[471] in cryptography@c2.net mail archive
Re: How bad is this?
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Apr 2 15:12:40 1997
To: cryptography@c2.net
In-reply-to: Your message of "Wed, 02 Apr 1997 09:44:37 PST."
<199704021744.JAA11746@netcom7.netcom.com>
Reply-To: perry@piermont.com
Date: Wed, 02 Apr 1997 15:08:35 -0500
From: "Perry E. Metzger" <perry@piermont.com>

Mike Duvos writes:
> Mr. Moderator Writes:
>
> > [The problem is sequence number attacks. Using hashes instead of
> > conventional time based sequence numbers defends against this. You don't
> > want "random" sequence numbers -- you want separate spaces of sequences
> > for each socket. See RFC1948 by Steve Bellovin for details. --Perry]
>
> Just read the RFC. It certainly isn't an attack an unsophisticated user
> can easily perform.

Actually, given the fact that tools to automate the process have been
circulating in the cracker community, I'm not so sure about that.

> It seems the real problem here is a lack of authentication, and the fact
> that anyone can put any return address on their datagrams.

This is certainly a problem. However, as sequence number attacks can be
used to seize connections in progress, it is generally a good idea to
try to scramble the initial sequence numbers.

> Even with a brilliant hashing strategy for generating initial sequence
> numbers, those numbers are transmitted in the clear over possibly
> many insecure hops.

Yup. In general, the only cure here is IPSec.

> It would also seem a clever cryptographic hash would be the last thing
> you would want here, since random selection of initial sequence
> numbers would tend to negate their original function of protecting
> successive incarnations of a connection from each other.

Re-read 1948 more carefully. That issue is covered in the way it
proposes to use the hash.

Perry
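
Added example, not part of the original message or of RFC 1948: a sketch of the RFC's construction, ISN = M + F(localhost, localport, remotehost, remoteport), showing that one socket pair still sees clock-ordered sequence numbers across incarnations while each pair gets its own offset. The secret, the addresses and ports, and the use of HMAC-SHA-256 for F are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

MASK32 = 0xFFFFFFFF
SECRET = b"constructed-per-boot-secret"   # assumption: random per-host secret

def timer_m(t_us):
    """M in RFC 1948: 32-bit counter incremented every 4 microseconds."""
    return (t_us // 4) & MASK32

def offset_f(secret, laddr, lport, raddr, rport):
    """F(localhost, localport, remotehost, remoteport) as a 32-bit value.
    Assumption: HMAC-SHA-256 stands in for the hash over the
    connection id plus secret data that the RFC describes."""
    conn_id = (ipaddress.ip_address(laddr).packed + struct.pack("!H", lport)
               + ipaddress.ip_address(raddr).packed + struct.pack("!H", rport))
    digest = hmac.new(secret, conn_id, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]

def isn(secret, t_us, laddr, lport, raddr, rport):
    """ISN = M + F(...), reduced modulo 2**32."""
    return (timer_m(t_us) + offset_f(secret, laddr, lport, raddr, rport)) & MASK32

def seq_delta(earlier, later):
    """Distance from earlier to later in 32-bit sequence space."""
    return (later - earlier) & MASK32

def demo():
    # Constructed sample connections (documentation address ranges).
    server = ("192.0.2.10", 80)
    client_a = ("198.51.100.7", 40000)
    client_b = ("198.51.100.8", 40000)
    t0 = 1_000_000_000          # microseconds
    t1 = t0 + 500_000           # the same socket pair reused 0.5 s later
    a0 = isn(SECRET, t0, *server, *client_a)
    a1 = isn(SECRET, t1, *server, *client_a)
    b0 = isn(SECRET, t0, *server, *client_b)
    return {
        "same_pair_advance": seq_delta(a0, a1),   # clock ticks only
        "cross_pair_offset": seq_delta(a0, b0),   # depends on the secret
    }

if __name__ == "__main__":
    print(demo())
```

For a fixed socket pair F is constant, so the ISN advances exactly with the clock; across pairs the gap is F(b) - F(a), which an observer of one connection cannot compute without the secret.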