A small problem in security protocol

A small problem in security protocol
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 General Computer Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
A small problem in security protocol wt.eric@gmail.com 09-01-2006
Posted by wt.eric@gmail.com on September 1, 2006, 11:42 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
        In many protocols under academic discussion (like NSPK protocol,
Big-mouth-frog protocol, etc) there is no an apparent field in some
messages that shows which step in which protocol this message is and
who is the sender of this message, is it a problem?

        I got this problem for if there is no such a tag, it will bring a
problem that when one agent receive a message in the protocol, how does
he know use which key in his own private key and other agents' public
(maybe decades or even hundreds) to decrypt the message like message 1
in NSPK protocol in an environment where many different protocols and
multi instances of same protocol are executed at the same time. It is
impossible to try each key for most asymmetric key cryptograph
algorithms are highly resource-cost.

        Considering the case in Woo Lam mutual authentication protocol of
missing the sender's identification:
1. P -> Q : P, N1
2. Q -> P : Q, N2
3. P -> Q : {P, Q, N1, N2}Kps
4. Q -> S : {P, Q, N1, N2}Kps, {P, Q, N1, N2}Kqs

        When Q get message 3 being encrypted by Kps which is a shared key
between P and S and Q didn't know it, consider multi instances of this
protocol are carry out at the same time, how does Q know this message 3
is from P and compose the second half part of message 4 using P's ID in
{P, Q, N1, N2}Kqs? And further considering in a multi protocol
environment, Q may even doesn't know message 3 is a message in Woo Lam
mutual authentication protocol.

        Maybe this problem of showing the sender of message can be resolved
easily by adding the sender ID in the message, but will it bring new
security problem to the protocol? If the protocol analysis won't
consider the situation of multi protocol environment, is it right and
won't there be an attack scheme of cross-protocol attacking?


Posted by =?ISO-8859-1?Q?Lassi_Hippel=E4 on September 4, 2006, 2:31 am
If you were  Registered and logged in, you could reply and use other advanced thread options
wt.eric@gmail.com wrote:
>         In many protocols under academic discussion (like NSPK protocol,
> Big-mouth-frog protocol, etc) there is no an apparent field in some
> messages that shows which step in which protocol this message is and
> who is the sender of this message, is it a problem?

As a general answer (I'm not familiar with the protocols in question):
yes. This is a potential DoS attack vector. If an attacker can inject
messages into the stream, they can knock the state machines out of sync.
Even worse attacks, e.g. session hijack, could be possible if the
protocols aren't designed against it.

That's why many protocols carry cookies or nonces as a security feature.

-- Lassi

Posted by wt.eric@gmail.com on September 4, 2006, 11:30 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Thanks for your response. Maybe I hadn't made a clear description. My
problem is that: when an agent receives an encrypted message (signature
message we assume here), without apparent fields of message sequence
number in protocol and sender's ID, how does he rapidly get know which
message in which protocol this message is and which keys should he use
to decrypt the message.

Lassi Hippel=E4inen wrote:
> wt.eric@gmail.com wrote:
> >         In many protocols under academic discussion (like NSPK protocol,
> > Big-mouth-frog protocol, etc) there is no an apparent field in some
> > messages that shows which step in which protocol this message is and
> > who is the sender of this message, is it a problem?
>
> As a general answer (I'm not familiar with the protocols in question):
> yes. This is a potential DoS attack vector. If an attacker can inject
> messages into the stream, they can knock the state machines out of sync.
> Even worse attacks, e.g. session hijack, could be possible if the
> protocols aren't designed against it.
>
> That's why many protocols carry cookies or nonces as a security feature.
>=20
> -- Lassi


Posted by =?ISO-8859-1?Q?Lassi_Hippel=E4 on September 6, 2006, 2:56 am
If you were  Registered and logged in, you could reply and use other advanced thread options
wt.eric@gmail.com wrote:
> Thanks for your response. Maybe I hadn't made a clear description. My
> problem is that: when an agent receives an encrypted message (signature
> message we assume here), without apparent fields of message sequence
> number in protocol and sender's ID, how does he rapidly get know which
> message in which protocol this message is and which keys should he use
> to decrypt the message.

If the message has no cleartext hints about sender/session, the
recipient has to try each active security association to see which one
matches. That is bad. It puts lots of computational load on the
recipient. An attacker can send bogus packets to overload the recipient.

BTW, modern protocols try to do the opposite. To initiate a session the
other end has to compute a "puzzle" before the recipient dedicates any
resources to the negotiation. That way the attacker can't overload the
machine unless she has an even bigger machine.

-- Lassi

> Lassi Hippeläinen wrote:
>> wt.eric@gmail.com wrote:
>>>         In many protocols under academic discussion (like NSPK protocol,
>>> Big-mouth-frog protocol, etc) there is no an apparent field in some
>>> messages that shows which step in which protocol this message is and
>>> who is the sender of this message, is it a problem?
>> As a general answer (I'm not familiar with the protocols in question):
>> yes. This is a potential DoS attack vector. If an attacker can inject
>> messages into the stream, they can knock the state machines out of sync.
>> Even worse attacks, e.g. session hijack, could be possible if the
>> protocols aren't designed against it.
>>
>> That's why many protocols carry cookies or nonces as a security feature.
>>
>> -- Lassi
>

Similar ThreadsPosted
which security protocol for dealing with this situation September 27, 2007, 4:45 pm
Small Screen Security site September 14, 2006, 6:16 am
Problem installing Norton Internet Security (supervisor access needed) February 13, 2005, 9:22 am
Secure Authentication for Remote Desktop Protocol July 18, 2007, 7:24 pm
Small Mac Library for sale August 5, 2005, 3:27 pm
OT question about small office server October 12, 2005, 10:14 am
small&fast Digital signature algorithm September 6, 2007, 2:25 am
Searching (small) AES file + directory tree encryption tool October 29, 2006, 12:29 pm
Problem K9 August 23, 2004, 8:36 pm
Deleted IE - now got a big problem August 9, 2004, 11:13 pm

The site map in XML format XML site map

Contact Us | Privacy Policy