Abstract
Despite well-known results in theoretical cryptography highlighting the vulnerabilities of unauthenticated encryption, the IPsec standards mandate its support. We present evidence that such “encryption-only” configurations are in fact still often selected by users of IPsec in practice, even with strong warnings advising against this in the IPsec standards. We then describe a variety of attacks against such configurations and report on their successful implementation in the case of the Linux kernel implementation of IPsec. Our attacks are realistic in their requirements, highly efficient, and recover the complete contents of IPsec-protected datagrams. Our attacks still apply when integrity protection is provided by a higher layer protocol, and in some cases even when it is supplied by IPsec itself.
The work described in this paper was partly supported by the European Commission under contract IST-2002-507932 (ECRYPT). An extended version is available [25].
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-540-34547-3_36
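The abstract does not reproduce the paper's attacks, and none are reconstructed here. The following added example (not code from Paterson and Yau) shows only the general property of unauthenticated CBC that every "encryption-only" ESP configuration inherits: with an explicit, unauthenticated IV, flipping bits in the IV flips the same bits in the first plaintext block (the inner IP header in tunnel mode) without garbling anything; flipping bits in a later ciphertext block changes the following plaintext block at the cost of garbling one; and an ICV check rejects both. The block cipher is a stand-in Feistel network built from HMAC-SHA256 (an assumption used in place of the AES-CBC of RFC 3602, since the effect depends only on the mode), and the keys, IV and inner packet are constructed.

```python
"""CBC malleability behind "encryption-only" ESP.

Added illustration, not code from the paper. The block cipher is a 4-round
Feistel network with HMAC-SHA256 round functions, used here as a stand-in
for AES-CBC (RFC 3602): CBC malleability depends only on the mode, so the
effect is the same with AES. Keys, IV and the inner packet are constructed.
"""
import hashlib
import hmac

BLOCK = 16
ICV_LEN = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function (any PRF will do for a Luby-Rackoff cipher).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "ESP pads to the block size before encrypting"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))  # P_i = D(C_i) XOR C_{i-1}
        prev = blk
    return b"".join(out)


# ESP-style layout: explicit IV || CBC ciphertext [|| ICV]

def esp_encrypt_only(enc_key: bytes, iv: bytes, inner: bytes) -> bytes:
    """Encryption-only ESP: the IV travels in the clear and nothing is authenticated."""
    return iv + cbc_encrypt(enc_key, iv, inner)


def esp_decrypt_only(enc_key: bytes, pkt: bytes) -> bytes:
    return cbc_decrypt(enc_key, pkt[:BLOCK], pkt[BLOCK:])


def flip_bits(pkt: bytes, block_index: int, offset: int, mask: int) -> bytes:
    """XOR `mask` into byte `offset` of ciphertext block `block_index` (0 = the IV).

    CBC decryption XORs the same mask into byte `offset` of plaintext block
    `block_index + 1`. Flipping the IV garbles nothing; flipping a real
    ciphertext block also turns that block's own plaintext into garbage.
    """
    b = bytearray(pkt)
    b[block_index * BLOCK + offset] ^= mask
    return bytes(b)


def esp_encrypt_auth(enc_key: bytes, auth_key: bytes, iv: bytes, inner: bytes) -> bytes:
    """ESP with integrity: a truncated HMAC-SHA256 ICV over IV || ciphertext."""
    body = esp_encrypt_only(enc_key, iv, inner)
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_decrypt_auth(enc_key: bytes, auth_key: bytes, pkt: bytes):
    """Return the inner packet, or None when the ICV fails (the packet is dropped)."""
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return esp_decrypt_only(enc_key, body)


# Constructed inner packet: a 20-byte IPv4 header (TTL at offset 8, protocol
# at offset 9 = 6/TCP, checksum field not computed) plus 12 bytes of payload.
INNER = bytes.fromhex("45000028abcd0000" "4006000a0a000001" "0a00000200501f90" "0000000100000000")
ENC_KEY = b"k" * 16      # constructed
AUTH_KEY = b"a" * 16     # constructed
IV = bytes(range(16))    # constructed
PROTO_OFFSET = 9


if __name__ == "__main__":
    pkt = esp_encrypt_only(ENC_KEY, IV, INNER)
    # Change the protocol byte (6 -> 1) by flipping the IV: the header decrypts cleanly.
    pt = esp_decrypt_only(ENC_KEY, flip_bits(pkt, 0, PROTO_OFFSET, 6 ^ 1))
    print("protocol after IV flip:", pt[PROTO_OFFSET],
          "rest intact:", pt[:PROTO_OFFSET] + pt[PROTO_OFFSET + 1:] == INNER[:PROTO_OFFSET] + INNER[PROTO_OFFSET + 1:])
    apkt = esp_encrypt_auth(ENC_KEY, AUTH_KEY, IV, INNER)
    print("same flip with an ICV:", esp_decrypt_auth(ENC_KEY, AUTH_KEY, flip_bits(apkt, 0, PROTO_OFFSET, 6 ^ 1)))
```

Run the file directly to see the tampered header decrypt with only the targeted byte changed, and the same tampering rejected once an ICV is present. The point for a practitioner is the first case: the IV is the one ciphertext "block" whose modification costs the attacker nothing, which is why the first plaintext block needs integrity protection as much as any other.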
References
[1] Atkinson, R.: IP Encapsulating Security Payload (ESP). RFC 1827 (August 1995)
[2] Baker, F.: Requirements for IPv4 Routers. RFC 1812 (June 1995)
[3] Bellare, M., Kohno, T., Namprempre, C.: Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM TISSEC 7(2), 206–241 (2004)
[4] Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
[5] Bellare, M., Rogaway, P.: Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000)
[6] Bellovin, S.: Problem Areas for the IP Security Protocols. In: Proceedings of the Sixth USENIX UNIX Security Symposium, San Jose, CA, pp. 1–16 (July 1996)
[7] Borisov, N., Goldberg, I., Wagner, D.: Intercepting Mobile Communications: The Insecurity of 802.11. In: Proc. MOBICOM 2001, pp. 180–189. ACM Press, New York (2001)
[8] Canvel, B., Hiltgen, A.P., Vaudenay, S., Vuagnoux, M.: Password Interception in a SSL/TLS Channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003)
[9] Doraswamy, N., Harkins, D.: IPsec: The New Security Standard for the Internet, Intranets and Virtual Private Networks, 2nd edn. Prentice Hall PTR, Englewood Cliffs (2003)
[10] Ferguson, N., Schneier, B.: A cryptographic evaluation of IPsec. Unpublished manuscript, available from: http://www.schneier.com/paper-ipsec.html
[11] Frankel, S., Glenn, R., Kelly, S.: The AES-CBC Cipher Algorithm and Its Use with IPsec. RFC 3602 (September 2003)
[12] Frankel, S., Kent, K., Lewkowski, R., Orebaugh, A.D., Ritchey, R.W., Sharma, S.R.: Guide to IPsec VPNs. NIST Special Publication 800-77 (Draft) (January 2005)
[13] Harkins, D., Carrel, D.: The Internet Key Exchange (IKE). RFC 2409 (November 1998)
[14] Katz, J., Yung, M.: Unforgeable encryption and chosen ciphertext secure modes of operation. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 284–299. Springer, Heidelberg (2001)
[15] Kent, S., Atkinson, R.: Security Architecture for the Internet Protocol. RFC 2401 (November 1998)
[16] Kent, S., Atkinson, R.: IP Encapsulating Security Payload (ESP). RFC 2406 (November 1998)
[17] Kent, S., Seo, K.: Security Architecture for the Internet Protocol. RFC 4301 (obsoletes RFC 2401) (December 2005)
[18] Kent, S.: IP Encapsulating Security Payload (ESP). RFC 4303 (obsoletes RFC 2406) (December 2005)
[19] Krawczyk, H.: The Order of Encryption and Authentication for Protecting Communications (Or: How Secure Is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)
[20] Postel, J.: Internet Protocol. RFC 791 (September 1981)
[21] Madson, C., Doraswamy, N.: The ESP DES-CBC Cipher Algorithm With Explicit IV. RFC 2405 (November 1998)
[22] McCubbin, C.B., Selcuk, A.A., Sidhu, D.: Initialization vector attacks on the IPsec protocol suite. In: WETICE 2000, pp. 171–175. IEEE Computer Society, Los Alamitos (2000)
[23] Nguyen, P.Q.: Can we trust cryptographic software? Cryptographic flaws in GNU Privacy Guard v1.2.3. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 555–570. Springer, Heidelberg (2004)
[24] NISCC Vulnerability Advisory IPSEC - 004033 (9th May 2005), available from: http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en
[25] Paterson, K.G., Yau, A.K.L.: Cryptography in Theory and Practice: The Case of Encryption in IPsec. Extended version of this paper, available from: http://eprint.iacr.org/2005/416
[26] Pereira, R., Adams, R.: The ESP CBC-Mode Cipher Algorithms. RFC 2451 (November 1998)
[27] Postel, J.: Internet Control Message Protocol. RFC 792 (September 1981)
[28] Stubblebine, S., Gligor, V.: On Message Integrity in Cryptographic Protocols. In: Proc. IEEE Symposium on Security and Privacy, pp. 85–104 (May 1992)
[29] Vaudenay, S.: Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002)
[30] Yu, T., Hartman, S., Raeburn, K.: The perils of unauthenticated encryption: Kerberos version 4. In: Proc. NDSS. The Internet Society (2004)
© 2006 Springer-Verlag Berlin Heidelberg
Paterson, K.G., Yau, A.K.L. (2006). Cryptography in Theory and Practice: The Case of Encryption in IPsec. In: Vaudenay, S. (eds) Advances in Cryptology - EUROCRYPT 2006. EUROCRYPT 2006. Lecture Notes in Computer Science, vol 4004. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11761679_2
DOI: https://doi.org/10.1007/11761679_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34546-6
Online ISBN: 978-3-540-34547-3