On the (in)security of IPsec in MAC-then-encrypt configurations

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 493-504

  Degabriele, Jean Paul ^a   Paterson, Kenneth G ^a  

^a UNIVERSITY OF LONDON   (United Kingdom)

Author keywords

AH; ESP; Fragmentation; IPsec; MAC then encrypt; Traffic flow confidentiality

Indexed keywords

AH; ESP; FRAGMENTATION; IPSEC; MAC-THEN-ENCRYPT; TRAFFIC FLOW;

CRYPTOGRAPHY; TRAFFIC SURVEYS;

NETWORK SECURITY;

EID: 78650015837     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866307.1866363     Document Type: Conference Paper

References (23)

1. S. Bellovin, "Problem Areas for the IP Security Protocols." In Proceedings of the Sixth Usenix Unix Security Symposium, pp. 1-16, San Jose, CA, July 1996.
2. M. Bellare and C. Namprempre, "Authenticated Encryption: Relations Among Notions and Analysis of the Generic Composition Paradigm." In T. Okamoto, ed., Asiacrypt 2000, LNCS Vol. 1976, Springer, 2000, pp. 531-545.
3. R. Braden, editor, "Requirements for Internet Hosts - Communication Layers", RFC 1122, Oct. 1989.
4. B. Canvel, A.P. Hiltgen, S. Vaudenay and M. Vuagnoux, "Password Interception in a SSL/TLS Channel." In D. Boneh (ed.), CRYPTO 2003, LNCS Vol. 2729, Springer, 2003, pp. 583-599.
5. J.P. Degabriele and K.G. Paterson, "Attacking the IPsec Standards in Encryption-only Configurations." In IEEE Symposium on Privacy and Security, IEEE Computer Society, 2007, pp. 335-349.
6. N. Ferguson and B. Schneier, "A Cryptographic Evaluation of IPsec", 2003. Available from http://www.schneier.com/paper-ipsec.pdf
7. N. Ferguson, B. Schneier and T. Kohno. Cryptography Engineering. John Wiley & Sons, 2010.
8. R. Housely, "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, Jan. 2004.
9. C. Kaufman, editor, "Internet Key Exchange (IKEv2) Protocol", RFC 4306, Dec. 2005.
10. S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, Nov. 1998.
11. S. Kent and R. Atkinson, "IP Authentication Header", RFC 2402 (obsoletes RFC 1826), Nov. 1998.
12. S. Kent and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, Nov. 1998.
13. S. Kent and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301 (obsoletes RFC 2401), Dec. 2005.
14. S. Kent, "IP Authentication Header", RFC 4302 (obsoletes RFC 2402), Dec. 2005.
15. S. Kent, "IP Encapsulating Security Payload (ESP)", RFC 4303 (obsoletes RFC 2406), Dec. 2005.
16. H. Krawczyk. The Order of Encryption and Authentication for Protecting Communications (or: How Secure is SSL?). In J. Kilian, ed., CRYPTO 2001, LNCS Vol. 2139, Springer, 2001, pp. 310-331.
17. V. Manral, "Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)", RFC 4835, April 2007.
18. K.G. Paterson and A.K.L. Yau, "Cryptography in Theory and Practice: The Case of Encryption in IPsec." In S. Vaudenay (ed.), EUROCRYPT 2006, LNCS Vol. 4004, Springer, 2006, pp. 12-29.
19. K.G. Paterson and G.J. Watson, "Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR." In H. Gilbert (ed.), EUROCRYPT 2010, LNCS Vol. 6110, Springer 2010, pp. 345-361. Full version available from http://eprint.iacr.org/2010/095.
20. P. Rogaway and T. Stegers, "Authentication without Elision: Partially Specified Protocols, Associated Data, and Cryptographic Models Described by Code." In CSF 2009, IEEE Computer Society, pp. 26-39.
21. W. Stallings. Network Security Essentials: Applications and Standards, 3rd edition. Pearson Education, 2008.
22. S. Vaudenay, "Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS..." In L.R. Knudsen (ed.), EUROCRYPT 2002, LNCS Vol. 2332, Springer, 2002, pp. 534-545.
23. D. Wagner and B. Schneier, "Analysis of the SSL 3.0 Protocol." In The Second USENIX Workshop on Electronic Commerce, USENIX press, 1996.