Re: [babel] HMAC and DTLS cryptographic state can be maintained indefinitely
David Schinazi <dschinazi.ietf@gmail.com> Sun, 23 December 2018 11:18 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9542112D4F1 for <babel@ietfa.amsl.com>; Sun, 23 Dec 2018 03:18:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1FyHOQByzku8 for <babel@ietfa.amsl.com>; Sun, 23 Dec 2018 03:18:06 -0800 (PST)
Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F072E12958B for <babel@ietf.org>; Sun, 23 Dec 2018 03:18:05 -0800 (PST)
Received: by mail-pf1-x431.google.com with SMTP id b85so4691481pfc.3 for <babel@ietf.org>; Sun, 23 Dec 2018 03:18:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jl6AoOkBOQ8fU+sUE+EoZ1z3IVsF2Gu3Dv4ftchER/o=; b=jVFEH9mm7CtiNfe+0x1tnhqHsQGvhqX5GTi3tOMs0g4lcrP8kKNBuHWciGCP97Xgtd uLuWpajgmWbKeIFDfJVbbqQhCnTkv+rGydXMRCdmy60PY7yECegz8oaSskHlGrmv3Zl2 5ixx7wLqoZun4+yM3dTmQDBHk7q43nJ/V2PikMgZ9DvGs/+UmcKihDfOtWwVAcVjw6wj /4XaD9K5riC5ARLL/7dfRd4CBFQ/YSVQJEhXyGEIEyKzLz0dXamglRsGSvY1o/WiZjDa T3pDj/iDHzgHaVEBdyAKLqgiwjGsVOufrZ3MK0jL7ofnVH/e5vSYCtsp4zj37PwQ7avg p+Sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jl6AoOkBOQ8fU+sUE+EoZ1z3IVsF2Gu3Dv4ftchER/o=; b=IntZTGNh+4cLb4Xo5YQiB2iu2MQeB83Iz5J5gn5Fi5svR/t1bQ3EY6VtJqAf1WDBL+ QUu+Q37oLAoZ9WTk+zwWXZZ2bEORzm4NGHFn7ZvE7465E9ZOX9acwVj2XwIuNXMQVAHT sLVbn3vBy/y/lc9a9b5v+LexCIYCIkJmzol6r+jBVmQ9Zc69H8JclebiCX9PXrfsNIVd CkpQyQHN0Wbm3/Gk4mvZuPpOU3tb5ojHlex6w+wYtmRmTAg87znrJQA9Jqgf/Q1PKBVK 5iC1zASa7QRknghbmAB9B0t1EAzT8+ItiFXz3bF91IXaJZW/YbIeL8j6ZHXfEDVXE/kr z+Sw==
X-Gm-Message-State: AJcUukfd+uRVAIwaNVhDV+GX5NnfGAxjZ1ctmbfr5sWY0ZfpNvUjT6Pj P2JKtbnmuxaUeW38fMhzzB2lRHz4yype47XXxV4kMg==
X-Google-Smtp-Source: ALg8bN4FsqemVy9ga+5t4mjpamexGzmX29yekpuUCBdzKaa6y8jqPRWtD0uAqo1kLSveEiPiXLI/xwkK4lE7wL4MqEY=
X-Received: by 2002:a63:4f20:: with SMTP id d32mr8843130pgb.47.1545563885426; Sun, 23 Dec 2018 03:18:05 -0800 (PST)
MIME-Version: 1.0
References: <87lg4hlg50.wl-jch@irif.fr> <87y38hftes.fsf@toke.dk>
In-Reply-To: <87y38hftes.fsf@toke.dk>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Sun, 23 Dec 2018 03:17:54 -0800
Message-ID: <CAPDSy+5M2dFSLp2TFqa+TY9si0Qhm8ff2fScfxTn7-aAUKONFA@mail.gmail.com>
To: Toke Høiland-Jørgensen <toke@toke.dk>
Cc: Juliusz Chroboczek <jch@irif.fr>, Babel at IETF <babel@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e5f9e057daea28a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/OmXZabMcIBR2CXtIsLnF_tq9WQk>
Subject: Re: [babel] HMAC and DTLS cryptographic state can be maintained indefinitely
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Dec 2018 11:18:08 -0000
I agree with the attack and the solution. Can we also add your analysis to the Security Considerations section of both drafts? That way someone reading the text about when to discard this state has a pointer to what would happen if they don't - my thinking is that the consequences here are very minor so I wouldn't want a reader to start worrying about a much worse attack that they're not seeing. David On Sat, Dec 22, 2018 at 7:55 AM Toke Høiland-Jørgensen <toke@toke.dk> wrote: > Juliusz Chroboczek <jch@irif.fr> writes: > > > In HMAC, Hellos are authentified, so it is an easy matter to simply > > discard the cryptographic state (but not the neighbour entry) whenever > the > > Hello history becomes empty. I am planning to add wording to that effect > > to Section 4.1 of the draft: > > > > The receiver MUST ensure that the cryptographic state (index and seqno) > > is discarded after no packet has been accepted for the sender for > > a bounded time. A simple solution is to discard the index and seqno > > whenever the both hello histories in the neighbour entry becomes empty > > (see Appendix A of RFC6126bis); another solution is to discard the > index > > and seqno after a fixed time interval (e.g. 5 minutes) has elapsed > since > > the last accepted packet. > > I have no objections to this :) > > -Toke > > _______________________________________________ > babel mailing list > babel@ietf.org > https://www.ietf.org/mailman/listinfo/babel >
- [babel] HMAC and DTLS cryptographic state can be … Juliusz Chroboczek
- Re: [babel] HMAC and DTLS cryptographic state can… Toke Høiland-Jørgensen
- Re: [babel] HMAC and DTLS cryptographic state can… David Schinazi
- Re: [babel] HMAC and DTLS cryptographic state can… Juliusz Chroboczek