Bugtraq mailing list archives

preventing sequence number guessing

From: dawagner () phoenix Princeton EDU (David A. Wagner)
Date: Tue, 24 Jan 1995 23:40:37 -0500 (EST)


I'm certainly no security expert, but I had a fairly simple idea
for fixing the sequence number guessing vulnerability.  Hopefully
someone can tell me whether it's worthless or not.  Hunting season's
open -- shoot it down at will. :-)

When OS boots up, grab lots of entropy and use MD5 to hash it
into a 32 bit seed; initialize tcp_iss with it.  Now let the
kernel do its normal "increment tcp_iss a little for every new
connection and every couple of clock ticks" schtick as always.
I've only got one novel idea: instead of using tcp_iss directly
for the SYN everytime a new TCP/IP connection is opened, send
MD5(tcp_iss) [or maybe MD5(tcp_iss, time(NULL), ...)].

This implements a cryptographically strong random number generator
for the sequence numbers; then attackers would have to invert
MD5 to predict sequence numbers.  MD5 is quite fast (is it fast
enough?) and is completely exportable.  Code for MD5 is available
for anonymous ftp on ripem.msu.edu /pub/crypt/other/md5.zip.

To nitpick, tcp_iss should be a full 64 bit (or even larger :-)
data type; this is easy enough to change in the kernel: (right?)

unsigned long tcp_iss_a[2];

void increment_iss(void)
{
        if (++tcp_iss_a[1] == 0)
                tcp_iss_a[0]++;
}

[When tcp_iss is only a 32 bit int, the attacker could conceivably
predict the next sequence number with 2^32 MD5 calculations by
brute force inversion of MD5 -- while this threat is not worrisome
if tcp_iss cycles around in less than the time it takes for the
attacker to exhaustively invert MD5, 64 bits is really a better
solution, and doesn't cost ya anything.]

To nitpick, tcp_iss should be never be incremented by an even number.
[If it's incremented by 128, you effectively reduce tcp_iss from a
n bit data type to a n-7 bit data type, etc.]

To nitpick, grabbing enough entropy at bootup time isn't completely
trivial; but you can do it with a little effort by hashing in access
times on /dev/null, /dev/zero, /bin/ls, /bin/tcsh, ... and by hashing
things like the current time [though note: this is accessible to
everyone who can run uptime(1)].

This is similar to the suggestion Steve Bellovin suggested in his
ipext.ps paper, except MD5 is faster than DES, and exportable to
boot, and I added some obvious (to me -- which means they may be
questionable:-) details.

So, am I missing some important kernel feature which shoots this
all down?  Or is this actually a worthwhile technique?  [If it
is worthwhile, it seems like it'd be pretty easy to code -- but
I have no experience at kernel programming, so I haven't done it
myself. <sigh>]

-------------------------------------------------------------------------------
David Wagner                                             dawagner () princeton edu

Current thread:

Re: Recent troubles der Mouse (Jan 24)
- Re: Recent troubles Darren Reed (Jan 24)
- preventing sequence number guessing David A. Wagner (Jan 24)
  - Re: preventing sequence number guessing Darren Reed (Jan 24)
  - accpet(3n) under SOlaris 2.4 Jas (Jan 25)
    - Re: accpet(3n) under SOlaris 2.4 Casper Dik (Jan 25)
  - Re: preventing sequence number guessing Timothy Newsham (Jan 25)
    - IP Spoofing and Vendors' attitude Christopher Klaus (May 12)
    - Re: IP Spoofing and Vendors' attitude Oliver Friedrichs (Jan 25)
    - Re: IP Spoofing and Vendors' attitude Mark (Jan 26)
    - Re: preventing sequence number guessing David A. Wagner (Jan 25)
    - Re: preventing sequence number guessing Perry E. Metzger (Jan 25)
- <Possible follow-ups>
- Re: Recent troubles der Mouse (Jan 25)