next up previous
Next: The Specification Up: Analysis of the IP Previous: Analysis of the IP

Description of the Attacks

In Bellovin's scenario, secure communication is between hosts. Each pair of hosts shares a key, which is not changed between sessions. Each host has a number of users communicating with it, some of whom are honest and some of whom are actively trying to subvert the protocol. Cipher block chaining is used to encrypt packets, and IVs are sent in the clear. Each packet contains an unencrypted ESP header, containing an SPI (Security Parameter Index) which corresponds to a key shared between the hosts. SPIs and their corresponding keys are one-way, that is, if host A initiates contact with host B, it uses a different SPI than if host B initiates contact with host A. The encrypted portion of each packet contains headers that identify who sent the message and for whom it is intended. Depending upon the communication protocol used, different header formats may be used.

There are at least two ways in which a dishonest user could subvert the protocol:

1. He could pass off a message from himself as coming from an honest user U by appending a fake header H1, identifying the message as coming from U, to its beginning and giving it to the host on which U resides to encrypt. The host would prepend its own header H2 to the message and encrypt the whole thing. The dishonest user could then truncate the encrypted message at H1 and pass it off as a message with header H1, using the last block of the encrypted H2 as the IV. Bellovin describes a similar attack in [3].
2. If the intruder resides at host A, she could learn a message M1 intended for another user U at the same host A as follows. First she would need to find out the host B originating the message. She would take another message M2 from B to A intended for herself and remove its encrypted header EH2. She would then append the last portion M1' of M1 to EH2, so that the result is of the expected length. The host would then decrypt the entire message and return the decrypted M1' to the intruder. Part of M1' could be garbled, but thanks to the self-healing property of cipher block chaining, the remainder would be readable. Bellovin describes this attack in [3].
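Both attacks rest on one property of cipher block chaining: decrypting block i needs only the key, ciphertext block i and ciphertext block i-1, so a ciphertext that is truncated or spliced still decrypts block by block, with at most the first block garbled. The following Python example, added here and not part of the original paper or of Bellovin's work, makes that property concrete and shows the defender's remedy: an integrity check over IV and ciphertext (encrypt-then-MAC) rejects any truncated or spliced packet before decryption. The 16-byte Feistel block cipher is a constructed stand-in for the real cipher, and all keys, headers and payload blocks are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16   # block size in bytes
ROUNDS = 4   # Feistel rounds in the toy cipher


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Toy keyed round function (constructed for this example, not a real cipher).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: a 4-round Feistel network standing in for DES/AES."""
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: run the Feistel rounds backwards."""
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC mode: C_i = E(P_i XOR C_{i-1}), with C_0 = IV."""
    assert len(plaintext) % BLOCK == 0, "caller pads to a whole number of blocks"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC decryption: P_i = D(C_i) XOR C_{i-1}. Each block depends only on its
    predecessor, which is the self-healing property the attacks above exploit."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def decrypt_suffix(key: bytes, ciphertext: bytes, first_block: int) -> bytes:
    """Decrypt only blocks first_block.. of a ciphertext, using the preceding
    ciphertext block as IV. Because CBC is self-healing this yields exactly the
    corresponding plaintext suffix, which is why an unauthenticated ESP packet
    can be truncated at a header boundary without the receiver noticing."""
    new_iv = ciphertext[(first_block - 1) * BLOCK:first_block * BLOCK]
    return cbc_decrypt(key, new_iv, ciphertext[first_block * BLOCK:])


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag binds IV and ciphertext together."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv, ct, tag


def open_checked(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes):
    """Verify the tag before decrypting; return None for any truncated or spliced
    packet. This is the integrity protection the CBC-only ESP variant lacks."""
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return cbc_decrypt(enc_key, iv, ct)


if __name__ == "__main__":
    key, mac_key, iv = b"k" * 16, b"m" * 16, bytes(range(16))
    # Constructed packet: host header H2, user header H1, two payload blocks.
    pt = b"HOST-HDR:A->B".ljust(16) + b"USR-HDR:from-U".ljust(16) \
        + b"payload block 01" + b"payload block 02"
    iv, ct, tag = seal(key, mac_key, iv, pt)
    print("suffix from block 1 decrypts cleanly:", decrypt_suffix(key, ct, 1) == pt[16:])
    print("MAC rejects the truncated packet:",
          open_checked(key, mac_key, ct[:16], ct[16:], tag) is None)
```

Running the script shows the two sides of the property: `decrypt_suffix` recovers H1 and the payload without any garbling, while `open_checked` refuses the same truncated packet because its HMAC no longer matches. Replacing one ciphertext block with a block from an unrelated packet (the splicing in the second attack) garbles only the plaintext block that follows the splice, and is likewise rejected by the tag check.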

