Network Working Group H. Rafiee
INTERNET-DRAFT C. Meinel
Hasso Plattner Institute
Intended Status: Informational Track
Expires: May 25, 2014 November 25, 2013
Possible Attack on Cryptographically Generated Addresses (CGA)
draft-rafiee-6man-cga-attack-00.txt
Abstract
This document describes the new vulnerabilities with the use of
Cryptographically Generated Addresses.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is
at http://datatracker.ietf.org/drafts/current.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 25, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. This document is subject to
BCP 78 and the IETF Trust's Legal Provisions Relating to IETF
Documents (http://trustee.ietf.org/license-info) in effect on the
date of publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Rafiee, et al. Expires May 25, 2014 [Page 1]
INTERNET DRAFT CGA AttackNovember 25, 2013
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Sec value vulnerability . . . . . . . . . . . . . . . . . . . 3
2.1. Duplicate Address Detection Process . . . . . . . . . . . 4
2.2. Nodes communications . . . . . . . . . . . . . . . . . . 5
3. Security Considerations . . . . . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6.1. Normative . . . . . . . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
Rafiee, et al. Expires May 25, 2014 [Page 2]
INTERNET DRAFT CGA AttackNovember 25, 2013
1. Introduction
Cryptographically Generated Addresses (CGA) [RFC3972] is one of the
important options of Secure Neighbor Discovery (SeND) [RFC3971] in
IPv6 networks. CGA provides the node with the proof of IP address
ownership by finding a binding between the public key and the node's
IP address. Therefore, It can protect the nodes from IP spoofing
attack and prevent forging the identity. However, CGA, itself is
vulnerable to some types of attacks such as DoS, replay attack (The
use of timestamp would mitigate this attack), etc [3]. The goal of
this document is not to focus on the well-known attacks but the new
CGA vulnerabilities.
2. Sec value vulnerability
CGA values are the fingerprint of public key. They are generated by
executing a hash function on public key and some other parameters.
Since the default algorithm for generating this hash is SHA-1, the
attacker node only needs to do brute force attacks against 59 bits.
Since Birthday attack is a well-known attacks on hash functions and
CGA value is also the hash of some values, the attacker only needs to
do 2^(n/2) ~= 2^(29.5) brute force attack against the CGA node where
n is the number of bits. In [ugbits], relax the use of these bits.
However, in CGA mixed mode environment these bits have a meaning and
shows whether the node uses CGA or other approaches but we can also
consider the use of these bits. So, the value would be
2^(30.5+sec*16).
To complicate this process, CGA algorithm make use of the sec value
and check the condition of 16*sec value that should be equal to zero.
This presumed to be a way to complicate the brute force attacks and
expand the brute force search to 2^(29.5+ sec*16) possible values.
Unfortunately this is not true and this condition only complicates
the IP address generation process and reduces the performance for the
legitimate CGA node and not for the attacker. The attacker always
uses CGA sec value 0, SHA-1 algorithm.
The reasons are as follow:
- No comparision of source address with target address
Based on the Neighbor Discovery Protocol (NDP) specification on
section 7 RFC 4861 [RFC4861, RFC4862], there is nothing about to
check the source IP address with the target address.
- CGA verifier node ignores the 3 bits sec value
Based on NDP specification, the verifier node checkes to see whether
or not the target address is the same as its own IP address. If it is
Rafiee, et al. Expires May 25, 2014 [Page 3]
INTERNET DRAFT CGA AttackNovember 25, 2013
the same and the node supports CGA, then it starts CGA verification.
Based on step 4 section 5 RFC 3972, the CGA node compares the source
address (IID section) of the sender node to his own IID. The verifier
node ignores 3 bits sec value. So, the attacker can set the target
address to the real CGA address of the victim node disregard its sec
value and set the source address to his own CGA value that is only
different in the 3 leftmost bits. Since the verification is
successful, the attacker can spoof the IP address of CGA node.
- Either conflict on the network or the CGA node waive his rights on
the IP address
The attacker node can persist on his own IP address after a
successful verification by CGA node and either force CGA node to
generate a new IP address and again the attacker repeats this process
or there will be duplicate addresses on the network which cause many
services in the victim network stop working. This is because all the
nodes verify this attacker node the same way as the legitimate CGA
node processed the verification. From their aspects, these two nodes
are the same.
- The lower limit for key size is 384 bits
The attacker does not need to worry about attack on public key and he
can choose the lowest size public key so that he can better play with
the RSA values and easier and faster generates the similar hash of
the CGA node.
- Modifier can be zero
The attacker does not need to generate a really good random value.
Since for him it is only important to match the hash value. This is
especially true for the scenario where the attacker needs to do brute
force attacks against all 64 bits and sec value is not ignored.
In the following subsections, some of these attacks are explained in
more detail.
2.1. Duplicate Address Detection Process
When a node generates his IP address, it process the DAD in order to
avoid collision on the network. The attacker might be able to
generate the CGA value the same of the legitimate CGA node and claim
the ownership of that IP address. The CGA nodes only tries 3 times
and then it give up. This is not limited to DAD process since
whenever the attacker is successful in generating the same value of
any of the CGA node in the network, he can force the CGA node to
waive his rights as we explained in earlier section of this draft.
Rafiee, et al. Expires May 25, 2014 [Page 4]
INTERNET DRAFT CGA AttackNovember 25, 2013
2.2. Nodes communications
When two nodes want to start communication, they try to find the IP
address of eachother by sending multicast NS/NA messages. If the
attacker can generate the CGA of one of these nodes, he can spoof the
identity. This is what against the CGA goal.
3. Security Considerations
-
4. IANA Considerations
-
5. Acknowledgements
The author would like to acknowledge Fabian Braeunlein, one of a
bachelor student at Hasso Plattner Institute who assists us, during
this busy moments, for writing the attacking codes.
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to
Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3972] Aura, T., "Cryptographically Generated Addresses
(CGA)," RFC 3972, March 2005.
[RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander,
"SEcure Neighbor Discovery (SEND)", RFC 3971, March 2005.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., Soliman,
H., "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007.
[RFC4862] Thomson, S., Narten, T., Jinmei, T., "IPv6
Stateless Address Autoconfiguration", RFC 4862, September
2007.
[1] AlSa'deh, A., Rafiee, H., Meinel, C., "Cryptographically
Rafiee, et al. Expires May 25, 2014 [Page 5]
INTERNET DRAFT CGA AttackNovember 25, 2013
Generated Addresses (CGAs): Possible Attacks and Proposed
Mitigation Approaches," in proceedings of 12th IEEE International
Conference on Computer and Information Technology (IEEE CIT'12),
pp.332-339, 2012.
[ugbits] Carpenter, B., Jiang, S., "Significance of IPv6
Interface Identifiers",
http://tools.ietf.org/html/draft-ietf-6man-ug, November 2013
Rafiee, et al. Expires May 25, 2014 [Page 6]
INTERNET DRAFT CGA AttackNovember 25, 2013
Authors' Addresses
Hosnieh Rafiee
Hasso-Plattner-Institute
Prof.-Dr.-Helmert-Str. 2-3
Potsdam, Germany
Phone: +49 (0)331-5509-546
Email: ietf@rozanak.com
Dr. Christoph Meinel
(Professor)
Hasso-Plattner-Institute
Prof.-Dr.-Helmert-Str. 2-3
Potsdam, Germany
Email: meinel@hpi.uni-potsdam.de
Rafiee, et al. Expires May 25, 2014 [Page 7]