Saturday, May 15, 2004
Let's do something nasty. . .
Thinking about IPSec, I came up with a funny thought. What if you had a database of known keys on each host, of any size, and could use them at random? That'd be a hell of a thing to crack, right? Well here's the idea in a nutshell.
First, a quick header. Its fields are PSN, ESN, SourceAddr, DestAddr, Len and KEYSIG, followed by the encrypted data. Here's how each of them works in theory.
PSN is the PhysicalSequenceNumber, the number of the packet.
ESN is the EncryptionSequenceNumber. The packets are encrypted in a cascade: decrypting any one of them depends on having ALL of the packets before it and working forward from ESN 0.
SourceAddr and DestAddr are for routing. They tell where the packet came from and who it goes to. These are also critical.
Len gives a length. For our purposes it doesn't matter whether it means the length of the following data, the length of the whole packet, or something odd, as long as it gives us the last thing we need for routing.
Now, here's the fun part. KEYSIG identifies the key to be used for this packet's data; it is an index into a key database that has to be identical on each side. BUT! KEYSIG is itself encrypted with the key selected by the KEYSIG of [ESN]-1 AND THEN with the key selected by the KEYSIG of [ESN]-2 (it is sent in the clear for ESN 0, and encrypted with only ESN 0's key for ESN 1). So, if you miss the KEYSIG of any packet in the sequence, you're screwed. Period.
The rest of the data is encrypted first by the key identified by KEYSIG, then by the key for the KEYSIG of [ESN]-1 (just KEYSIG's key for ESN 0). So, with N keys in the database, an attacker who knows ALL of the keys but has lost the thread has N^2 candidate pairs of previous KEYSIGs to try just to recover a given packet's KEYSIG, and the data under it is wrapped in a further pair of keys. (With a database of a few hundred keys, N^2 is tens of thousands of trial decryptions, so in practice the scheme leans on the attacker being unable to tell a correct guess from a wrong one.) Missing the key for a KEYSIG? Your man-in-the-middle attack ends.
If your host doesn't have the key that a KEYSIG names, it can send back a packet requesting that key, protected using the KEYSIGs (and so the keys) from the ESN immediately preceding it. A question arises here: against a perfect man-in-the-middle, can we make this possible without letting the M-I-T-M fake such a request?
The idea here is that each host would have hundreds of keys acquired at different times. The cascading application of keys from the past two packets, one atop the other, together with the encryption of KEYSIG itself, means that once you miss a packet you cannot decrypt the rest of them (short of the guessing above), even if you possess ALL of the keys.
The KEYSIG for each packet should be completely random.
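To make the cascade concrete, here is a toy model of the scheme as described above, written for this page rather than taken from the post. It shows both sides of the exchange: a sender that wraps KEYSIG and data exactly per the rules above, a receiver that peels them in order, a second receiver that holds every key but dropped one packet and gets stuck, and an eavesdropper that tries the guessing the post counts as N^2. Everything not in the post is an assumption: the key database is derived from a fixed seed, the cipher is an HMAC-SHA256 keystream standing in for whatever real cipher would be used, KEYSIG is taken to be a 16-bit index, the sample messages are constructed, and the plaintext-recognition check used by the search is invented for the demo.

```python
"""Toy model of the cascading-KEYSIG scheme sketched above. Added example, not the
post's own code: key database, stand-in stream cipher and packet layout are assumed."""
import hashlib
import hmac
import os
import struct
from collections import namedtuple

def make_key_db(n, seed=b"demo"):
    """Deterministic stand-in for the identical key database held by both hosts."""
    return [hashlib.sha256(seed + struct.pack(">I", i)).digest() for i in range(n)]

def layer(key, esn, label, data):
    """Stand-in stream cipher: XOR with HMAC-SHA256(key, esn || offset || label). KEYSIG is
    random, so two layers of one packet may pick the same key; binding the keystream to the
    layer label keeps such layers from cancelling each other. Encrypt == decrypt."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack(">II", esn, off) + label, hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[off:off + 32], ks))
    return bytes(out)

# psn == esn here (no reordering modelled); keysig is a 16-bit index (assumed size)
Packet = namedtuple("Packet", "psn esn keysig data")

class Sender:
    def __init__(self, keydb):
        self.keydb, self.sigs = keydb, []  # sigs[esn] = KEYSIG index used for that ESN

    def send(self, plaintext):
        esn = len(self.sigs)
        k = int.from_bytes(os.urandom(2), "big") % len(self.keydb)  # random KEYSIG
        body = layer(self.keydb[k], esn, b"data0", plaintext)       # data: key[KEYSIG] first...
        sig = k.to_bytes(2, "big")                                  # KEYSIG: in the clear for ESN 0
        if esn >= 1:
            body = layer(self.keydb[self.sigs[-1]], esn, b"data1", body)  # ...then key[KEYSIG of ESN-1]
            sig = layer(self.keydb[self.sigs[-1]], esn, b"sig1", sig)     # KEYSIG by key[KEYSIG of ESN-1]
        if esn >= 2:
            sig = layer(self.keydb[self.sigs[-2]], esn, b"sig2", sig)     # ...AND THEN key[KEYSIG of ESN-2]
        self.sigs.append(k)
        return Packet(esn, esn, sig, body)

def unwrap(keydb, pkt, k1, k2):
    """Peel one packet given the KEYSIG indices of ESN-1 (k1) and ESN-2 (k2)."""
    esn, sig = pkt.esn, pkt.keysig
    if esn >= 2:
        sig = layer(keydb[k2], esn, b"sig2", sig)
    if esn >= 1:
        sig = layer(keydb[k1], esn, b"sig1", sig)
    k = int.from_bytes(sig, "big")
    if k >= len(keydb):
        raise ValueError("KEYSIG out of range: out of sync or tampered with")
    body = pkt.data
    if esn >= 1:
        body = layer(keydb[k1], esn, b"data1", body)
    return k, layer(keydb[k], esn, b"data0", body)

class Receiver:
    def __init__(self, keydb):
        self.keydb, self.sigs = keydb, {}  # esn -> KEYSIG index recovered so far

    def receive(self, pkt):
        e = pkt.esn
        k1 = self.sigs[e - 1] if e >= 1 else None  # KeyError here means we missed ESN-1
        k2 = self.sigs[e - 2] if e >= 2 else None
        self.sigs[e], plaintext = unwrap(self.keydb, pkt, k1, k2)
        return plaintext

def resync_by_search(keydb, pkt, k2, looks_right):
    """Eavesdropper with the whole key database who knows the KEYSIG of ESN-2 but missed ESN-1:
    try every candidate (N trials; N^2 if both were missed). looks_right is an assumed check."""
    for k1 in range(len(keydb)):
        try:
            k, pt = unwrap(keydb, pkt, k1, k2)
        except ValueError:
            continue
        if looks_right(pt):
            return k1, k, pt
    return None

def demo(n_keys=64, msgs=(b"hello", b"world", b"again")):
    keydb = make_key_db(n_keys)
    pkts = list(map(Sender(keydb).send, msgs))            # constructed sample traffic
    decoded = list(map(Receiver(keydb).receive, pkts))    # receiver that saw every packet
    lagging = Receiver(keydb)                             # holds every key, dropped packet 1
    lagging.receive(pkts[0])
    try:
        lagging.receive(pkts[2])
        stuck = False
    except KeyError:
        stuck = True                                      # cannot get past the missed KEYSIG
    printable = lambda pt: len(pt) > 0 and all(32 <= c < 127 for c in pt)
    found = resync_by_search(keydb, pkts[2], lagging.sigs[0], printable)
    return decoded, stuck, found
```

Running `demo()` shows the post's point first: the receiver that dropped packet 1 cannot unwrap packet 2's KEYSIG even though it holds every key. The last line then shows the cost of the guessing counted above: because KEYSIG is wrapped in only the two previous KEYSIGs, an eavesdropper who missed a single packet still knows the KEYSIG of ESN-2 and needs only N trials, not N^2, to get back in sync, provided it can recognise a correct decryption (here assumed to be printable text). The layer labels in the stand-in cipher are the other practical check worth noting: with a random KEYSIG, two layers of one packet can select the same key, and a cipher that does not separate the layers would have them cancel out.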