Paper 2013/623

Off-Path Hacking: The Illusion of Challenge-Response Authentication

Yossi Gilad, Amir Herzberg, and Haya Shulman

Abstract

Everyone is concerned about Internet security, yet most traffic is not cryptographically protected. Typical justification is that most attackers are off-path and cannot intercept traffic; hence, intuitively, challenge-response defenses should suffice to ensure authenticity. Often, the challenges re-use existing header fields to protect widely deployed protocols such as TCP and DNS. We argue that this practice may often give an illusion of security. We review recent off-path TCP injection and DNS poisoning attacks, enabling attackers to circumvent existing challenge-response defenses. Both TCP and DNS attacks are non-trivial, yet practical. The attacks foil widely deployed security mechanisms, and allow a wide range of exploits, such as long-term caching of malicious objects and scripts. We hope that this review article will help improve defenses against off-path attackers. In particular, we hope to motivate, when feasible, adoption of cryptographic mechanisms such as SSL/TLS, IPsec and DNSSEC, providing security even against stronger Man-in-the-Middle attackers.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. IEEE Security and Privacy Magazine
Keywords
challenge-response defenses, cryptographic protocols, off-path attacks, DNS cache poisoning, TCP injections
Contact author(s)
haya shulman @ gmail com
History
2013-09-28: received
Short URL
https://ia.cr/2013/623
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/623,
      author = {Yossi Gilad and Amir Herzberg and Haya Shulman},
      title = {Off-Path Hacking: The Illusion of Challenge-Response Authentication},
      howpublished = {Cryptology ePrint Archive, Paper 2013/623},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/623}},
      url = {https://eprint.iacr.org/2013/623}
}