Flaw Found in VPN Crypto Security 106
peeon writes "CNET reports the British National Infrastructure Security Coordination Centre has discovered a flaw in IPSEC protocol. From the article: 'The flaw, which the NISCC rates as "high" risk, makes it possible for an attacker to intercept IP packets traveling between two IPsec devices. They could then modify the encapsulation security payload--a subprotocol that encrypts the data being transported.'"
Hype Warning (Score:5, Informative)
Always read vulnerability details; people love to sensationalize stuff like this to the extreme.
Re:Hype Warning (Score:4, Interesting)
Re:Hype Warning (Score:3, Informative)
Sure, if you disable authentication. But there's nothing specifically related to NAT traversal.
-a
Re:Hype Warning (Score:5, Informative)
So if you have the integrity trailer turned on -- which, as the original poster said, is good practice -- it should make no difference if it's a raw ESP packet or an ESP packet in the payload of a UDP packet.
There also look to be some fairly large technical difficulties with implementing the attack, not the least of which is that you have to bit flip arbitrarily to recover the data and depending on your SA lifetime that might not be terribly productive.
Yes, it's a flaw in IPSec and that's bad, but I think it's technically a very difficult attack AND relatively easy to work around.
Re:Hype Warning (Score:2)
No, it is not a flaw in IPsec. It is simply a misconfiguration. IPsec is a very flexible protocol, and it has been both praised and criticized for that fact. The upside is that you can choose to use whatever crypto algorithms you want. The downside is that you may choose a dumb combination.
-a
No, it doesn't (Score:2)
Re:Hype Warning (Score:1)
Quick, all you psuedo-pro's get out your VPN cheat sheet and study up!
oh yeah, and RTFA!!!
Re:Hype Warning (Score:1)
Re:Hype Warning (Score:2)
Re:Hype Warning (Score:1)
First, why would you want to encaps IPSec into GRE? And no. It is a flaw in ESP.
Re:Hype Warning (Score:2)
What you say is true.
Another thing that hasn't been mentioned is that most VPN boxes would use SPD checking to verify that the IPs of packets coming out of the tunnel matc
Moreover (Score:3, Interesting)
Re:The Founding Fathers (Score:2)
What do you think "the conquest of the west" was?
America was built by invading lands occupied by others and driving them out and/or killing them. That's not how we ought to behave now, but was not too far from a mainstream attitude then.
All countries were created and re-created the same way, many times, over millennia. Look at Britain, created by successive waves of invasion and colonisation. Before America, the indigines did the same thing to each other. Prior to the invention of the modern sta
Re:Old news (Score:5, Insightful)
Slashdot is only as up-to-date as you make it. AFAIK the editorial team don't go looking for articles, they wait for YOU the reader to submit them.
If you want current news, you should participate in providing it.
Re:Old news (Score:2)
Yeah, like readers are even remotely in control here...
In bizarro slashdot-land, there's no doubt a peer-reviewed, wiki-ish news system and their critics are arguing that all the trouble with old news, inanity and dupes could be solved if they allowed advertising and used the profit to hire
Whew... (Score:5, Informative)
I was worried there for a second.
Ok, no I wasn't.
Re:Whew... (Score:3, Informative)
Re:Yea. (Score:2)
Re:Yea. (Score:5, Funny)
That's fine if you don't care about the security of your data. Current cryptanalysis indicates that at a minimum you want 16 rounds of ROT-13. And since I'm rather paranoid, as a rule I tend to double the recommendations of cryptographic primitives, so I use 32 rounds of ROT-13. With current CPUs as fast as they are, there's very little reason to use less than 16 rounds. And 2 rounds is just insanity.
I dare you to crack my data.
Jason.
Re:Yea. (Score:2, Funny)
That's fine if you don't care about the security of your data. Current cryptanalysis indicates that at a minimum you want 16 rounds of ROT-13. And since I'm rather paranoid, as a rule I tend to double the recommendations of cryptographic primitives, so I use 32 rounds of ROT-13. With current CPUs as fast as they are, there's very little reason to use less than 16 rounds. And 2 rounds is just insanity.
I dare you to crack my data.
Re:Yea. (Score:2)
-
Re:Yea. (Score:1)
3328 rot-13's work for me...
plus as an added bonus, you can preview the encrypted message for spelling errors before you post it!
shine,
Re:Yea. (Score:1)
Re:Whew... (Score:3, Insightful)
I can't quite speak to its security, but there's nothing I've seen that makes me the least bit concerned. Although Peter Gutmann didn't do a real audit of openvpn, he did have this to say [auckland.ac.nz] about it: "... but a q
Re:Whew... (Score:2)
Easier to configure than most if not all IPSec-based solutions.
Provides pretty much the same functionality, except for obscure bells and whistles.
Has similar, if not better, security.
Runs on pretty much all important platforms.
Has a GUI for Windows, so that even dummies can use it.
It Simply Works (TM).
I will never go back to IPSec.
Re:Whew... (Score:1)
Re:Whew... (Score:2)
I can't argue with this. But IPsec's biggest enemy is its own complexity. I've read enough about IPsec and it scares the shit out of me. Sure, I can set it up and see that it works (and have done so). But to really understand what's going on would take a me a solid week (probably more) of research, and even then there's no guarantee
Re:Whew... (Score:3, Insightful)
OpenVPN's security model [openvpn.net] is quite strong -- as documented in the FAQ [openvpn.net], it borrows heavily from preexisting (time-tested, heavily reviewed) protocols (not just SSL but ESP as well), and supports multiple layers of security (ie. "tls-auth", a pre-shared key authenticating all traffic; support for running unprivileged and within a chroot jail to prevent OS-level security breaches; etc). Further, the (limited region of) code which handles pre-authentication network traf
Re:Whew... (Score:2)
Consider that the average person rewiring their own home often doesn't know of the dangers of having polarity reversed on outlets despite knowing how to use a screwdriver and knowing that grounding is important.
Consider that those who do know about polarity issues might not know about the heat dissipation limitations of various sizes of box for the wi
Re:Whew... (Score:2)
True.
Notably, while OpenVPN's core is documented well enough to allow peer review of its design, and the code is clean enough to allow for easy desk checking, I haven't seen a single 3rd-party patch to the crypto portions submitted or accepted. As such, it's not such an amateur effort as you perhaps make it out to be -- there's a single author of the core, and to the best of my l
Re:Whew... (Score:2)
Getting crypto right requires a lot of thought, that's all. I'm sure OpenVPN works well for you, but I'll stick to ipsec for now.
Re:OpenBSD is clear (Score:3, Informative)
No, the one hole was in openssh. There have been many (well at least one) holes in their apache, but apache is not enabled by default so it is not counted. Openssh is enabled by default, so it counts.
Re:OpenBSD is clear (Score:3, Insightful)
2) Look a the openssh.org homepage. Notice the quote 'OpenSSH is primarily developed by the OpenBSD Project, and its first inclusion into an operating system was in OpenBSD 2.6. '
I'm siding with bluGill on this point, the AC is the dumbass on this trhread.
Nonsense (Score:5, Informative)
Re:Nonsense (Score:2)
Not only that, but this is as designed. If you want to guarantee the integrity of the ESP payload, you've got to turn on integrity guarantees. That's why the option is there. Encryption != guaranteed integrity!
Shame on any vendor which doesn't enable integrity checks on ESP payloads by default. If they make it easy enough to use IPSec without understanding it, they've got a responsibility to use secure defaults or warn the user (loudly) when insecure defaults are used.
So... (Score:2)
Why wouldn't the payload data be encrypted in the first place?
After all, we are talking about sending packets over public lines.
Am I missing something here?
Re:So... (Score:1)
How would you communicate how this is encrypted? You'd need another payload data, which would probably be vulnerable to the same attack.
Re:So... (Score:1)
Of course, the whole thing relies on you having message authentication (hmac-md5 or hmac-sha1) off. Something which was already known to be a bad idea.
With authentication off, someone can twiddle bits in the packet (without knowing their original state, but they can predictably flip a specific bit). From that, you look at the reply. If you do this enough times to field
Re:end-to-end (Score:1, Troll)
simple people. Challenge response + salts + cipher + MAC == much simpler and likely more secure.
If you wanna have fun look at 802.16e it's like 950 pages and specifies dozens of encode methods for the data [e.g. FSK, BFSK, QAM]
So it has 16 modes to transmit it... let's see what the hardware will do... oh right THE BARE ASS MINIMUM
second security flaw today? (Score:1)
I could be wrong, TFA is very sparse on details...
Re:second security flaw today? (Score:1)
Don't go replacing anything just yet. (Score:2, Informative)
Wrong Answer - Please ignore parent (Score:5, Informative)
From the article it states clearly that it is a mode of ESP in tunnel mode that causes the problem NOT IKE (Internet Key Exchange) that is used for session setup.
Now the solution might be in IKE as in don't let IKE configure ESP without authentication - but this boys and girls is why you NEVER do encryption without authentication
Agreed - ICMP backchannel is cute, though (Score:2)
Re:Wrong Answer - Please ignore parent (Score:1)
Re:Wrong Answer - Please ignore parent (Score:2)
Because it causes people to vehemently rise up against it?
OH... you meant insightful.
VPN (Score:5, Funny)
Re: (Score:2)
This method is known as .... (Score:1)
Re:Don't use agressive mode PSK (Score:2)
Yeah... it's called brute force.
A lot of boxes on the net use relatively weak passwords, so it shouldn't take too long, actually... although you might set off the IDP.
-a
Misleading hype (Score:4, Informative)
More info here [cert.org].
Solution (Score:4, Informative)
Solution
- - --------
Any of the following methods can be used to rectify this issue:
1. Configure ESP to use both confidentiality and integrity protection. This is the recommended solution.
2. Use the AH protocol alongside ESP to provide integrity protection. However, this must be done carefully: for example, the configuration where AH in transport mode is applied end-to-end and tunnelled inside ESP is still vulnerable.
3. Remove the error reporting by restricting the generation of ICMP messages or by filtering these messages at a firewall or security gateway.
Sweet Friday the 13th! (Score:4, Funny)
So who came out a winner betting on this trifecta?
Re:Sweet Friday the 13th! (Score:1)
Microsoft.
Severity of the flaw? (Score:1)
Grrr... (Score:1)
Re:Grrr... (Score:1, Funny)
Re:Grrr... (Score:1)
No, here's what you do: Set up Dvorak->Qwerty transliterative fonts on all your workstations at both ends, and set the keyboard layouts to Dvorak. Your users will still type as if the layout were QWERTY, and due to the transliterative fonts the letters will appear correct. For instance, the user will type the key that they think is "S", but on a Dvorak layout that key is really "O", so the character they typed is "O". However,
Re:Grrr... (Score:2)
Only relevant to the standard (Score:4, Insightful)
It's extremely difficult to design a cryptosystem with optional features, because the security of various techniques tends to depend on properties provided by other techniques, and it's difficult to determine, especially in a committee, whether these properties are provided for the proper function of the system or because the end user is likely to want them.
Re:Only relevant to the standard (Score:2)
IIRC, the standard doesn't say that. I believe it says the opposite.
Disabling authentication is just something vendors like do to increase their published performance numbers. No one should actually deploy that configuration.
-a
Slashdot provides critical security advisory! (Score:5, Funny)
Flashy Title Generates Ad Clicks!` (Score:1)
SSL vulnerable too! (Score:1)
More Info... (Score:2, Informative)
Old News.. This is a non-issue (Score:4, Informative)
But, the creators of IPSec told us this a LONG time ago.. Security wizard Steve Bellovin analyzed this as part of his IPSec reviews and said that encryption without authentication is a very bad idea. See the FreeS/WAN FAQ pages for more info ( http://www.manualy.sk/freeswan-1.3/doc/overview.h
Mr. Bellovin presented a paper on this in the Usenet Security Symposium of July 1996.
No sane IPsec implementation id vulnerable (Score:3, Informative)
Number of Solutions (Score:2)
The NISCC includes a number of solutions to this issue in its advisory.
Solutions:
This is a known issue (Score:3, Informative)
This even works with TCP even though the plaintext header is checksummed. We showed that it was easy to get an identical checksum by modifying an unused part of the TCP header along with a more important part, like destination port.
Using authentication defeats this attack. Just don't forget to authenticate and everything is peachy.
This is the Paris Hilton of Security Advisories (Score:2, Informative)
To call this issue well-known would be an understatement. It is even mentioned in the RFC2406 [rfc-editor.org] in the Introduction. RFC2406 happens to be to RFC that defines ESP mode in IPsec.
It must be a slow news day in Great Britain.
how does VPN work? (Score:2)