Community discussions

MikroTik App
 
R1CH
Forum Veteran
Forum Veteran
Topic Author
Posts: 921
Joined: Sun Oct 01, 2006 11:44 pm

Winbox "secure mode" host verification

Sun Apr 23, 2017 11:39 pm

How does winbox "secure mode" authenticate the target RouterOS host? The wiki claims it uses TLS but I've never seen it prompt to accept a certificate or show a key fingerprint or similar. This seems like it would be vulnerable to a MITM attack on an unsecure network, kind of defeating the description of "secure mode".
 
andriys
Forum Guru
Forum Guru
Posts: 1344
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox "secure mode" host verification

Mon Apr 24, 2017 10:44 am

This seems like it would be vulnerable to a MITM attack on an unsecure network.
I guess it definitely would.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24550
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox "secure mode" host verification

Mon Apr 24, 2017 10:47 am

As the manual says also, "Keys exchanged using DH-1984, encryption using modified and hardened RC4-drop3072".
Just that it doesn't ask you to do this, doesn't mean it doesn't happen.
No answer to your question? How to write posts
 
andriys
Forum Guru
Forum Guru
Posts: 1344
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox "secure mode" host verification

Mon Apr 24, 2017 11:05 am

Just that it doesn't ask you to do this, doesn't mean it doesn't happen.
What exactly does or doesn't happen? Please check the following list out:
  1. Session traffic encryption - happens (using modified and hardened RC4-drop3072)
  2. Session key exchange - happens (via Diffie Hellman exchange using a (non-standard???) DH group DH-1984)
  3. Server identity validation - does not happen
So, while WinBox session encryption does provide some protection against a passive eavesdropping, it does not in any way protects you from the MITM-style attacks.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24550
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox "secure mode" host verification

Mon Apr 24, 2017 11:11 am

Yes, you have outlined the current mechanism accurately.
No answer to your question? How to write posts
 
R1CH
Forum Veteran
Forum Veteran
Topic Author
Posts: 921
Joined: Sun Oct 01, 2006 11:44 pm

Re: Winbox "secure mode" host verification

Mon Apr 24, 2017 6:43 pm

Are there any plans to modernize this so it can be safely used over the internet or other untrusted networks?
  • RC4 is broken and should be replaced with AES or another modern cipher.
  • No mention of HMAC algorithm? Is one even used?
  • I found no references to whatever "DH-1984" is, this should be replaced with a 2048 bit unique prime generated on install.
  • Add host verification.
I'm not sure this even qualifies as TLS - it feels like home-made crypto which is very bad.
 
andriys
Forum Guru
Forum Guru
Posts: 1344
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox "secure mode" host verification

Mon Apr 24, 2017 7:26 pm

  • No mention of HMAC algorithm? Is one even used?
HMAC is usually only involved in the host verification procedure. No host verification- no HMAC needed/used. Just guessing.
  • I found no references to whatever "DH-1984" is, this should be replaced with a 2048 bit unique prime generated on install.
Generated on install? How is that supposed to be used then? Are you sure you are not mixing DH group and host key up?
 
R1CH
Forum Veteran
Forum Veteran
Topic Author
Posts: 921
Joined: Sun Oct 01, 2006 11:44 pm

Re: Winbox "secure mode" host verification

Mon Apr 24, 2017 11:29 pm

A HMAC is needed for authenticated encryption, otherwise there is no way to detect ciphertext modification with block ciphers like RC4 in common modes. A MITM could alter the ciphertext without knowing the corresponding input or output plaintext, potentially resulting in security consequences depending on the commands being sent (see https://security.stackexchange.com/ques ... /2206#2206).

DH groups have a pre-computed prime field which is used for DH key negotiation. By using common or weak groups it opens the window for mass computation attacks that would compromise all devices using the same primes (see https://weakdh.org/). Generating a 2048 bit unique prime (DH parameters) at install makes mass computation pointless. Of course the host keys should also be generated at install time too!

This whole thing stinks of homemade crypto which likely hasn't passed any kind of audit from a cryptographer. Get some real TLS in here!
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24550
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox "secure mode" host verification

Tue Apr 25, 2017 9:27 am

RC4 is broken and should be replaced
That's why I said "hardened". It is not broken as the standard RC4 is. It is a custom variant.
No answer to your question? How to write posts
 
andriys
Forum Guru
Forum Guru
Posts: 1344
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Winbox "secure mode" host verification

Tue Apr 25, 2017 11:23 am

A HMAC is needed for authenticated encryption, otherwise there is no way to detect ciphertext modification with block ciphers like RC4 in common modes.
Yep, I see your point. You're right here.
DH groups have a pre-computed prime field which is used for DH key negotiation. By using common or weak groups it opens the window for mass computation attacks that would compromise all devices using the same primes (see https://weakdh.org/). Generating a 2048 bit unique prime (DH parameters) at install makes mass computation pointless.
DH group is not a secret, but rather a common knowledge- both sides of the secure connection are supposed to use the same prime+generator pair (DH group) in their key exchange computations. Generating a unique prime on install is rather pointless, and making sure it is cryptographically good enough is almost impossible during install.

But I must agree that using a custom (not independently validated) DH group is not good and should be avoided.
 
R1CH
Forum Veteran
Forum Veteran
Topic Author
Posts: 921
Joined: Sun Oct 01, 2006 11:44 pm

Re: Winbox "secure mode" host verification

Tue Apr 25, 2017 4:16 pm

RC4 is broken and should be replaced
That's why I said "hardened". It is not broken as the standard RC4 is. It is a custom variant.
There is only one page of Google results for whatever "RC4 drop3072" is. You say it's a custom variant, has it been designed or reviewed by a cryptographer? Why are there no academic papers on it? More importantly, why is Mikrotik designing their own crypto instead of using well tested and secure industry standards like TLS?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24550
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox "secure mode" host verification

Wed Apr 26, 2017 8:58 am

Wikipedia describes this in the section "Fluhrer, Mantin and Shamir attack"

http://www.wikiwand.com/en/RC4#/Fluhrer ... mir_attack
Protocols can defend against this attack by discarding the initial portion of the keystream. Such a modified algorithm is traditionally called "RC4-drop[n]", where n is the number of initial keystream bytes that are dropped. The SCAN default is n = 768 bytes, but a conservative value would be n = 3072 bytes.
We use RC4 because it is much faster when used without hardware acceleration.

Direct source: http://www.users.zetnet.co.uk/hopwood/c ... l#RC4-drop
No answer to your question? How to write posts
 
R1CH
Forum Veteran
Forum Veteran
Topic Author
Posts: 921
Joined: Sun Oct 01, 2006 11:44 pm

Re: Winbox "secure mode" host verification

Fri Apr 28, 2017 4:46 pm

OK, so that protects from one attack from 2001. What about all the other attacks on RC4 on the wiki page you linked, some as recent as 2015? The cipher is just broken at this point. As evidenced by the recent CIA leaks, nation states are interested in the security of Mikrotik devices so it makes no sense to continue using ciphers that are known to be breakable.

If performance is a concern, look into Chacha20-poly1305, it's not only secure but more performant than RC4.
 
Azma
newbie
Posts: 40
Joined: Sat Sep 27, 2014 8:10 am

Re: Winbox "secure mode" host verification

Tue May 02, 2017 7:07 am

Hi All,

i just tried to check self signed ssl using https://cryptoreport.geotrust.com/checker/ for the web service was running on my MikroTik RB750 6.39 and found this vulnerabilities:
RC4: Enabled
Vulnerabilities checked: BEAST
should this vulnerabilities be fixed? i'm waiting for it.

thanks.
 
jarda
Forum Guru
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Re: Winbox "secure mode" host verification

Tue May 02, 2017 9:23 am

Does "checked" mean "failed"?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24550
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox "secure mode" host verification

Tue May 02, 2017 9:26 am

Does "checked" mean "failed"?
Exactly the opposite. The above mentioned site lists the vulnerabilities it checked and passed. FAIL would be indicated clearly.
No answer to your question? How to write posts
 
jarda
Forum Guru
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Re: Winbox "secure mode" host verification

Tue May 02, 2017 9:35 am

Therefore I asked....

Who is online

Users browsing this forum: chris72, eworm, Shqipalb and 72 guests