Introduction CGA for IPv6 CGA++ Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting Self-Certifying Address Generation and Verification Joppe Bos, Onur ¨ Ozen and Jean-Pierre Hubaux Ecole Polytechnique F´ ed´ erale de Lausanne 1 / 41
Introduction CGA for IPv6 CGA++ Outline 1 Introduction 2 CGA for IPv6 Outline Several Attacks Efficiency 3 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison 2 / 41
Introduction CGA for IPv6 CGA++ Problem outline Problem: The need for the nodes to be able to generate their own address and verify the ones from others without relying on any global trusted authority. Solution: Using self-certifying addresses, which allows hosts and domains to prove they have the address they claim to have regardless of a trusted third party or a public-key infrastructure (PKI). An Example: Cryptographically Generated Addresses (CGA) for Internet Protocol version 6 (IPv6) addresses. 3 / 41
Introduction CGA for IPv6 CGA++ Motivation The Impact CGA is used in Internet Protocol version 6 (IPv6) addresses. IPv6 is the next-generation Internet Protocol version designated as the successor to version 4, IPv4. CGA is used in Secure Neighbour Discovery Protocol for proof of adress ownership and dublicate address detection. What is missing? A more in-depth security/efficiency analysis of CGA. 4 / 41
Introduction CGA for IPv6 CGA++ Our Contribution A detailed security/efficiency analysis of CGA Security: Introduction of a security framework for CGA-like protocols. Efficiency: Estimation of the cost of address generation/verification and possible attacks. Investigation of several attack scenarios A new and more secure protocol is designed: CGA++ . Resistant against certain type of attacks which are possible against CGA. Better authentication. Less efficient (more later). 5 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency CGA Basics: The notion of a self-certifying name The public-key itself: 6 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency CGA Basics: The notion of a self-certifying name Or, for convenience the hash of the public-key The public-key itself: 6 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency CGA for IPv6 Hash2 SHA−1 Proposed by Aura at ISC 2003. Zero Zero Modifier Public Key Collision Subnet Prefix Count Introduces the so-called “hash extensions” which SHA−1 trades efficiency for security. Appeared in an RFC 3972 in Hash1 2005. u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 7 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency CGA for IPv6 Hash2 SHA−1 Zero Zero Modifier Public Key Collision Subnet Prefix Count SHA−1 Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 8 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 SHA−1 Zero Zero Modifier Public Key Collision Subnet Prefix Count 1 Set modifier to a random 128-bit value. SHA−1 Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 9 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 SHA−1 Zero Zero Modifier Public Key Collision Subnet Prefix Count 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK . SHA−1 Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 10 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 SHA−1 Zero Zero Modifier Public Key Collision Subnet Prefix Count 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK . 3 Execute SHA-1 algorithm. The leftmost 112 bits SHA−1 of the result are Hash2 . Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 11 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? SHA−1 1 Set modifier to a random 128-bit value. Zero Zero Modifier Public Key Collision 2 Concatenate the modifier and the encoded PK . Subnet Prefix Count 3 Execute SHA-1 algorithm. The leftmost 112 bits of the result are Hash2 . 4 Compare the 16 × Sec leftmost bits of Hash2 SHA−1 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 12 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? SHA−1 1 Set modifier to a random 128-bit value. Zero Zero Modifier Public Key 2 Concatenate the modifier and the encoded PK . Collision Subnet Prefix Count 3 Execute SHA-1 algorithm. The leftmost 112 bits of the result are Hash2 . 4 Compare the 16 × Sec leftmost bits of Hash2 SHA−1 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 13 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? SHA−1 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK . Zero Zero Modifier Public Key 3 Execute SHA-1 algorithm. The leftmost 112 bits Collision Subnet Prefix Count of the result are Hash2 . 4 Compare the 16 × Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step SHA−1 (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. Hash1 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 14 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? SHA−1 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK . 3 Execute SHA-1 algorithm. The leftmost 112 bits Zero Zero Modifier Public Key of the result are Hash2 . Collision Subnet Prefix Count 4 Compare the 16 × Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). SHA−1 5 Set the collision count to zero. 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. Hash1 7 Execute SHA-1 . The leftmost 64 bits of the result u,g are Hash1 . Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 15 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? 1 Set modifier to a random 128-bit value. SHA−1 2 Concatenate the modifier and the encoded PK . 3 Execute SHA-1 algorithm. The leftmost 112 bits of the result are Hash2 . Zero Zero 4 Compare the 16 × Sec leftmost bits of Hash2 Modifier Public Key Collision with 0. If they are all zero, continue with Step Subnet Prefix Count (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. SHA−1 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. 7 Execute SHA-1 . The leftmost 64 bits of the result Hash1 are Hash1 . 8 Form an interface identifier by setting u , g in u,g Sec 59 bits (3 bits) (2 bits) Hash1 both to 1 and the three leftmost bits to Sec . Subnet Prefix (64 bits) Interface ID (64 bits) 16 / 41
Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK . SHA−1 3 Execute SHA-1 algorithm. The leftmost 112 bits of the result are Hash2 . 4 Compare the 16 × Sec leftmost bits of Hash2 Zero Zero with 0. If they are all zero, continue with Step Modifier Public Key (5). Otherwise, increment the modifier and go Collision Subnet Prefix Count back to Step (2). 5 Set the collision count to zero. 6 Concatenate the modifier, subnet prefix, collision SHA−1 count and encoded PK values. 7 Execute SHA-1 . The leftmost 64 bits of the result are Hash1 . Hash1 8 Form an interface identifier by setting u , g in Hash1 both to 1 and the three leftmost bits to u,g Sec 59 bits Sec . (3 bits) (2 bits) 9 Concatenate the subnet prefix and interface identifier to form a 128-bit IPv6 address. Subnet Prefix (64 bits) Interface ID (64 bits) 17 / 41
Recommend
More recommend