[babel] Some open HMAC issues
Juliusz Chroboczek <jch@irif.fr> Sat, 30 June 2018 13:04 UTC
Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C73D130E09 for <babel@ietfa.amsl.com>; Sat, 30 Jun 2018 06:04:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zD9hdeZUAqmL for <babel@ietfa.amsl.com>; Sat, 30 Jun 2018 06:04:45 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AE8F1274D0 for <babel@ietf.org>; Sat, 30 Jun 2018 06:04:44 -0700 (PDT)
Received: from potemkin.univ-paris7.fr (potemkin.univ-paris7.fr [IPv6:2001:660:3301:8000::1:1]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/75695) with ESMTP id w5UD400S000951 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 30 Jun 2018 15:04:00 +0200
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by potemkin.univ-paris7.fr (8.14.4/8.14.4/relay2/75695) with ESMTP id w5UD4DWZ004644; Sat, 30 Jun 2018 15:04:13 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 25D4BEB279; Sat, 30 Jun 2018 15:04:42 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id Z-l-U0uhgokF; Sat, 30 Jun 2018 15:04:40 +0200 (CEST)
Received: from pirx.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id B1CE9EB22E; Sat, 30 Jun 2018 15:04:40 +0200 (CEST)
Date: Sat, 30 Jun 2018 15:04:40 +0200
Message-ID: <87sh545st3.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: babel@ietf.org
CC: Clara Dô <clarado_perso@yahoo.fr>, Weronika Kołodziejak <weronika.kolodziejak@gmail.com>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]); Sat, 30 Jun 2018 15:04:00 +0200 (CEST)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (potemkin.univ-paris7.fr [194.254.61.141]); Sat, 30 Jun 2018 15:04:14 +0200 (CEST)
X-Miltered: at korolev with ID 5B377FC0.002 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-Miltered: at potemkin with ID 5B377FCD.002 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5B377FC0.002 from potemkin.univ-paris7.fr/potemkin.univ-paris7.fr/null/potemkin.univ-paris7.fr/<jch@irif.fr>
X-j-chkmail-Enveloppe: 5B377FCD.002 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5B377FC0.002 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Score: MSGID : 5B377FCD.002 on potemkin.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/hg5wC__BrVjGEm2c6eD2pRqVop4>
Subject: [babel] Some open HMAC issues
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jun 2018 13:04:49 -0000
0. Explicit vs. implicit Indices The discussion between explicit (DKC variant) and implicit (Stenberg variant) indices is still open. Just because we've made DKC code available doesn't mean the WG needs to follow our idiosyncrasies. (I'll try to find the inner strength to summarise the discussion at some point.) 1. Implemented and MTI HMACs We've followed Denis' text, and implemented SHA1 and RIPEMD160. Could any security specialists please advise: - which algorithms should be implemented; - which algorithms should we propose to the WG as Mandatory to Implement (MTI)? On a related note, should we be looking at algorithms other than HMAC? The challenge mechanism is fairly generic, and the actual hashing is just a tiny part of the protocol. 2. Should the HMAC cover the packet header? The Babel packet header has the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Magic | Version | Body length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Right now, Version is fixed at 2, but if we ever define Babel version 3, we might become susceptible to downgrade attacks. I don't recall why we skipped the header in HMAC computation, but I think it's a bug. (As far as I can tell, 7298bis hashes the whole packet, including the packet trailer.) 3. Packet format There are three new TLVs (HMAC, Challenge, Challenge Reply). They are variable-length and therefore non-terminating in the sense of rfc6126bis Section 4.4, which means that they cannot carry sub-TLVs. This follows Denis' original design, and I think it's the right thing to do since it makes the packet format simpler. Does anyone envision a need to carry sub-TLVs on these TLVs? 4. Challenge timeout How long does a receiver have to reply to a challenge? We see no vulnerability here, but we feel that a challenge reply coming a few hours late is at the very least suspicious. (Our code apparently uses 300ms, but I think it's a bug -- it should be on the order of tens of seconds, since a peer is allowed to aggregate its challenge reply with other unicast TLVs -- that's the first time I see a convincing use-case for Unicast Hellos, by the way. Note that we don't necessarily know the peer's Hello and IHU intervals when we challenge. Perhaps we should make the timeout explicit in the challenge TLV?) 5. Use of the packet trailer The HMAC TLV is carried in the packet trailer, which makes it clear which part of the packet is protected by HMAC and avoids the need to clear parts of the packet body before hashing. (Think about extensibility -- there might be other TLVs in the future that must not be protected, and if different extensions require clearing different parts of the packet, we're going to end up with some pretty enjoyable code obfuscation.) Does anyone have technical arguments against the use of the packet trailer? For the record, Denis didn't use a packet trailer, and David has expressed some mild reservations about its use (he feels that we're trading specification simplicity for implementation simplicity and extensibility, and while I agree with this, I happen to think it's the right tradeoff in this particular case). If we keep the trailer, well need to add something to 6126bis. I suggest the following RFCese: - the packet trailer is a sequence of TLVs, just like the packet body, and the TLV number space is the same; - a TLV that appears in the packet trailer MUST be ignored on reception unless its definition explicitly states that it is allowed in the packet trailer; - the mandatory bit MUST NOT be acted upon when it appears in the packet trailer; as a consequence, an implementation that doesn't grok any TLVs that can appear in the trailer MAY simply ignore the packet trailer without ever parsing it. 6. Cryptographic Seqno increase A peer is allowed to increase its Cryptographic Seqno by an arbitrary value (more than 1). This allows the use of fast-running counters, for example based on a hardware clock. For example, an implementation might encode a 1µs-granularity clock in the Cryptographic Seqno, end encode the top-order 16 bits in the Index. There would be a spurious challenge every 72 minutes, and the Index would overflow every 9 years (meaning you'd need to perform key rotation at least that often). Does anyone see a problem with that? 7. Cryptographic Seqno size The Cryptographic Seqno is of a fixed size; if it overflows, the sender must pick a new index and suffer packet loss during at least one RTT (while it's waiting for a new challenge). The Cryptographic Seqno is currently 32 bits long. Does it make sense to reduce it to 16 bits? That would shave 2 octets from each packet, at the cost of more frequent challenges. I think it should stay at 32 bits, since it makes it possible for people to use a fast-running counter (see point 5 above). (In a stable network with 1000 nodes and the default parameters, babeld should be sending on the order of 1.2 packets per second. A 16-bit counter will overflow after 15 hours, a 32-bit counter will overflow after 113 years. All bets are off if you use a fast-running counter, of course.) 8. Index and Nonce size Indices and Nonces are of variable size (up to the maximum TLV size): our implementation selects 80-bit values, but it will handle values of up to 251 resp. 255 octets (as much as fits in a TLV). While having variable-length values slightly complicates the implementation, I think it's a good idea: - an implementation might want to encode a cookie in the Nonce in order to have stronger DoS protection, thus needing a larger Nonce; - an implementation with a stable clock might want to use a tiny Index (see point 5 above). I suggest we should limit indices and nonces to 192 octets, indices and nonces larger than that MUST NOT be sent. This gives enough margin to carry a nonce or index in a sub-TLV (which we're not currently planning to do, but what the heck). (This means we allow 0-octet Nonces. Haha.) 9. Lack of an ANM Since the new protocol is not vulnerable to replay, we don't use a separate ANM, but keep all the per-peer state in the ordinary Neighbours Table -- if a neighbour entry expires, we'll need to challenge again. We intend to put this in the spec, and add an implementation note to explain that implementations that wish to avoid spurious challenges may use a persistent ANM to keep the neighbour state. Does anyone see a problem with that? -- Juliusz
- Re: [babel] Some open HMAC issues Markus Stenberg
- [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues David Schinazi
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues David Schinazi
- Re: [babel] Some open HMAC issues David Schinazi
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues David Schinazi
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues Dave Taht
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues David Schinazi
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues David Schinazi
- [babel] Packet trailer [was: Some open HMAC issue… Juliusz Chroboczek
- Re: [babel] Packet trailer [was: Some open HMAC i… David Schinazi
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen
- Re: [babel] Packet trailer [was: Some open HMAC i… Toke Høiland-Jørgensen
- Re: [babel] Some open HMAC issues Juliusz Chroboczek
- Re: [babel] Some open HMAC issues Toke Høiland-Jørgensen