Monoculture
Steven M. Bellovin
smb at research.att.com
Wed Oct 1 22:40:14 EDT 2003
In message <87d6dgbnhj.fsf at snark.piermont.com>, "Perry E. Metzger" writes:
>
>Unfortunately, those parts are rather dangerous to omit.
>
>0) If you omit the message authenticator, you will now be subject to a
> range of fine and well documented cut and paste attacks. With some
> ciphers, especially stream ciphers, you'll be subject to far worse
> attacks still.
>1) If you omit the IV, suddenly you're going to be subject to a
> second new range of attacks based on the fact that fixed blocks
> will always encrypt the exact same way.
>
>We went through all that, by the way, when designing IPSec. At first,
>we didn't put in mandatory authenticators, because we didn't
>understand that they were security critical. Then, of course, we
>discovered that they were damn critical, and that most of the text
>books on this had been wrong. We didn't understand lots of subtleties
>about our IVs, either. One big hint: do NOT use IVs on sequential
>packets with close hamming distance!
Better yet, don't use predictable IVs; the threat is much clearer.
Perry is right -- a number of us learned the hard way about
cryptographic protocol complexity. I led the fight to remove sequence
numbers from the early version of ESP, since no one could elucidate a
threat model beyond "the enemy could duplicate packets". My response
was "so what -- packet duplication is always possible per the IP
datagram model". (A while back, my ISP fulfilled that part of the
model; I was seeing up to 90% duplicate packets. But I digress.) But
then I wrote a paper where I showed lots of ways to attack IPsec if you
didn't have both sequence numbers and integrity protection, so I led
the fight to reintroduce sequence numbers, and to make integrity
protection part of ESP rather than leaving it to AH. We all learn,
even in embarrassing ways.
My first published cryptographic protocol, EKE, has had an interesting
history. One version of it is still believed secure: encrypt both halves
of a DH exchange with a shared secret. (Ironically enough, that was
the very first variant we came up with -- I still have the notebook
where I recorded it.) We came up with lots of variations and
optimizations that all looked just fine. We were wrong...
Someone has already alluded to the Needham-Schroeder protocol. It's
instructive to review the history of it. The original protocol was
published in 1978; it was the first cryptographic protocol in the open
literature. Presciently enough, it warned that cryptographic protocol
design seemed to be a very suble art. Three years later, Denning and
Sacco showed an attack on the protocol under certain assumptions; they
suggested changes. In 1994, Abadi and Needham published a paper
showing a flaw in the Denning-Sacco variant. In 1996, Lowe published
a new attack on the *original* Needham-Schroeder paper. Translated
into modern terms -- the first paper was published before certificates
were invented -- the faulty protocol was only three lines long! Three
lines of protocol, in the oldest paper in the literature, and it took
18 years to find the flaw...
No, we're not a guild. To me, "guild" has connotations of exclusivity
and closed membership. Anyone can develop their own protocols, and
we're quite happy -- *if* they understand what they're doing. That
means reading the literature, understand the threats, and deciding
which you need to counter and which you can ignore. In IPsec, Steve
Kent -- who has far more experience with cryptographic protocols than
most of us, since he has access to, shall we say, more than just the
open literature -- was a strong proponent of making integrity checks
option in ESP. Why, when I just finished saying that they're
important? Integrity checks can be expensive, and in some situations
the attacks just don't apply. The trick is to understand the
tradeoffs, and *to document them*. Leave out what you want, but tell
people what you've left out, why you've left it out, and under what
circumstances will that change get them into trouble.
--Steve Bellovin, http://www.research.att.com/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list