Hi Folks --

I have a question about various scenarios for an attack against IPsec by way
of the random number generator. The people on the linux-ipsec mailing list
suggested I bring it up here.

Specifically: consider a central machine (call it Whitney) that is
implementing many IPsec tunnels. For me, this is a highly non-hypothetical
situation.

Step 1) Suppose some as-yet unknown person (the "applicant") contacts
Whitney and applies for an IPsec tunnel to be set up. The good part is that
at some point Whitney tries to authenticate the Diffie-Hellman exchange (in
conformance with RFC2409 section 5) and fails, because this applicant is an
attacker and is not on our list of people to whom we provide service. The
bad part is that Whitney has already gobbled up quite a few bits of entropy
from /dev/random before the slightest bit of authentication is attempted.

Step 2) The attacker endlessly iterates step 1. This is easy. AFAIK there
is no useful limit on how often new applications can be made. This quickly
exhausts the entropy pool on Whitney.

Step 3a) If Whitney is getting key material from /dev/random, the result is
a denial of service. All the IPsec tunnels will time out and will be
replaced slowly or not at all, because of the entropy shortage.

Step 3b) OTOH if Whitney is getting its key material from /dev/urandom
(that's urandom with a U), then we don't have a DoS attack, but instead we
have a situation where the attacker can mount a low-entropy attack against
any or all of the other tunnels. Yuuuuuuuck.

=============

There are variations on this theme. For instance, note that sshd is a
prodigious consumer of random bits. Therefore if your IPsec machine is
running sshd, bad guys have another way of mounting attacks against your
RNG. They don't even need to know a valid ssh key; failed ssh attempts
suck up plenty of entropy.

=============

I certainly hope these issues have been analyzed and brought under control.
Can somebody lend me a clue as to the status, and/or where I might read more
about it? If this list is not the optimal forum for discussing such
things, could somebody point me to a better one?

Thanx --- jsd
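As an added example (not from the post or the linux-ipsec list), a small Python model of steps 1 through 3a: Whitney's blocking pool refills slowly while unauthenticated applications drain it, compared with a responder that seeds a CSPRNG once at startup and draws per-handshake randomness from that generator. Pool size, draw size and rates are constructed values; that a well-seeded CSPRNG is not depleted by output consumption is an assumption stated in the code.

```python
# Added example, not from the post: a deterministic model of steps 1-3a.
# All sizes and rates below are constructed, not measured on any system.

POOL_CAPACITY = 4096   # bits; assumed size of the kernel input pool
DH_DRAW = 256          # bits one IKE handshake pulls before authenticating


class BlockingPool:
    """Model of /dev/random: harvest credits bits, draw() fails when short."""

    def __init__(self, harvest_per_tick):
        self.bits = POOL_CAPACITY
        self.harvest = harvest_per_tick

    def tick(self):
        self.bits = min(POOL_CAPACITY, self.bits + self.harvest)

    def draw(self, n):
        if self.bits < n:
            return False        # a real reader would block here (step 3a)
        self.bits -= n
        return True


def legit_rekey_success(policy, attacker_rate, legit_rate=1, harvest=512, ticks=100):
    """Fraction of legitimate rekeys that obtained key material.

    'pool-per-handshake': every application, including ones that will fail
        authentication, first draws DH_DRAW bits from the pool (step 1).
    'seeded-csprng': the pool is read once to seed a userspace CSPRNG and
        handshakes draw from it; assumed not depletable by output, so
        unauthenticated applications cannot starve the kernel pool.
    """
    pool = BlockingPool(harvest)
    if policy == 'seeded-csprng':
        assert pool.draw(DH_DRAW)           # one-time seed at startup
    ok = total = 0
    for _ in range(ticks):
        pool.tick()
        # worst case: the attacker's applications are serviced first each tick
        for _ in range(attacker_rate):
            if policy == 'pool-per-handshake':
                pool.draw(DH_DRAW)          # spent before authentication fails
        for _ in range(legit_rate):
            total += 1
            if policy == 'pool-per-handshake':
                ok += pool.draw(DH_DRAW)    # False means the rekey stalls
            else:
                ok += 1                     # generator never blocks
    return ok / total
```

With the defaults, eight hostile applications per tick against one legitimate rekey per tick leave the per-handshake responder servicing only the first two rekeys, while the seeded generator serves all of them.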