Fw: Another DoS attack. - potantial CMS additon

["Todd Glassey @ GMT" <todd.glassey@xxxxxxxxxxxxx>]

Hi all,  the forwarded letter is regarding a denial of service attack mode
in IPsec negotiations. We also have similar issues in commercial transaction
processing with the same attack vector.

----- Original Message -----
From: Tamir Zegman <zegman@checkpoint.com>
To: ipsec <ipsec@lists.tislabs.com>; ipsra <ietf-ipsra@vpnc.org>
Sent: Thursday, October 28, 1999 01:40 AM
Subject: Another DoS attack.


> I'm posting this message to both mailing lists as this issue concerns
> them both.
>
> An attacker using either aggressive, main or base mode can send a
> certificate whose RSA public key consists of a long modulus (16384) and
> a non trivial exponent.

This is an interesting reazilzation that I believe may have real-world
consequences in the sucessfull operation of commercial PKI systems. The
issue is Denial of Service by flooding the exponetiation engine's input
queue with massive key structures and thus overloading the local processor.

> The responder will be left to do the exponentiation till hell freezes
> unless of course his implementation limits the length of public key
> signatures it is willing to verify.

In a number of the protocols we are working I would suggest that we should
also on address this by allowing a policy control of the maximum size of
expected key structures... this may be something to add to CMS before it
goes final. Also the TS protocol will need some sort of control to prevent
this abuse model.

> A similar attack can be mounted using DSA.
> This attack can be extended to other online protocols that use
> certificates in which the responder is asked to verify a public key
> signature.

anyone else see the light in this tunnel?

Todd