Hmm, it is interesting if caches would be implemented or not and, more
specifically, how big they would need to be but, just for a second, let's
assume they would be implemented. I'm thinking about the following attack on
any sort of server where a MASS like scheme checks if signatures are valid.
I'm trying to think about the caching properties of the signing credentials
- obviously the selection of the namespace of the things that sign (as
opposed to the namespace of the identities in the email system) has a big
impact on how they cache.
Consider an attacker that harvested say 10^4 email address from the
cisco.com domain. The attacker then generated 10^4 fake emails from each of
these users and sent them to 10^3 email lists. This attack could be done in
a few minutes from a compromised typical web server. If each of these lists
multiplied to 10^3 different people and I make the big assumption that these
lists were well chosen on different topics such that only 10% of the people
only were on more than one of the lists.
This leads to 10^4*10^3*10^3*0.1 = 10^9 hits on the server over a few
minutes. This may be no big deal, it is only a magnification of 100 over the
attackers requests. However, any magnification at all is concerning.
Does anyone have an idea what sort of rate of hits happens when a server
gets "slash dotted"? Clearly many servers can't survive that yet many can.
This attack makes me wonder if we want to consider schemes where one of two
things happen:
1) signing keys are per domain instead of per user so they cache easier
2) the signing public keys, and some way to trace back the chain of trust,
is carried with the message
Perhaps there are other ways to deal with this issue or perhaps it is not a
problem at all.
Cullen
On 10/22/04 9:04 AM, "Cullen Jennings" <fluffy(_at_)cisco(_dot_)com> wrote:
in section 9.1.1 an attack is considered where all the email addresses are
spoofed and sent to many locations to cause an DOS attack on the key server.
I have been thinking about this a bit, and given the magnification of
mailing lists, it seems this might be a practical attack.
Say there were a bunch of list servers that did not check signatures. The
attacker sends a message that is spoofed from flufffy(_at_)cisco(_dot_)com to
say a
10^3 lists that magnifies it to say 10^6 messages which all result in a hit
to the cisco.com KRS.
I'm not sure if this is a problem or not, perhaps they will skew enough to
smooth out over a reasonable time. Perhaps the keys users on the lists will
correlate enough that caching ends up significantly reducing the hits to the
KRS.
Thoughts?