[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RPSEC] rate limiting management traffic, redux

Hi,

At 16:22 17/04/2003 -0700, Mark Handley wrote:
>Suppose I have two routers, A and B that were communicating securely.
>Now, A restarts.  How is B going to accept any more packets from A, as
>A can no longer send packets that fall in the window?
>
>I think you implied (trying to fill in the details myself): 
>
> - A sends a re-initialization packet to B with nonce_A. 

If you send nonce_A and H(secret, nonce_A) you will ensure that router A
is authenticated because (by the definition) only A knows the secret.
The router A can also offer a new sequence number in the same packet.
To make guessing even harder we can say that the router A should
send H(secret, nonce_A, new_seq_A).

By sending only nonce_A you are forcing the router B to respond to
any request it receives. It does not have any means to discriminate
which requests are legitimate and which are not. By sending a hash
in the first packet you can authenticate the sender.

> - B replies with nonce_A and a new nonce_B. 

B can reply with nonce_A, nonce_B, new sequence B and H(secret,
nonce_B, new_seq_B) and H(secret, sequence A+1). The first hash
H(secret, nonce_B, new_seq_B) server to initialize the new
sequence number for the reverse session (from A to B). The second
hash, H(secret, seq_A+1) is used normally as envisaged. The router
A will check it first to determine if it will accept the packet
or not.

I think that you can accomplish the same result with only two
messages instead of four. Since all data are sent in the clear
the strength of the protection lies in the one-way hash function
and the shared secret.

These steps could probably be abandoned.

> - A sends nonce_A and nonce_B back to B along with the new sequence
>   number it wants to use and the one-way hash of nonce_A, nonce_B,
>   the new sequence number and the secret.
>
> - On success, B sends nonce_A and nonce_B back to A, the new sequence number
>   specified by A, and the one-way hash of nonce_B (but not nonce_A to
>   avoid replay) the new sequence number and the secret.
>
>On success, the new secret becomes the hash of the old secret and the
>two nonces.

Even using the modified handshake you can derive the new key in the
same manner. A and B are mutually authenticated and H(secret, nonce_A,
nonce_B) was never transmitted.

Gaus
==============
Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt>      Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
==============
There are no insolvable problems. 
The question is can you accept the solution? 

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec