Re: [babel] Minor clarification to HMAC
Juliusz Chroboczek <jch@irif.fr> Sat, 29 June 2019 09:41 UTC
Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A3B6120121 for <babel@ietfa.amsl.com>; Sat, 29 Jun 2019 02:41:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KQ_FDJXG8h0p for <babel@ietfa.amsl.com>; Sat, 29 Jun 2019 02:41:48 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1455120047 for <babel@ietf.org>; Sat, 29 Jun 2019 02:41:47 -0700 (PDT)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id x5T9feRx004589; Sat, 29 Jun 2019 11:41:40 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 3514B4C428; Sat, 29 Jun 2019 11:41:43 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id nGkUHI2c1gmm; Sat, 29 Jun 2019 11:41:42 +0200 (CEST)
Received: from pirx.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 7BF2D4C426; Sat, 29 Jun 2019 11:41:38 +0200 (CEST)
Date: Sat, 29 Jun 2019 11:41:38 +0200
Message-ID: <87ef3c20fh.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Markus Stenberg <markus.stenberg@iki.fi>
Cc: babel@ietf.org
In-Reply-To: <6C3AA518-8EF8-493A-835D-DE096E75D07B@iki.fi>
References: <874l49j158.wl-jch@irif.fr> <6C3AA518-8EF8-493A-835D-DE096E75D07B@iki.fi>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Sat, 29 Jun 2019 11:41:43 +0200 (CEST)
X-Miltered: at korolev with ID 5D173254.002 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5D173254.002 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5D173254.002 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/ZnpxDoG42NY8WphW7D_VDcC9TXY>
Subject: Re: [babel] Minor clarification to HMAC
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2019 09:41:50 -0000
> In terms of security properties, notably resource exhaustion/contention, > I am bit leery of creating entry before validity of remote party is > actually verified (= challenge response received). I prefer the old > text. I initially thought like you, but Sawssen and Étienne convinced me that creating the entry late does not add any security. Suppose that the packet passes HMAC. Then one of the possible cases is possible: - the neighbour entry already exists; - the neighbour entry doesn't exist, and we're going to send a challenge. In the first case, the point is moot. In the second case, we're going to create a neighbour entry anyway, so we might as well create it immediately. (Note that the data structures of the protocol are conceptual, not prescriptive -- an implementation is allowed e.g. to use an "incomplete neighbour" data structure that is smaller than a full neighbour structure for holding uncompleted challenges, as long as the effect is identical to what is described in the protocol. > I am not quite sure why the second 'may need to be created' is there.. I was hoping nobody would notice ;-) For the challenge to be successful, the neighbour entry must exist -- there's no way we could have sent a challenge if no neighbour entry exists. (It could be the case of course that the challenge reply is an attack, and no neighbour entry exists, so the implementation must still check for the existence of the neighbour entry.) I didn't want to mention that right now, in order to limit the amount of confusion. > I guess naive implementation would just remember specific nonces it has > sent/freceived, but for new peers you can also just use e.g. nonce that > contains timestamp (+ peer address (+- something))[1], which allows > challenge sender to remain stateless until challenge responder proves > they have the key. Yes. The protocol is designed to make it possible to encode a cookie in the Nonce (that's why Nonces can be as much as 192 octets long). However, the draft does not specify how to implement it with cookies, so the point is somewhat moot. (Note that even with cookies, you still need to rate-limit challenges. A global challenge counter should be enough, but I haven't given it any serious thought. Which is why I won't attempt to specify the cookie variant of the protocol in this revision of the protocol.) > So -1 from me. (Yes, I do wear my tinfoil hat even during summer.) Please reconsider in light of the above. -- Juliusz
- [babel] Minor clarification to HMAC Juliusz Chroboczek
- Re: [babel] Minor clarification to HMAC STARK, BARBARA H
- Re: [babel] Minor clarification to HMAC Toke Høiland-Jørgensen
- Re: [babel] Minor clarification to HMAC Markus Stenberg
- Re: [babel] Minor clarification to HMAC David Schinazi
- Re: [babel] Minor clarification to HMAC Mahesh Jethanandani
- Re: [babel] Minor clarification to HMAC Juliusz Chroboczek
- Re: [babel] Minor clarification to HMAC Juliusz Chroboczek
- Re: [babel] Minor clarification to HMAC Markus Stenberg
- Re: [babel] Minor clarification to HMAC Juliusz Chroboczek
- Re: [babel] Minor clarification to HMAC Markus Stenberg
- Re: [babel] Minor clarification to HMAC Juliusz Chroboczek
- Re: [babel] Minor clarification to HMAC Markus Stenberg
- Re: [babel] Minor clarification to HMAC Juliusz Chroboczek
- Re: [babel] Minor clarification to HMAC Markus Stenberg
- Re: [babel] Minor clarification to HMAC Mahesh Jethanandani