15

If I am a remote user, connecting to my firm from home, using IPSec VPN tunnel or through SSL, and an attacker is intercepting all of my traffic, will he be able to watch my VPN session on the clear (he is there before the IKE phases and all of the exchanges). And will it differ on SSL and IPSec?

[MY Firm]--->[My Firm's Firewall]--->[Internet]--->[Attacker]<---[Me]

Franko
  • 1,530
  • 5
  • 18
  • 30

1 Answers1

24

The cryptography involved in the VPN is designed precisely to keep your data safe even in the situation of an attacker who can intercept all traffic; the best an attacker could do in that situation is to disrupt traffic (namely, cutting off the wires).

Both SSL, and IPsec-with-IKE, use cryptography in proper ways, so there should be no qualitative difference between the two.

A few points are noteworthy:

  • Both SSL and IPsec (in the "handshake" and "IKE", respectively) rely on certificates to make sure that they use the "right" public key (the key of the peer). So the safety of the certification authority that you trust is paramount (these correspond to the "root certificates" aka "trust anchors"). If a CA is corrupted by the attacker, then he can emit fake certificates and, through interception, build a successful Man-in-the-Middle attack.

  • The crypto is sound, but you still have to deal with implementations. Implementations can have exploitable bugs, leading to leak of confidential data or even downright buffer overflows and the like. Most SSL and IPsec implementations have suffered from this. The usual rules of keeping the systems fully up-to-date and patched apply here.

  • Side-channel attacks are attacks which try to take advantage of data unwillingly leaked by implementations; in the case of a VPN over the Internet, the main leakage channel would be time: the attacker might try to deduce things on the involved cryptographic keys based on the average time taken to perform some computations. SSL is the protocol which has been most often used to demonstrate side-channel attacks, so good implementations of SSL are now aware of what they must do to avoid such leakage. While side-channel attacks may apply to both SSL and IPsec, I would personally trust slightly more a random SSL implementation than a random IPsec implementation to have included the necessary protections, just because of that tradition of using SSL as main example.

  • In all cases, the attacker will be able to observe the amount of data exchanged over the VPN. That observation may be a bit blurred because of padding, depending on the used symmetric cipher. Nevertheless, the attacker will be able to deduce things such as the exact time at which you read your emails, and also the individual size of each email, and other similar information. This is traffic analysis. This may or may not be a problem in your particular situation.

  • If the mighty attacker is really after you, specifically, he will steal your laptop and/or break into your house and plant a keylogger on it, at which point the VPN protection disappears.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • I'm not sure the VPN protection necessarily disappears just because of a keylogger. This will depend on the authentication mechanism used by the VPN. The attacker may also need to capture cryptography keys which could be stored offline (i.e.: Smart Card), or serial numbers and/or token codes from OTP generators (i.e.: RSA SecurID). Depending on where those devices are kept, physical access to the machine does not necessarily grant the attacker access to these resources. – Iszi Jan 06 '12 at 15:07
  • @Iszi: if the attacker runs a keylogger, he can capture much more than keys. E.g., if you write a document with Word, the keylogger will record all the text you enter -- nevermind cracking passwords, the keylogger yields the sensitive data directly. We tend to think about password of keys because they are highly valuable target (keys _concentrate_ secrecy), but that does not mean that keys are the _only_ targets. – Thomas Pornin Jan 06 '12 at 15:35
  • @ThomasPornin - While I would agree that a RSA SecureID does not help when somebody is a victim of a MiTM attack. A Smart Card which provides the certificate would be much harder to get. If there are OTP generators, or digital certification cards, then what you point out is valid. – Ramhound Jan 06 '12 at 16:03