On the (In)Security of IPsec in MAC-Then-Encrypt Configurations
IPsec allows a huge amount of flexibility in the ways in which its component cryptographic mechanisms can be combined to build a secure communications service. This may be good for supporting different security requirements but is potentially bad for security. The authors demonstrate the reality of this by describing efficient, plaintext-recovering attacks against all configurations of IPsec in which integrity protection is applied prior to encryption (so-called MAC-then-encrypt configurations). They report on the implementation of the attacks against a specific IPsec implementation, and reflect on the implications of the attacks for real-world IPsec deployments as well as for theoretical cryptography.