Paper 2013/623
Off-Path Hacking: The Illusion of Challenge-Response Authentication
Yossi Gilad, Amir Herzberg, and Haya Shulman
Abstract
Everyone is concerned about Internet security, yet most traffic is not cryptographically protected. Typical justification is that most attackers are off-path and cannot intercept traffic; hence, intuitively, challenge-response defenses should suffice to ensure authenticity. Often, the challenges re-use existing header fields to protect widely deployed protocols such as TCP and DNS. We argue that this practice may often give an illusion of security. We review recent off-path TCP injection and DNS poisoning attacks, enabling attackers to circumvent existing challenge-response defenses. Both TCP and DNS attacks are non-trivial, yet practical. The attacks foil widely deployed security mechanisms, and allow a wide range of exploits, such as long-term caching of malicious objects and scripts. We hope that this review article will help improve defenses against off-path attackers. In particular, we hope to motivate, when feasible, adoption of cryptographic mechanisms such as SSL/TLS, IPsec and DNSSEC, providing security even against stronger Man-in-the-Middle attackers.
Metadata
- Category: Cryptographic protocols
- Publication info: Published elsewhere. IEEE Security and Privacy Magazine
- Keywords: challenge-response defenses, cryptographic protocols, off-path attacks, DNS cache poisoning, TCP injections.
- Contact author(s): haya shulman @ gmail com
- History: 2013-09-28: received
- Short URL: https://ia.cr/2013/623
- License: CC BY
BibTeX
@misc{cryptoeprint:2013/623,
      author = {Yossi Gilad and Amir Herzberg and Haya Shulman},
      title = {Off-Path Hacking: The Illusion of Challenge-Response Authentication},
      howpublished = {Cryptology {ePrint} Archive, Paper 2013/623},
      year = {2013},
      url = {https://eprint.iacr.org/2013/623}
}