1996-04-11 - Re: No matter where you go, there they are.
Header Data
From: “Peter Trei” <trei@process.com>
To: cypherpunks@toad.com
Message Hash: 828bf0d5f1652e3040553b0320c83a0b6f245f8a5d948ed63a1cde4135665b85
Message ID: <199604111412.HAA07137@toad.com>
Reply To: N/A
UTC Datetime: 1996-04-11 20:07:20 UTC
Raw Date: Fri, 12 Apr 1996 04:07:20 +0800
Raw message
From: "Peter Trei" <trei@process.com>
Date: Fri, 12 Apr 1996 04:07:20 +0800
To: cypherpunks@toad.com
Subject: Re: No matter where you go, there they are.
Message-ID: <199604111412.HAA07137@toad.com>
MIME-Version: 1.0
Content-Type: text/plain
Well, we've pretty throughly convinced ourselves that Denning's scheme can be
spoofed (I'm convinced, anyway.)
It's actually worse than useless - it's a substantial security breach.
To spoof being at a location, Mallory needs to know the location he is trying to spoof.
With S/A off (as I understand it is now), he need to know the location within a couple
meters, in three dimensions.
Such precise location data is usually difficult to obtain, without actually visiting the
site and recording the location using GPS. Mallory might be able to work out, for example,
the location of the desk in the Oval office to that precision by triangulation (though
setting up theodolites on Massachusetts Avenue may attract some attention :-)
However, I defy him to find the location of a specific PC in NSA headquarters, or in a
secured communications facility without actually visiting the desk
carrying a GPS receiver (which he won't be allowed to do, unless he's got a
damn good reason).
However, since the protocol requires that Alice send out location data, once
she starts using it she reveals her physical location to Eve, Mallory, and anyone ese
who can see the packets. Since the nature of the protocol is that Alice's location does
not change frequently (and needs to transmitted via a trusted channel to Bob when it
does), after the first usage Mallory *knows* the physical location he is trying to
simulate, and can use this information for future spoofing.
The upshot of this is that Denning's scheme not only provides no security against
spoofing, and leaks potentially sensitive data about locations.
If Sadaam Huissain (sp?) had used this scheme during the Gulf War, we'd have been
able to send a cruise missile directly to his keyboard.
[These flaws in the protocol seem so obvious that I can't help but wonder if we're
missing something - Dorothy isn't *that* stupid.]
Peter Trei
trei@Process.com
Thread
Return to April 1996
Return to ““Peter Trei” <trei@process.com>”
1996-04-11 (Fri, 12 Apr 1996 04:07:20 +0800) - Re: No matter where you go, there they are. - “Peter Trei” <trei@process.com>