Cryptology ePrint Archive: Report 2007/125

Attacking the IPsec Standards in Encryption-only Configurations

Jean Paul Degabriele and Kenneth G. Paterson

Abstract: At Eurocrypt 2006, Paterson and Yau demonstrated how flaws in the Linux implementation of IPsec could be exploited to break encryption-only configurations of ESP, the IPsec encryption protocol. Their work highlighted the dangers of not using authenticated encryption in fielded systems, but did not constitute an attack on the actual IPsec standards themselves; in fact, the attacks of Paterson and Yau should be prevented by any standards-compliant IPsec implementation. In contrast, this paper describes new attacks which break any RFC-compliant implementation of IPsec making use of encryption-only ESP. The new attacks are both efficient and realistic: they are ciphertext-only and need only the capability to eavesdrop on ESP-encrypted traffic and to inject traffic into the network. The paper also reports our experiences in applying the attacks to a variety of implementations of IPsec, and reflects on what these experiences tell us about how security standards should be written so as to simplify the task of software developers.

Category / Keywords: applications / IPsec, integrity, encryption, ESP, standard.

Publication Info: Full version of a paper to appear at the 2007 IEEE Symposium on Security and Privacy

Date: received 3 Apr 2007, last revised 9 Aug 2007

Contact author: kenny paterson at rhul ac uk

Note: Minor update to Section 9.2.

Version: 20070809:154745
