Subject: Re: Kerberos: telnet to Solaris -> Bad encryption type
To: None <pavel.cahyna@st.cuni.cz>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 10/02/2005 11:42:29
On Sun, Oct 02, 2005 at 04:00:52PM +0200, Pavel Cahyna wrote:
> On Tue, 27 Sep 2005 09:14:31 -0400, Steven M. Bellovin wrote:
> 
> Hello,
> 
> > Lack of integrity-checking in a crypto protocol is indeed serious.  For 
> > telnet, it's slightly worse for CFB than for CBC, but both are 
> > seriously flawed against replay attacks.
> 
> Is this flaw a problem in practice? If the connection data are encrypted
> with a secret key, how can an attacker replace them with different data
> without producing just uncontrollable garbage?

This was the typical naive point of view of most smart people who weren't
cryptographers when these protocols were designed about 20 years ago.  We
were wrong.

For a trivial example, think about a network tunnel that's encrypted with
a stream cipher.  You can flip bits in the ciphertext in a programmatic
way and be pretty sure you'll eventually change the addresses of some of
the packets to send them to a destination other than the original intended
one -- even if you *aren't* smart about where a packet starts, and in
practice it's very easy to be smart about that.

For an example of a much more sophisticated attack allowing the insertion
of arbitrary data in CBC-encrypted conversations see the paper on the
compensation attack against SSHv1.  There are many related attacks against
protocols that naively use encryption when they wanted integrity protection.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."		- Noam Chomsky
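Thor's stream-cipher tunnel example, as an added illustration that is not part of this thread or of any real telnet/Kerberos code: a constructed packet (4-byte destination, then payload) is XORed with a toy SHA-256 counter-mode keystream (an assumed stand-in, not a real cipher). Flipping ciphertext bits at the known destination offset rewrites the address cleanly with the payload intact, and an HMAC over the ciphertext is what lets the receiver detect it.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (constructed for the demo): SHA-256 over key||nonce||counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher encrypt/decrypt: XOR with the keystream (its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Without the key, turn a known plaintext field `old` into `new` by XORing
    (old ^ new) into the ciphertext at `offset`; the rest decrypts unchanged."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def encrypt_with_mac(k_enc: bytes, k_mac: bytes, nonce: bytes, pt: bytes):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = stream_xor(k_enc, nonce, pt)
    return ct, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()


def decrypt_with_mac(k_enc: bytes, k_mac: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None if the ciphertext was modified in transit."""
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_xor(k_enc, nonce, ct)


def demo():
    k_enc, k_mac, nonce = b"K" * 32, b"M" * 32, b"\x00" * 8  # constructed keys
    old_dst, new_dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 99])
    ct, tag = encrypt_with_mac(k_enc, k_mac, nonce, old_dst + b"hello")
    tampered = flip_field(ct, 0, old_dst, new_dst)
    no_mac = stream_xor(k_enc, nonce, tampered)           # accepted, rerouted packet
    with_mac = decrypt_with_mac(k_enc, k_mac, nonce, tampered, tag)  # None: rejected
    return no_mac, with_mac
```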