[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [AVT] Attack causing false key derivation

To: <mtaylor.design at yahoo.com>
Subject: Re: [AVT] Attack causing false key derivation
From: mcgrew <mcgrew at cisco.com>
Date: Fri, 07 Mar 2008 09:26:42 -0800
Authentication-results: sj-dkim-3; header.From=mcgrew at cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: avt at ietf.org
Delivered-to: ietfarch-avt-web-archive at core3.amsl.com
Delivered-to: avt at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=3097; t=1204910819; x=1205774819; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew at cisco.com; z=From:=20mcgrew=20<mcgrew at cisco.com> |Subject:=20Re=3A=20[AVT]=20Attack=20causing=20false=20key= 20derivation |Sender:=20; bh=l1O4MwVoomzyB3aXIEsPRXQ6jrAyhy7ThkjedZT6qCE=; b=OSalVwC3cpA6/KvufZUzJaI/V8KstqXP/EYT7pEgRutrOHEvprzgvV4beV 1UhKuZUjPNu58uiLBQD87kazXwxvWFih3gIdhoJJxW7fpF1axpdddqjWP04P 7VMjDCTqeB;
List-help: <mailto:avt-request@ietf.org?subject=help>
List-id: Audio/Video Transport Working Group <avt.ietf.org>
List-post: <mailto:avt@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
Sender: avt-bounces at ietf.org
Thread-index: AciAeGiip0+D1uxrEdyuUQAUUQnMFg==
Thread-topic: [AVT] Attack causing false key derivation
User-agent: Microsoft-Entourage/11.2.4.060510

Hi Mike,

>Hello all,
> 
>Maybe this has been asked and answered, but it seems like session key
>derivation can be triggered by a packet that has not yet been authenticated
>since one can't authenticate such a packet until after the new session keys
>have been derived.  Isn't that true?

Yes, that's right. 

>Or am I missing something.  When the packet index is zero, modulo the key
>derivation rate, then you have to do a key derivation to get the
>authentication key to attempt to authentication the packet.  Right?

Exactly.

> 
>So it seems like an attacker can cause significant CPU usage, especially for a
>low key derivation rate (i.e., frequently deriving new session keys) by just
>sending packets with random sequence numbers and getting lucky when they fall
>within the range that causes a new key derivation.  Once the offending packet
>fails authentication the damage could be undone (save old keys etc. and don't
>overwrite until the packet is authenticated) but it would still burn
>significant CPU time doing the derivation?
> 
>Is this a correct assessment?

Yes and no.  Your analysis of the protocol is right, but in most cases the
additional CPU usage due to the need to generate a new authentication key is
not that significant.   When the default authentication method of HMAC-SHA1,
it takes two AES operations to generate a new auth key; this is the same
amount of time that it takes to encrypt 32 bytes of data with AES.  So if
the packets are 80 bytes, by way of example, then the cost of generating the
auth key is an additional 40% of the cost of encryption.  It would be an
even smaller fraction of the total crypto cost, since we need to factor in
the computational cost of checking the authentication of the packet too.
For small packets, the computational cost of HMAC-SHA1 authentication is
actually greater than the cost of AES encryption, so in the above example
the key derivation overhead drops to 20%.   So for many applications, I
would expect that the additional cost of a key derivation could be fit into
the processor budget associated with the processing of a single packet.

I suppose that the worst case scenario would be g.729, in which the two AES
operations are required to encrypt the packet, and the cost of HMAC-SHA1
authentication would be roughly double that cost (recall that authentication
processes the headers as well).   Deriving a key will take an additional %33
of the CPU.  Quite possibly there are processors that could handle the
default SRTP cryptoalgorithms, but could not handle that additional burden -
I guess they might need to avoid using the key derivation.   (As a side
note, the cost of g.729 encoding on a DSP is higher than that for the
cryptography, so the actual picture might not be so bleak.  The shortest
packets come from the most intensive compression algorithms, so there is an
inverse relationship between the amount of processing needed for compression
and the amount needed for cryptography.)

Best regards, 

David

> 
>Regards,
> 
>Mike Taylor

_______________________________________________
Audio/Video Transport Working Group
avt at ietf.org
https://www.ietf.org/mailman/listinfo/avt

Prev by Date: Re: [AVT] Review of draft-ietf-avt-rtp-atrac-family-13
Next by Date: [AVT] Ad-hoc meeting in Philadelphia to discuss SVC
Previous by thread: [AVT] Attack causing false key derivation
Next by thread: [AVT] Presentations for the AVT sessions in Philadelphia
Index(es):
- Date
- Thread