Attacking the IPv6 Privacy Extension

Presentation from our paper at RAID 2015

Published in: Internet

  1. Privacy is Not an Option: Attacking the IPv6 Privacy Extension. Johanna Ullrich, Edgar Weippl, SBA Research, Vienna, Austria
  2. Motivation
       • Correlation of a person's different activities on the Internet
       • General strategies fail for address-based correlation
       • Address-based correlation heavily depends on the protocol
  3. IPv6 Addressing and the Modified EUI-64 Format
  4. IPv6 Addressing and the Privacy Extension
  5. Security Analysis of the Privacy Extension
  6. Attack Design: Predictability of Future Identifiers
       • Infer interface identifier in modified EUI-64 format
       • Concatenation of history value with this interface identifier
       • MD5 digest calculation
       • Extraction of first 64 bits for temporary interface identifier
       • Extraction of remainder bits for next history value
     An adversary aware of a victim's history value and MAC address is able to compute all future interface identifiers!
  7. Attack Design: Synchronization to the Current State
  8. Attack Scenario
  9. Feasibility
       • Minimum number of address observations,
       • Time expenditure for brute-forcing,
       • and storage capacity to save the candidate set for the next day.
  10. Feasibility: Number of Address Observations
      With $p$ being the ratio of rejected candidates per day, the size of the candidate set $C_t$ on day $t$ is
      $|C_t| = 2^{64} \cdot (1 - p)^t$ (1)
      Eve has to repeat the reduction step until a single candidate remains, i.e., $|C_t| = 1$. Thus, the minimum number of days $T_{min}$ is
      $T_{min} = \left\lceil \frac{\log(2^{64})}{\log(p - 1)} \right\rceil$ (2)
  11. Feasibility: Time Expenditure for Brute-Forcing
      Assuming a hash rate $r$, the total time $T_{Brute}$ for brute-forcing is
      $T_{Brute} = \frac{1}{r} \sum_{i=0}^{T_{min}} |C_i| = \frac{2^{64}}{r} \sum_{i=0}^{T_{min}} (1 - p)^i$ (3)
      Bounding the equation allows an estimation of the total time for brute-forcing
      $T_{Brute} < \frac{2^{64}}{r} \sum_{i=0}^{\infty} (1 - p)^i = \frac{2^{64}}{r} \cdot \frac{1}{p}$ (4)
  12. Feasibility: Storage of Candidate Set
      History values are 8 bytes long, and the storage demand $S_t$ depends on the size of the candidate set
      $S_t = |C_t| \cdot 8\ \text{byte} = 2^{64} \cdot (1 - p)^t \cdot 8\ \text{byte}$ (5)
  13. Feasibility: Storage of Candidate Set
      History values are 8 bytes long, and the storage demand $S_t$ depends on the size of the candidate set
      $S_t = |C_t| \cdot 8\ \text{byte} = 2^{64} \cdot (1 - p)^t \cdot 8\ \text{byte}$ (5)
      Alternative: retroactively performed attack
  14. Operating Systems: Temporary Address Characteristics
       • Deterministic sequence,
       • Time invariance,
       • Prefix invariance,
       • Restart invariance, and
       • MAC variance.
  15. Operating Systems: Results
      [Table: rows Windows 8, Ubuntu 14.10, Mac OS 10.10; columns Deterministic Sequence, Time Invariance, Prefix Invariance, Restart Invariance, MAC Variance]
  16. Mitigation: Changes to the Current Specification
  17. Mitigation: Changes to the Current Specification
      Alternative: Randomly Assigned Numbers
  18. Conclusion
       • The presented attack questions the privacy extension's capability of protection.
           ◦ An adversary that is aware of the internal state is able to predict future interface identifiers.
           ◦ An adversary can synchronize to this internal state by observing the victim.
       • Proper mitigation within current definitions appears impractical, and revision is necessary.
       • Operating systems are less vulnerable than originally assumed due to silently disobeying the standard.
  19. Thank you! Questions? Johanna Ullrich, SBA Research, Vienna, Austria, jullrich@sba-research.org
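
The identifier generation steps listed on slide 6, written out as an added Python example (not code from the slides or the paper) to show that the sequence depends only on the history value and the MAC address. It follows the RFC 4941 algorithm; clearing the universal/local bit comes from the RFC rather than the slide, the function names are hypothetical, and the MAC address and history value are constructed samples. `random_iid` sketches the randomly assigned alternative named on the mitigation slide.

```python
import hashlib
import os


def modified_eui64(mac):
    """Interface identifier in modified EUI-64 format from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, insert ff:fe between the two halves.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def next_temporary_iid(history, eui64):
    """One iteration: returns (temporary identifier, next history value)."""
    if len(history) != 8 or len(eui64) != 8:
        raise ValueError("history value and identifier must be 8 bytes each")
    digest = hashlib.md5(history + eui64).digest()
    # First 64 bits become the identifier; RFC 4941 also clears the
    # universal/local bit (detail from the RFC, not on the slide).
    # The RFC's check against reserved identifiers is omitted here.
    iid = bytes([digest[0] & 0xFD]) + digest[1:8]
    return iid, digest[8:]  # remaining 64 bits: next history value


def temporary_iids(history, mac, count):
    """The next `count` identifiers; depends only on (history, MAC)."""
    eui64 = modified_eui64(mac)
    iids = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, eui64)
        iids.append(iid)
    return iids


def random_iid():
    """Mitigation alternative: fresh randomness, no state carried over."""
    raw = os.urandom(8)
    return bytes([raw[0] & 0xFD]) + raw[1:]


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                      # constructed sample MAC
    history = bytes.fromhex("0123456789abcdef")    # constructed history value
    first_run = temporary_iids(history, mac, 3)
    second_run = temporary_iids(history, mac, 3)   # same state, same output
    for iid in first_run:
        print(iid.hex(":", 2))
    print("deterministic:", first_run == second_run)
    print("random alternative:", random_iid().hex(":", 2))
```
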