tags:

views:

384

answers:

4
+1  Q: 

How to resist MITM and replay attacks when sending encrypted data?

Assuming I've securely exchanged keys with another computer (using Diffie-Hellman perhaps), here's my tentative solution:

packet number + encrypted data + message authentication code (MAC)

The packet number is an incrementally-increased number starting at 0. After that is the encrypted data itself, followed by a MAC of them both. If someone attempts a MITM attack, the MAC should fail to compute. If they attempt a replay attack, the recipient will notice it has already received that packet number.

Is there any flaw in my reasoning here?

A: 

You're not describing a man in the middle attack, but a replay attack.

With a MITM attack the key exchange is intercepted and you say that you already have exchanged keys securely - so it is not the problem.

Replay attacks are easy enough to mitigate against, you include a unique message ID and then check it for uniqueness on the receiving side. Generally each message has an expiry date and time so you don't need to keep an ever growing list of message IDs to validate.

blowdart  2009-05-03 20:28:29
Man-in-the-middle attacks aren't only performed to steal keys during their exchange; that's an overly-specific definition. Wikipedia defines it merely as any attack in which the intended originator and recipient are made to believe "they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker."
 2009-05-03 20:34:39
Yes but, if you have exchanged keys already then it doesn't matter who you connect through, just as long as the packets make it - no-one in the middle can decrypt (assuming public/private key)
blowdart  2009-05-03 20:37:02
But they can still intentionally corrupt the data, hence the need for the MAC.
 2009-05-03 20:39:10
That depends on the encryption mechanism, some simply won't decrypt because they already have checksums inside (for example most block based ciphers). However generally what happens if you include a message hash anyway, SHA256 for example, calculated after the encryption has happened.
blowdart  2009-05-03 20:41:25
(This of course being what a MAC is)
blowdart  2009-05-03 20:43:03
I've never heard of block ciphers containing checksums, is this the case with AES? Is it some sort of option that you can turn on or off? I'm specifically using the implementation that comes with the Botan C++ library.And yes, I know I could just calculate the hash myself and encrypt it with everything else, but I figured using the built-in MAC functions in my library would be better (at the very least, cleaner code).
 2009-05-03 20:49:11
Eeek, not most. Bad me. OK there are some "interesting" onces that do.If you're messing with AES take a look at Poly1305-AES as the MAC algorithm.
blowdart  2009-05-03 20:59:45
A: 

Your approach for protecting against replay attacks seems reasonable to me. You are essentially describing a method called timestamping. Your packet number is a "virtual time" that is used by the recipient to verify that the message was not sent before.

Ayman Hourieh  2009-05-03 20:43:20
+1  A: 

Assuming I've securely exchanged keys with another computer (using Diffie-Hellman perhaps)

This is where you face the biggest danger - if the man-in-the-middle manages to control the key exchange (for example, by establishing one key with the client and itself, and establishing another key with server and itself), then the MITM can decrypt (and re-encrypt) everything. Once you've established the secure key exchange, you should be invulnerable to the MITM attack. But the hard part is ensuring that the key exchange is truly secure.

Consult Practical Cryptography (or at Amazon) by Ferguson and Schneier for information about this.

Jonathan Leffler  2009-05-03 22:16:43
A: 

Once the keys have been exchanged then the data cannot be intercepted or spoofed by a third party. (Except when your packet # counter loops. Hypothetically packets from the old window could be replayed as being from the new window.) The solution to this problem is timestamping (as others have mentioned.) Again, though, this can be sabotaged if the attacker is able to compromise in some way the system time. (If they are a man in the middle, they could hypothetically imitate an NTP server and in that way modify a client's system time.)

What an eavesdropper COULD do however is to insert himself between the two parties and disrupt the channel. This would likely cause a new key exchange to occur which could be observed. In order to make key exchange truly secure, you must use 3rd party validation or a pre shared key which only the two communicators know.

ParoXoN  2009-05-11 02:42:56

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security