Security gaps identified in Internet protocol 'IPsec'

                                                                                       

Materials provided by Ruhr-University Bochum

In collaboration with colleagues from Opole University in Poland, researchers at Horst Görtz Institute for IT Security (HGI) at Ruhr-Universität Bochum (RUB) have demonstrated that the Internet protocol "IPsec" is vulnerable to attacks. The Internet Key Exchange protocol "IKEv1," which is part of the protocol family, has vulnerabilities that enable potential attackers to interfere with the communication process and intercept specific information.

The research results are published by Dennis Felsch, Martin Grothe and Prof Dr Jörg Schwenk from the Chair for Network and Data Security at RUB as well as Adam Czubak and Marcin Szymanek from Opole University on 16 August 2018 at the Usenix Security Symposium.

Secure and encrypted communication

As an enhancement of Internet protocol (IP), "IPsec" has been developed to ensure cryptographically secure communication via publicly accessible resp. insecure networks, such as the Internet, by using encryption and authentication mechanisms. This type of communication is often relevant for enterprises whose employees operate from decentralised workplaces -- for example as sales reps or from home office -- and have to access company resources. The protocol can, moreover, be utilised to set up virtual private networks, or VPNs.

In order to enable an encrypted connection with "IPsec," both parties must authenticate and define shared keys that are necessary for communication. Automated key management and authentication, for example via passwords or digital signatures, can be conducted via the Internet Key Exchange protocol "IKEv1."

"Even though the protocol is considered obsolete and a newer version, namely IKEv2, has been long available in the market, we see in real-life applications that it is still being implemented in operating systems and still enjoys great popularity, even on newer devices," explains Dennis Felsch. But it is precisely this protocol that has vulnerabilities, as the researchers found out during their analysis.

Bleichenbacher's attack successful

In the course of their project, the researchers attacked the encryption-based logon mode of "IPsec" by deploying the so-called Bleichenbacher's attack, which had been invented in 1998. Its principle is: errors are deliberately incorporated into an encoded message, which is then repeatedly sent to a server. Based on the server's replies to the corrupted message, an attacker can gradually draw better and better conclusions about the encrypted contents.

"Thus, the attacker approaches the target step by step until he reaches his goal," says Martin Grothe and adds: "It is like a tunnel with two ends. It's enough if one of the two parties is vulnerable. Eventually, the vulnerability permits the attacker to interfere with the communication process, to assume the identity of one of the communication partners, and to actively commit data theft."

Bleichenbacher's attack proved effective against the hardware of four network equipment providers. The affected parties were Clavister, Zyxel, Cisco, and Huawei. All four manufacturers have been notified and have now eliminated the security gaps.

Passwords under scrutiny

In addition to the encryption-base logon mode, the researchers have also been looking into password-based login. "Authentication via passwords is carried out with hash values, which are similar to a fingerprint. During our attack, we demonstrated that both IKEv1 and the current IKEv2 present vulnerabilities and may be easily attacked -- especially if the password is weak. Accordingly, a highly complex password provides the best protection if IPsec is deployed in this mode," concludes Martin Grothe. The vulnerability was also communicated to the Computer Emergency Response Team (CERT), as it coordinates the response to actual IT security incidents and provided assistance to the researchers as they notified the industry about the vulnerability.

All-clear for users and network equipment providers

The identified Bleichenbacher vulnerability is not a bug in the standard but rather an implementation error that can be avoided -- it all depends on how manufacturers integrate the protocol in their devices. Moreover, the attacker has to enter the network first, before he can do anything. Nevertheless, the researchers' successful attack has demonstrated that established protocols such as "IPsec" still include the Bleichenbacher gap that makes them potentially vulnerable to attack.

 

Blood test may identify gestational diabetes risk in first trimester, NIH study indicates

Early screening could allow for lifestyle changes before condition develops

 

Source of Information: NIH/Eunice Kennedy Shriver National Institute of Child Health and Human Development

A blood test conducted as early as the 10th week of pregnancy may help identify women at risk for gestational diabetes, a pregnancy-related condition that poses potentially serious health risks for mothers and infants, according to researchers at the National Institutes of Health and other institutions. The study appears in Scientific Reports.

Gestational diabetes occurs only in pregnancy and results when the level of blood sugar, or glucose, rises too high. Gestational diabetes increases the mother's chances for high blood pressure disorders of pregnancy and the need for cesarean delivery, and the risk for cardiovascular disease and type 2 diabetes later in life. For infants, gestational diabetes increases the risk for large birth size. Unless they have a known risk factor, such as obesity, women typically are screened for gestational diabetes between 24 and 28 weeks of pregnancy.

In the current study, researchers evaluated whether the HbA1c test (also called the A1C test), commonly used to diagnose type 2 diabetes, could identify signs of gestational diabetes in the first trimester of pregnancy. The test approximates the average blood glucose levels over the previous 2 or 3 months, based on the amount of glucose that has accumulated on the surface of red blood cells. According to the authors, comparatively few studies have examined whether the HbA1c test could help identify the risk for gestational diabetes, and these studies have been limited to women already at high risk for the condition. The test is not currently recommended to diagnose gestational diabetes at any point in pregnancy.

The researchers analyzed records from the NICHD Fetal Growth Study, a large observational study that recruited more than 2,000 low-risk pregnant women from 12 U.S. clinical sites between 2009 and 2013. The researchers compared HbA1c test results from 107 women who later developed gestational diabetes to test results from 214 women who did not develop the condition. Most of the women had tests at four intervals during pregnancy: early (weeks 8-13), middle (weeks 16-22 and 24-29) and late (weeks 34-37).

Women who went on to develop gestational diabetes had higher HbA1c levels (an average of 5.3 percent), compared to those without gestational diabetes (an average HbA1c level of 5.1 percent). Each .1 percent increase in HbA1c above 5.1 percent in early pregnancy was associated with a 22-percent higher risk for gestational diabetes.

In middle pregnancy, HbA1c levels declined for both groups. However, HbA1c levels increased in the final third of pregnancy, which is consistent with the decrease in sensitivity to insulin that often occurs during this time period.

"Our results suggest that the HbA1C test potentially could help identify women at risk for gestational diabetes early in pregnancy, when lifestyle changes may be more effective in reducing their risk," said the study's senior author, Cuilin Zhang, Ph.D., of the Epidemiology Branch at NIH's Eunice Kennedy Shriver National Institute of Child Health and Human Development.

Exercise and a healthy diet may lower blood glucose levels during pregnancy. If these measures are not successful, physicians may prescribe insulin to bring blood glucose under control.

The authors noted that further studies are needed to confirm whether measuring HbA1c levels in early pregnancy could determine a woman's later risk for gestational diabetes. Similarly, research is needed to determine whether lowering HbA1c with lifestyle changes, either in early pregnancy or before pregnancy, could reduce the risk for the condition.