What are authentication reflection attacks and Denial of Service (DoS) reflection attacks? How are they perpetrated, and how can we prevent them? In this article, we will discuss the authentication reflection attack and the Denial of Service (DoS) reflection attack in detail.
What is the authentication reflection attack?
When two hosts on a network use a challenge-response authentication system to authenticate each other, the first host sends a challenge to the second host. The second host sends a response back to the first host. The first host calculates the expected response in the same manner as the second host does. If the responses match, the second host is authenticated.
But, sometimes, the same protocol is used to authenticate hosts in either direction. That is, the same challenge-response protocol is used to authenticate either of the hosts. To authenticate any host, the first host encrypts the challenge C with encryption key K and sends E(K, C) to the second host.
But, as the same challenge-response authentication protocol is used in either direction, the second host can open another connection to the first host and send the same challenge E(K, C) to the first host. At this point, if the first host sends a response to that challenge to the second host, the second host can use the same response in the first connection and send it back to the first host. As a result, the second host will be able to fraudulently authenticate to the first host, though it is not authorized to do so. Attackers use this vulnerability to attack a system and steal data. This is called the authentication reflection attack.
How to prevent the authentication reflection attack?
With a few modifications to the authentication protocol, this vulnerability can be eliminated:
- The first host can include its identifier in the response to the second host. So, if the second host sends the same response back to the first host, the first host can easily identify that and reject the response.
- If the second host opens a second connection to the first host while the first connection from the first host to the second host is already open, the first host can delay its response to the second host over the second connection until the second host has finished responding to the first challenge over the first connection.
- We can also use different keys or protocols for the two directions.
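The first mitigation above, shown as an added example that is not part of the original article: a host verifies a response with and without the responder's identifier bound into it, and only the unbound variant accepts its own answer when it is reflected back. The `Host` class, the host names `A` and `B`, the key and the use of HMAC-SHA256 as the keyed response function (standing in for the page's encryption step) are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)  # constructed shared key K, demo only


def response(key, challenge, responder_id=b""):
    # Keyed response over the challenge (HMAC-SHA256, an assumption).
    # A non-empty responder_id binds the answer to the host that produced it.
    msg = bytes([len(responder_id)]) + responder_id + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


class Host:  # hypothetical model of one endpoint
    def __init__(self, name, key, bind_identity):
        self.name, self.key, self.bind = name, key, bind_identity
        self.pending = None

    def issue_challenge(self):
        self.pending = os.urandom(16)  # fresh challenge C
        return self.pending

    def answer(self, challenge):
        return response(self.key, challenge, self.name if self.bind else b"")

    def verify(self, peer_name, resp):
        if self.pending is None:
            return False
        expected = response(self.key, self.pending, peer_name if self.bind else b"")
        self.pending = None  # each challenge is single use
        return hmac.compare_digest(expected, resp)


def reflection_accepted(bind_identity):
    # A's own answer to its own challenge comes back on the first connection.
    a = Host(b"A", KEY, bind_identity)
    c = a.issue_challenge()    # connection 1: A challenges the peer
    reflected = a.answer(c)    # connection 2: A is handed C and answers it
    return a.verify(b"B", reflected)


def legitimate_accepted(bind_identity):
    a, b = Host(b"A", KEY, bind_identity), Host(b"B", KEY, bind_identity)
    return a.verify(b"B", b.answer(a.issue_challenge()))


if __name__ == "__main__":
    print("unbound:", reflection_accepted(False), "bound:", reflection_accepted(True))
```

With the identifier bound in, the reflected value was computed over `A` while the verifier expects a value computed over `B`, so the comparison fails even though both sides hold the same key.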