attacking the ipv6 privacy extension

Post on 12-Apr-2017


Privacy is Not an Option: Attacking the IPv6 Privacy Extension

Johanna Ullrich, Edgar Weippl
SBA Research, Vienna, Austria

Motivation

• Correlation of a person’s different activities on the Internet

• General strategies fail for address-based correlation

• Address-based correlation heavily depends on the protocol

IPv6 Addressing and the Modified EUI-64 Format

IPv6 Addressing and the Privacy Extension

Security Analysis of the Privacy Extension

Attack Design: Predictability of Future Identifiers

• Infer interface identifier in modified EUI-64 format

• Concatenation of history value with this interface identifier

• MD5 digest calculation

• Extraction of first 64 bits for temporary interface identifier

• Extraction of remainder bits for next history value

An adversary aware of a victim’s history value and MAC address is able to compute all future interface identifiers!
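The generation steps listed above, as an added example that is not taken from the slides: a Python sketch of the MD5 chain next to the randomly assigned alternative the deck names under mitigation. The MAC address and history value are constructed sample values, and clearing bit 6 of the identifier follows RFC 4941 rather than anything stated on the slide.

```python
import hashlib
import secrets

def modified_eui64(mac: str) -> bytes:
    """Interface identifier in modified EUI-64 format for a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, insert ff:fe between the two halves.
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def next_temporary_iid(history: bytes, eui64_iid: bytes):
    """One iteration of the chain: returns (temporary IID, next history)."""
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history value and identifier must be 64 bits each")
    digest = hashlib.md5(history + eui64_iid).digest()
    # First 64 bits -> identifier. Clearing bit 6 follows RFC 4941; the
    # RFC's check against reserved identifiers is omitted here.
    temp_iid = bytes([digest[0] & 0xFD]) + digest[1:8]
    return temp_iid, digest[8:]  # remainder -> next history value

def chained_sequence(history: bytes, mac: str, n: int):
    """n successive identifiers; fully determined by (history, mac)."""
    iid = modified_eui64(mac)
    out = []
    for _ in range(n):
        temp, history = next_temporary_iid(history, iid)
        out.append(temp)
    return out

def random_sequence(n: int):
    """Alternative: each identifier drawn independently from the OS CSPRNG."""
    out = []
    for _ in range(n):
        r = secrets.token_bytes(8)
        out.append(bytes([r[0] & 0xFD]) + r[1:])
    return out

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                    # constructed sample value
    history = bytes.fromhex("0123456789abcdef")  # constructed sample value
    host = chained_sequence(history, mac, 4)
    replay = chained_sequence(history, mac, 4)   # same state, other machine
    print("chained:", [i.hex() for i in host], "reproducible:", host == replay)
    print("random :", [i.hex() for i in random_sequence(4)])
```

The chained identifiers are reproducible from the 64-bit history value and the MAC address alone, which is the property the slide points at; the random variant keeps no state that links one identifier to the next.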

Attack Design: Synchronization to the Current State

Attack Scenario

Feasibility

• Minimum number of address observations,

• Time expenditure for brute-forcing,

• and storage capacity to save the candidate set for the next day.

Feasibility: Number of Address Observations

With $p$ being the ratio of rejected candidates per day, the size of the candidate set $C_t$ on day $t$ is

$$|C_t| = 2^{64} \cdot (1-p)^t \quad (1)$$

Eve has to repeat the reduction step until a single candidate remains, i.e., $|C_t| = 1$. Thus, the minimum number of days $T_{min}$ is

$$T_{min} = \left\lceil \frac{\log(2^{64})}{-\log(1-p)} \right\rceil \quad (2)$$

Feasibility: Time Expenditure for Brute-Forcing

Assuming a hash rate $r$, the total time $T_{Brute}$ for brute-forcing is

$$T_{Brute} = \frac{1}{r} \sum_{i=0}^{T_{min}} |C_i| = \frac{2^{64}}{r} \sum_{i=0}^{T_{min}} (1-p)^i \quad (3)$$

Bounding the equation allows an estimation of the total time for brute-forcing

$$T_{Brute} < \frac{2^{64}}{r} \sum_{i=0}^{\infty} (1-p)^i = \frac{2^{64}}{r} \cdot \frac{1}{p} \quad (4)$$

Feasibility: Storage of Candidate Set

History values are of 8 byte and the storage demand $S_t$ is dependent on the size of the candidate set

$$S_t = |C_t| \cdot 8\ \text{byte} = 2^{64} \cdot (1-p)^t \cdot 8\ \text{byte} \quad (5)$$

Alternative: retroactively performed attack

Operating Systems: Temporary Address Characteristics

• Deterministic sequence,

• Time invariance,

• Prefix invariance,

• Restart invariance, and

• MAC variance.

Operating Systems: Results

| Operating system | Deterministic Sequence | Time-Invariance | Prefix-Invariance | Restart-Invariance | MAC-Variance |
|---|---|---|---|---|---|
| Windows 8 | ✓ | ✓ | ✓ | ✗ | ✓ |
| Ubuntu 14.10 | ✗ | | | | |
| Mac OS 10.10 | ✗ | | | | |

Mitigation: Changes to the Current Specification

Alternative: Randomly Assigned Numbers

Conclusion

• The presented attack questions the privacy extension’s capability of protection.

◦ An adversary that is aware of the internal state is able to predict future interface identifiers.

◦ An adversary can synchronize to this internal state by observing the victim.

• Proper mitigation within current definitions appears impractical, and revision is necessary.

• Operating systems are less vulnerable than originally assumed due to silently disobeying the standard.

Thank you!

Questions?

Johanna Ullrich
SBA Research, Vienna, Austria
jullrich@sba-research.org
