Hello all,
Maybe this has been asked and answered, but it seems like session key derivation
can be triggered by a packet that has not yet been authenticated since one can't
authenticate such a packet until after the new session keys have been derived.
Isn't that true? Or am I missing something? When the packet index is zero,
modulo the key derivation rate, then you have to do a key derivation to get
the authentication key to attempt to authenticate the packet. Right?
So it seems like an attacker can cause significant CPU usage, especially for a low key
derivation rate (i.e., frequently deriving new session keys) by just sending packets with
random sequence numbers and getting lucky when they fall within the range that causes
a new key derivation. Once the offending packet fails authentication the damage
could be undone (save old keys etc. and don't overwrite until the packet is
authenticated) but it would still burn significant CPU time doing the derivation?
Is this a correct assessment?
Regards,
Mike Taylor
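The receiver path described in the mail, as an added Python model that is not part of the thread: it assumes an HMAC-SHA256 stand-in for the SRTP key-derivation PRF, a derivation interval r = index // KDR, and the "save old keys, commit only after authentication" mitigation the mail proposes, so that the CPU cost (counted derivations) of forged packets can be measured separately from the state damage they do.

```python
import hashlib
import hmac

# Constructed stand-in for the SRTP key-derivation PRF (RFC 3711 uses AES-CM); HMAC-SHA256 keeps
# the model self-contained. Only the *number* of derivations matters for the CPU-cost question.
MASTER_KEY = b"\x11" * 16
KDR = 16  # key_derivation_rate: new session keys every 16 packets (deliberately low)

def derive_auth_key(master_key: bytes, r: int) -> bytes:
    """Session auth key for derivation interval r = index // KDR (RFC 3711 label 0x01)."""
    return hmac.new(master_key, b"\x01" + r.to_bytes(6, "big"), hashlib.sha256).digest()

def auth_tag(key: bytes, payload: bytes, index: int) -> bytes:
    return hmac.new(key, payload + index.to_bytes(6, "big"), hashlib.sha256).digest()[:10]

class Receiver:
    """Receiver that must pick an auth key before it can check a packet's tag. Keys for a new
    interval are derived on demand (the unavoidable cost) but only *committed* once a packet
    using them authenticates, so a forged packet cannot clobber the active session keys."""
    def __init__(self, master_key: bytes, kdr: int):
        self.master_key, self.kdr = master_key, kdr
        self.active_r, self.active_key = 0, derive_auth_key(master_key, 0)
        self.derivations = 1  # CPU-cost counter: derivations performed so far

    def receive(self, index: int, payload: bytes, tag: bytes) -> bool:
        r = index // self.kdr
        if r == self.active_r:
            key = self.active_key
        else:  # cannot authenticate without the interval's key, so derive first
            key = derive_auth_key(self.master_key, r)
            self.derivations += 1
        if not hmac.compare_digest(auth_tag(key, payload, index), tag):
            return False  # failed auth: derived key discarded, active state untouched
        self.active_r, self.active_key = r, key  # promote only after successful auth
        return True

def forged_packet_cost(n_forged: int, kdr: int = KDR) -> tuple:
    """Feed n_forged unauthenticated packets whose indices each start a new derivation
    interval (the attacker 'getting lucky' every time) and report (derivations forced,
    active keys unchanged, legitimate packet still accepted afterwards)."""
    rx = Receiver(MASTER_KEY, kdr)
    for i in range(1, n_forged + 1):
        rx.receive(i * kdr, b"junk", b"\x00" * 10)  # constructed forged packet with a garbage tag
    forced = rx.derivations - 1
    untouched = rx.active_r == 0
    legit_index = 5
    good_tag = auth_tag(derive_auth_key(MASTER_KEY, 0), b"voice", legit_index)
    ok = rx.receive(legit_index, b"voice", good_tag)
    return forced, untouched, ok
```

The model confirms the assessment in the mail: each forged packet that lands in a new interval costs one full derivation even though it never authenticates, while deferring the key commit keeps the active keys and later legitimate packets intact.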