Cryptology ePrint Archive: Report 2013/623
Off-Path Hacking: The Illusion of Challenge-Response Authentication
Yossi Gilad and Amir Herzberg and Haya Shulman
Abstract: Everyone is concerned about Internet security, yet most
traffic is not cryptographically protected. Typical justification is that most
attackers are off-path and cannot intercept traffic; hence, intuitively,
challenge-response defenses should suffice to ensure authenticity. Often,
the challenges re-use existing header fields to protect widelydeployed
protocols such as TCP and DNS.
We argue that this practice may often give an illusion of security.
We review recent off-path TCP injection and DNS poisoning attacks,
enabling attackers to circumvent existing challenge-response defenses.
Both TCP and DNS attacks are non-trivial, yet practical. The attacks
foil widely deployed security mechanisms, and allow a wide range of
exploits, such as long-term caching of malicious objects and scripts.
We hope that this review article will help improve defenses against
off-path attackers. In particular, we hope to motivate, when feasible,
adoption of cryptographic mechanisms such as SSL/TLS, IPsec and
DNSSEC, providing security even against stronger Man-in-the-Middle
Category / Keywords: cryptographic protocols / challenge-response defenses, cryptographic protocols, off-path attacks, DNS cache poisoning, TCP injections.
Original Publication (in the same form): IEEE Security and Privacy Magazine
Date: received 26 Sep 2013
Contact author: haya shulman at gmail com
Available format(s): PDF | BibTeX Citation
Version: 20130928:175200 (All versions of this report)
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]