1、Report No. 40a Supplement toTechnical Report No. 40June 1998 on SecurityRequirementsfor Electronic BondingBetween Two TMNsPrepared byT1M1.5Working GrouponOAM&P Architecture,Interfaces and ProtocolsCommittee T1 is sponsored by the Alliance for Telecommunications Industry SolutionsAccredited by Americ
2、an National Standards InstituteCopyright 1998 by Alliance for Telecommunications IndustrySolutions All rights reserved.No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission of the publisher.Addenda to T1 Techni
3、cal Report No 40This document provides addenda to T1 TR 40 that reflect changes in ElectronicBonding security procedures well as some clarifications.Addendum 1Change to the syntax of the authenticatorTR 40 proposes to use a specific authenticator (defined in section 4.2 of the TR) tobe carried in th
4、e access control field of CMIP management operations PDUs. Inorder to conform with ANSI Standard T1.228 the “VisibleString” in theauthenticator is changed to “GraphicString”.Addendum 2Vulnerability of the authenticator and remedy1. BackgroundThis addendum describes a security weakness in the EB auth
5、enticator and providesa remedy.2. ProblemThe EB security authenticator consists of an Initialization Vector (IV) and a DESencrypted ASCII representation of GeneralizedTime, optionally followed by asequence number, as well as some other information not relevant to this discussion.The problem is first
6、 introduced assuming that no sequence number is used, then thecase that includes the sequence number is discussed.2.1 No sequence numberAn intruder can make copies of EB authenticators transmitted in the course of oneor more days on a given association. For each copy the intruder notes the timewhen
7、the authenticator has been transmitted and the ID of the encryption key. Onany subsequent day, while the same encryption key is used, the intruder can replay acaptured authenticator at the exact time of day when it was initially transmitted,with an appropriately designed IV as follows: For the initi
8、al authenticator the intruder knows the IV and the first 8 bytes of GeneralizedTime: YYYYMMDD (i.e., 4 bytes for the year, 2 for the month, and 2 for the day), therefore the intruderalso knows IV XOR YYYYMMDD (the exclusive OR of the IV and the first 8bytes of the GeneralizedTime that went into the
9、DES encryption in the first roundof the CBC mode). When the intruder replays the authenticator on dateYYYYMMDD the IV will be changed toIV=(IV XOR YYYYMMDD) XOR YYYYMMDDthis wayTECHNICAL REPORT NO. 40aIV XOR YYYYMMDD = IV XOR YYYYMMDDthus, the input into the first round of DES encryption is the same
10、 in both cases. Allcommunications after the first day the association is established, and for theduration of the usage of the key, are vulnerable to this attack.2.2 With sequence numberIf the sequence number is used the intruder can mount this attack only if the samekey is used across different asso
11、ciations. The intruder makes copies of all theauthenticators in the course of one association, noting the time, sequence number(deduced by counting messages) and key for each authenticator. The intruder canreplay an authenticator, with an IV constructed as in the previous case, during anew associati
12、on, at a time of day corresponding to the time of day of the originalauthenticator, and with a sequence number that matches the sequence number in thenew association. The intruder will then have to delete the next message in theassociation to avoid detection.3. SolutionThe encryption key shall be ch
13、anged at least once every 24 hours. Since the list ofkeys, that must be refreshed at least once a year, contains 1000 keys, this does notpose any problem.Addendum 3The use of the authenticator defined in TR 40The purpose of this addendum is to clarify an item in TR 40 that might bemisinterpreted by
14、users. This addendum does not modify in any way the proceduresand syntax provided in TR 40.TR 40 proposes to use a specific authenticator (defined in section 4.2 of the TR) tobe carried in the access control field of CMIP management operations PDUs. Theproposed syntax for the authenticator does not
15、replace the CMIP syntax for accesscontrol which remains EXTERNAL. When the authenticator is used, the CMIPaccess control field will contain a pointer (as specified in the ASN.1 definition ofEXTERNAL in X.208) to the authenticators syntax, as well as the authenticatorsvalue that conforms to that syntax.It is recommended that the abstract syntax be negotiated during the presentationcontext establishment.