Privacy is Not an Option: Attacking the IPv6 Privacy Extension
Johanna Ullrich, Edgar Weippl
SBA Research, Vienna, Austria

Attacking the IPv6 Privacy Extension



Motivation

• Correlation of a person’s different activities on the Internet

• General strategies fail for address-based correlation

• Address-based correlation heavily depends on the protocol


IPv6 Addressing and the Modified EUI-64 Format


IPv6 Addressing and the Privacy Extension


Security Analysis of the Privacy Extension


Attack Design: Predictability of Future Identifiers

• Infer interface identifier in modified EUI-64 format

• Concatenation of history value with this interface identifier

• MD5 digest calculation

• Extraction of first 64 bits for temporary interface identifier

• Extraction of remainder bits for next history value

An adversary aware of a victim’s history value and MAC address is able to compute all future interface identifiers!
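The generation steps listed above, written out as an added example (not code from the slides or the authors). It follows the RFC 4941 algorithm the bullets describe; the function names, the sample history value and the MAC address are constructed for illustration, and `random_iid` sketches the randomly assigned alternative named on the mitigation slide.

```python
import hashlib
import secrets

def modified_eui64(mac: str) -> bytes:
    """48-bit MAC address -> interface identifier in modified EUI-64 format."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Invert the universal/local bit and insert ff:fe between the two halves.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def clear_u_bit(iid: bytes) -> bytes:
    # RFC 4941 sets bit 6 of the identifier to zero ("local significance").
    return bytes([iid[0] & 0xFD]) + iid[1:]

def next_temporary_iid(history: bytes, eui64: bytes):
    """One iteration; returns (temporary identifier, next history value)."""
    if len(history) != 8 or len(eui64) != 8:
        raise ValueError("history value and identifier must be 64 bits each")
    digest = hashlib.md5(history + eui64).digest()
    return clear_u_bit(digest[:8]), digest[8:]

def iid_sequence(history: bytes, mac: str, count: int) -> list:
    """Identifiers produced over `count` regeneration intervals."""
    eui64 = modified_eui64(mac)
    out = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, eui64)
        out.append(iid)
    return out

def random_iid() -> bytes:
    """Randomly assigned identifier: CSPRNG output, no state carried forward."""
    return clear_u_bit(secrets.token_bytes(8))

def fmt(iid: bytes) -> str:
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))

if __name__ == "__main__":
    # Constructed sample state, not taken from any real host.
    history, mac = bytes.fromhex("0123456789abcdef"), "00:11:22:33:44:55"
    host = iid_sequence(history, mac, 3)
    replay = iid_sequence(history, mac, 3)  # same state, computed elsewhere
    for a, b in zip(host, replay):
        print(fmt(a), fmt(b), "match" if a == b else "differ")
    print("random:", fmt(random_iid()), fmt(random_iid()))
```

The two columns always match because nothing but the history value and the MAC address enters the computation; the random identifiers have no such shared state.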


Attack Design: Synchronization to the Current State


Attack Scenario


Feasibility

• Minimum number of address observations,

• Time expenditure for brute-forcing,

• and storage capacity to save the candidate set for the next day.


Feasibility: Number of Address Observations

With p being the ratio of rejected candidates per day, the size of the candidate set $C_t$ on day t is

$$|C_t| = 2^{64} \cdot (1-p)^t \qquad (1)$$

Eve has to repeat the reduction step until a single candidate remains, i.e., $|C_t| = 1$. Thus, the minimum number of days $T_{min}$ is

$$T_{min} = \left\lceil \frac{\log(2^{64})}{\log(p-1)} \right\rceil \qquad (2)$$


Feasibility: Time Expenditure for Brute-Forcing

Assuming a hash rate r, the total time $T_{Brute}$ for brute-forcing is

$$T_{Brute} = \frac{1}{r} \sum_{i=0}^{T_{min}} |C_i| = \frac{2^{64}}{r} \sum_{i=0}^{T_{min}} (1-p)^i \qquad (3)$$

Bounding the equation allows an estimation of the total time for brute-forcing

$$T_{Brute} < \frac{2^{64}}{r} \sum_{i=0}^{\infty} (1-p)^i = \frac{2^{64}}{r} \cdot \frac{1}{p} \qquad (4)$$


Feasibility: Storage of Candidate Set

History values are 8 bytes in size, and the storage demand $S_t$ depends on the size of the candidate set

$$S_t = |C_t| \cdot 8\ \text{byte} = 2^{64} \cdot (1-p)^t \cdot 8\ \text{byte} \qquad (5)$$


Alternative: retroactively performed attack


Operating Systems: Temporary Address Characteristics

• Deterministic sequence,

• Time invariance,

• Prefix invariance,

• Restart invariance, and

• MAC variance.


Operating Systems: Results

| Operating system | Deterministic Sequence | Time-Invariance | Prefix-Invariance | Restart-Invariance | MAC-Variance |
|---|---|---|---|---|---|
| Windows 8 | ✓ | ✓ | ✓ | ✗ | ✓ |
| Ubuntu 14.10 | ✗ | | | | |
| Mac OS 10.10 | ✗ | | | | |


Mitigation: Changes to the Current Specification


Alternative: Randomly Assigned Numbers


Conclusion

• The presented attack questions the privacy extension’s capability of protection.

◦ An adversary that is aware of the internal state is able to predict future interface identifiers.

◦ An adversary can synchronize to this internal state by observing the victim.

• Proper mitigation within current definitions appears impractical, and revision is necessary.

• Operating systems are less vulnerable than originally assumed due to silently disobeying the standard.


Thank you!

Questions?

Johanna Ullrich
SBA Research, Vienna, Austria
