
Re: active attacks (Was: Applicability (Was: authmeth review notes [long]))



At 01:55 PM 3/10/2004, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>>At 01:42 PM 3/9/2004, Hallvard B Furuseth wrote:
>>>I wrote:
>>>
>>>> DIGEST-MD5...
>>> ... is also vulnerable to active intermediary attacks ([Authmeth]
>>> section 10).
>> 
>> So is TLS (version downgrade attack), see RFC 2246.
>
>I couldn't find that, but I found 'version rollback attack'.

That's it.

>Then [Authmeth] should mention that TLS is vulnerable too.

Or simply say that implementors should be aware of and understand
TLS security considerations as discussed in RFC 2246.  It does
not make much sense trying to reiterate this material, it can
be incorporated by reference.  However, [Authmeth] should discuss
any LDAP-specific attacks or any LDAP-specific defenses against
these attacks.

>However, an
>unqualified statement that it is vulnerable seems wrong.

My point exactly, as applied to both TLS and DIGEST-MD5.

>As far as I can tell from RFC 2246, TLS is 'reasonably secure'
>if one uses version 3.0+ and addresses the attack properly.

Same can be said for DIGEST-MD5 and its technical specification.

>Should be added to Section
>3.1.4 (Discovery of Resultant Security Level), which will then need to
>
>> DIGEST-MD5 addresses the known active intermediate vulnerability
>> (the layer downgrade attack) of the authentication exchange by
>> stating that both peers must ensure that adequate protections have
>> been established before transferring any application-protocol data.
>> Likewise, [Authmeth] must say this for its use of SASL as LDAP's
>> SASL mechanism discovery facility is also subject to downgrade
>> attacks (unless protected by other means).
>
>Um... that "also" confuses me.  Are you talking about two different
>attacks on DIGEST-MD5, or is it one attack and DIGEST-MD5 is secure
>(as far as we know) if one addresses this attack?

There is an attack on SASL mechanism discovery (mechanism downgrade)
and an attack on the DIGEST-MD5 mechanism (layer downgrade), and these
attacks can be used together in some interesting ways.  Both
attacks (and combined attacks) are addressed by having each peer
ensure the resultant security level meets their minimum
requirements before continuing.  (It is also wise to avoid
entering into an exchange which cannot possibly result in an
acceptable security level.)

I believe all known attacks upon DIGEST-MD5 are discussed in
draft-ietf-sasl-rfc2831bis.  If not, please holler on the SASL
WG list.

Kurt
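
The two checks described in the message above (refuse an exchange that cannot reach the required level, then verify the resultant level before any application data is sent), as an added example that is not part of the original message or of any LDAP or SASL implementation. The `Level` ordering, the `MECH_MAX` table, the `lower_layer` parameter and the function names are assumptions made for illustration; the qop tokens are those of RFC 2831.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    INTEGRITY = 1
    CONFIDENTIALITY = 2

class PolicyError(Exception):
    """Raised when the required security level cannot be or was not reached."""

# DIGEST-MD5 qop tokens (RFC 2831) and the security layer each one installs.
QOP_LEVEL = {"auth": Level.NONE, "auth-int": Level.INTEGRITY,
             "auth-conf": Level.CONFIDENTIALITY}

# Assumed table: strongest layer each mechanism can install by itself.
MECH_MAX = {"ANONYMOUS": Level.NONE, "PLAIN": Level.NONE,
            "CRAM-MD5": Level.NONE, "DIGEST-MD5": Level.CONFIDENTIALITY}

def select_mechanism(advertised, minimum, lower_layer=Level.NONE):
    """Refuse up front if nothing on offer can possibly reach `minimum`.
    `advertised` is the unauthenticated list sent by the server, so strong
    entries may have been removed in transit (mechanism downgrade)."""
    def best(mech):
        return max(lower_layer, MECH_MAX.get(mech, Level.NONE))
    usable = [m for m in advertised if best(m) >= minimum]
    if not usable:
        raise PolicyError(f"no offered mechanism can reach {minimum.name}")
    return max(usable, key=best)

def check_resultant_level(qop, minimum, lower_layer=Level.NONE):
    """Call after authentication and before sending any application data.
    `qop` is the value actually negotiated, which may have been forced
    down to "auth" in transit (layer downgrade)."""
    if qop not in QOP_LEVEL:
        raise PolicyError(f"unknown qop {qop!r}")
    level = max(lower_layer, QOP_LEVEL[qop])
    if level < minimum:
        raise PolicyError(f"negotiated {level.name}, need {minimum.name}")
    return level

if __name__ == "__main__":
    # Constructed scenario: list intact, but qop forced down to "auth".
    mech = select_mechanism(["PLAIN", "DIGEST-MD5"], Level.INTEGRITY)
    try:
        check_resultant_level("auth", Level.INTEGRITY)
    except PolicyError as exc:
        print(mech, "rejected:", exc)
```

Passing `lower_layer=Level.CONFIDENTIALITY` models the "protected by other means" case, where an already established lower layer such as TLS satisfies the minimum regardless of the SASL layer.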