   ekr at rtfm.com]
>                 http://www.rtfm.com/

so, lets look at the alternatives for servers that are worried about server 
replay attacks:

client has public key & crypto-preferred info (dns or cached), generates 
random secret key, encrypts request, encrypts random secret key, single 
transmission

server gets request ... application has opened the connection with or w/o 
server replay attack. if the application, higher level protocol has its own 
repeat checking .... it has opened the connection w/o server replay attack. 
and the server sends the request up the stack to the application. If the 
application has opened the connection with server replay attack, the 
protocol sends back some random data (aka its own secret)... that happens 
to be encrypted with the random key.

The client is expecting either the actual response or the replay attack 
check. If the client gets the actual response, everything is done. If the 
clients gets back the replay attack check .... it combines it with 
something .... and returns to the server.

The difference is basic two packet exchange (within setup/teardown packet 
exchange overhead) plus an additional replay prevention two packet exchange 
(if the higher level protocol doesn't have its own repeat handling 
protocol). The decision as to whether it is two packet exchange or four 
packet exchange is not made by client ... nor the server ... but by the 
server application.

Simple example for e-commerce is sending a P.O. along with payment 
authorization ... the transmitted P.O. form is guaranteed to have a unique 
identifier. The P.O. processing system has logic for handling repeat POs 
... for numerous reasons (not limited to replay attacks).

Single round-trip transaction:

ClientHello/Trans->
                         <- ServerResponse/Finish

Transaction w/replay challenge:

ClientHello/Trans->
                         <-Server replay challenge
ClientResp->
                         <-ServerResponse/Finish


Now, ClientHello/Trans can indicate whether the client is expecting a 
single round-trip or additional data.

Also, the ServerResponse can indicate whether it is a piggy-backed finish 
or not.

So, the vulnerability analysis is what is the object of the replay attack 
and what needs to be protected. I would contend that the object of the 
replay attack isn't directly the protocol, server, or the system .... but 
the specific server application. Problem of course, is that with generic 
webserver (making the connection) there might be a couple levels of 
indirection between the webserver specifying the connection parameters and 
the actual server application (leading to webservers always specifying 
replay challenge option).
--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
   
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list