On the (in)security of IPsec in MAC-then-encrypt configurations

Authors:
Jean Paul Degabriele;Kenneth G. Paterson
Affiliations:
Royal Holloway, University of London, Egham, United Kingdom;Royal Holloway, University of London, Egham, United Kingdom
Venue:
Proceedings of the 17th ACM conference on Computer and communications security
Year:
2010

Citing 10
Cited 3

The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)

CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS ...

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm

ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Network Security Essentials: Applications and Standards (3rd Edition)

Network Security Essentials: Applications and Standards (3rd Edition)
Attacking the IPsec Standards in Encryption-only Configurations

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Analysis of the SSL 3.0 protocol

WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
Problem areas for the IP security protocols

SSYM'96 Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6
Authentication without Elision: Partially Specified Protocols, Associated Data, and Cryptographic Models Described by Code

CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Plaintext-Dependent decryption: a formal security treatment of SSH-CTR

EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
Cryptography in theory and practice: the case of encryption in IPsec

EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques

Composition theorems without pre-established session identifiers

Proceedings of the 18th ACM conference on Computer and communications security
How to break XML encryption

Proceedings of the 18th ACM conference on Computer and communications security
Authenticated-Encryption with padding: a formal security treatment

Cryptography and Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

IPsec allows a huge amount of flexibility in the ways in which its component cryptographic mechanisms can be combined to build a secure communications service. This may be good for supporting different security requirements but is potentially bad for security. We demonstrate the reality of this by describing efficient, plaintext-recovering attacks against all configurations of IPsec in which integrity protection is applied {\em prior} to encryption -- so-called MAC-then-encrypt configurations. We report on the implementation of our attacks against a specific IPsec implementation, and reflect on the implications of our attacks for real-world IPsec deployments as well as for theoretical cryptography.