Cryptography in Theory and Practice: The Case of Encryption in IPsec

Despite well-known results in theoretical cryptography highlighting the vulnerabilities of unauthenticated encryption, the IPsec standards mandate its support. We present evidence that such “encryption-only” configurations are in fact still often selected by users of IPsec in practice, even with strong warnings advising against this in the IPsec standards. We then describe a variety of attacks against such configurations and report on their successful implementation in the case of the Linux kernel implementation of IPsec. Our attacks are realistic in their requirements, highly efficient, and recover the complete contents of IPsec-protected datagrams. Our attacks still apply when integrity protection is provided by a higher layer protocol, and in some cases even when it is supplied by IPsec itself.

[1]  Phong Q. Nguyen Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3 , 2004, EUROCRYPT.

[2]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[3]  Angela Orebaugh,et al.  Guide to IPsec VPNs , 2005 .

[4]  Sheila Frankel,et al.  The AES-CBC Cipher Algorithm and Its Use with IPsec , 2003, RFC.

[5]  Naganand Doraswamy,et al.  Ipsec: the new security standard for the internet , 1999 .

[6]  Virgil D. Gligor,et al.  On message integrity in cryptographic protocols , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[7]  David A. Wagner,et al.  Intercepting mobile communications: the insecurity of 802.11 , 2001, MobiCom '01.

[8]  Hugo Krawczyk,et al.  The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?) , 2001, CRYPTO.

[9]  Rob Adams,et al.  The ESP CBC-Mode Cipher Algorithms , 1998, RFC.

[10]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[11]  Mihir Bellare,et al.  Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography , 2000, ASIACRYPT.

[12]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[13]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[14]  Cheryl Madson,et al.  The ESP DES-CBC Cipher Algorithm With Explicit IV , 1998, RFC.

[15]  Bruce Schneier,et al.  A Cryptographic Evaluation of IPsec , 1999 .

[16]  Chanathip Namprempre,et al.  Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm , 2004, TSEC.

[17]  Serge Vaudenay,et al.  Password Interception in a SSL/TLS Channel , 2003, CRYPTO.

[18]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[19]  Serge Vaudenay,et al.  Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS , 2002, EUROCRYPT.

[20]  Deepinder P. Sidhu,et al.  Initialization vector attacks on the IPsec protocol suite , 2000, Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000).

[21]  Jon Postel,et al.  Internet Control Message Protocol , 1981, RFC.

[22]  Randall J. Atkinson,et al.  IP Encapsulating Security Payload (ESP) , 1995, RFC.

[23]  Sam Hartman,et al.  The Perils of Unauthenticated Encryption: Kerberos Version 4 , 2004, NDSS.

[24]  Karen Kent,et al.  SP 800-77. Guide to IPsec VPNs , 2005 .

[25]  James Manger,et al.  A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 , 2001, CRYPTO.

[26]  Steven M. Bellovin,et al.  Problem Areas for the IP Security Protocols , 1996, USENIX Security Symposium.

[27]  Jonathan Katz,et al.  Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation , 2000, FSE.