English

Off-Path Hacking: The Illusion of Challenge-Response Authentication

Cryptography and Security 2013-05-07 v1

Abstract

Everyone is concerned about the Internet security, yet most traffic is not cryptographically protected. The usual justification is that most attackers are only off-path and cannot intercept traffic; hence, challenge-response mechanisms suffice to ensure authenticity. Usually, the challenges re-use existing `unpredictable' header fields to protect widely-deployed protocols such as TCP and DNS. We argue that this practice may often only give an illusion of security. We present recent off-path TCP injection and DNS poisoning attacks, enabling attackers to circumvent existing challenge-response defenses. Both TCP and DNS attacks are non-trivial, yet very efficient and practical. The attacks foil widely deployed security mechanisms, such as the Same Origin Policy, and allow a wide range of exploits, e.g., long-term caching of malicious objects and scripts. We hope that this article will motivate adoption of cryptographic mechanisms such as SSL/TLS, IPsec and DNSSEC, and of correct, secure challenge-response mechanisms.

Keywords

Cite

@article{arxiv.1305.0854,
  title  = {Off-Path Hacking: The Illusion of Challenge-Response Authentication},
  author = {Yossi Gilad and Amir Herzberg and Haya Shulman},
  journal= {arXiv preprint arXiv:1305.0854},
  year   = {2013}
}
R2 v1 2026-06-22T00:11:20.062Z