On the (in)security of IPsec in MAC-then-encrypt configurations

IPsec allows a huge amount of flexibility in the ways in which its component cryptographic mechanisms can be combined to build a secure communications service. This may be good for supporting different security requirements but is potentially bad for security. We demonstrate the reality of this by describing efficient, plaintext-recovering attacks against all configurations of IPsec in which integrity protection is applied {\em prior} to encryption -- so-called MAC-then-encrypt configurations. We report on the implementation of our attacks against a specific IPsec implementation, and reflect on the implications of our attacks for real-world IPsec deployments as well as for theoretical cryptography.

[1]  Serge Vaudenay,et al.  Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS , 2002, EUROCRYPT.

[2]  William Stallings Network Security Essentials: Applications and Standards (3rd Edition) , 2006 .

[3]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[4]  Donald E. Eastlake rd Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH) , 2005 .

[5]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[6]  Steven M. Bellovin,et al.  Problem Areas for the IP Security Protocols , 1996, USENIX Security Symposium.

[7]  Randall J. Atkinson,et al.  IP Encapsulating Security Payload (ESP) , 1995, RFC.

[8]  Kenneth G. Paterson,et al.  Cryptography in Theory and Practice: The Case of Encryption in IPsec , 2006, EUROCRYPT.

[9]  Bruce Schneier,et al.  Analysis of the SSL 3.0 protocol , 1996 .

[10]  Serge Vaudenay,et al.  Password Interception in a SSL/TLS Channel , 2003, CRYPTO.

[11]  Khawaja Amer Hayat,et al.  Password Interception in a SSL/TLS Channel , 2004 .

[12]  Stephen T. Kent,et al.  IP Authentication Header , 1995, RFC.

[13]  Charlie Kaufman,et al.  Internet Key Exchange (IKEv2) Protocol , 2005, RFC.

[14]  Bruce Schneier,et al.  Cryptography Engineering - Design Principles and Practical Applications , 2010 .

[15]  Russ Housley,et al.  Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP) , 2004, RFC.

[16]  Robert T. Braden,et al.  Requirements for Internet Hosts - Communication Layers , 1989, RFC.

[17]  Hugo Krawczyk,et al.  The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?) , 2001, CRYPTO.

[18]  Stephen T. Kent,et al.  Security Architecture for the Internet Protocol , 1998, RFC.

[19]  Kenneth G. Paterson,et al.  Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR , 2010, IACR Cryptol. ePrint Arch..

[20]  Kenneth G. Paterson,et al.  Provable Security in the Real World , 2011, IEEE Security & Privacy.

[21]  Phillip Rogaway,et al.  Authentication without Elision: Partially Specified Protocols, Associated Data, and Cryptographic Models Described by Code , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[22]  Bruce Schneier,et al.  A Cryptographic Evaluation of IPsec , 1999 .