[babel] HMAC and DTLS cryptographic state can be maintained indefinitely
Juliusz Chroboczek <jch@irif.fr> Sat, 22 December 2018 15:45 UTC
Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCC0F12785F for <babel@ietfa.amsl.com>; Sat, 22 Dec 2018 07:45:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Eir7eJoIlmX for <babel@ietfa.amsl.com>; Sat, 22 Dec 2018 07:45:27 -0800 (PST)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA70A1277CC for <babel@ietf.org>; Sat, 22 Dec 2018 07:45:26 -0800 (PST)
Received: from potemkin.univ-paris7.fr (potemkin.univ-paris7.fr [IPv6:2001:660:3301:8000::1:1]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id wBMFjJI9019350 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <babel@ietf.org>; Sat, 22 Dec 2018 16:45:19 +0100
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by potemkin.univ-paris7.fr (8.14.4/8.14.4/relay2/82085) with ESMTP id wBMFjLMn006875 for <babel@ietf.org>; Sat, 22 Dec 2018 16:45:21 +0100
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 33A0985933 for <babel@ietf.org>; Sat, 22 Dec 2018 16:45:25 +0100 (CET)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id Mw9IDfZ9n_LF for <babel@ietf.org>; Sat, 22 Dec 2018 16:45:23 +0100 (CET)
Received: from pirx.irif.fr (user-46-112-148-30.play-internet.pl [46.112.148.30]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 1243285926 for <babel@ietf.org>; Sat, 22 Dec 2018 16:45:17 +0100 (CET)
Date: Sat, 22 Dec 2018 16:45:15 +0100
Message-ID: <87lg4hlg50.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: babel@ietf.org
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]); Sat, 22 Dec 2018 16:45:19 +0100 (CET)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (potemkin.univ-paris7.fr [194.254.61.141]); Sat, 22 Dec 2018 16:45:21 +0100 (CET)
X-Miltered: at korolev with ID 5C1E5C0F.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-Miltered: at potemkin with ID 5C1E5C11.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5C1E5C0F.000 from potemkin.univ-paris7.fr/potemkin.univ-paris7.fr/null/potemkin.univ-paris7.fr/<jch@irif.fr>
X-j-chkmail-Enveloppe: 5C1E5C11.000 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5C1E5C0F.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Score: MSGID : 5C1E5C11.000 on potemkin.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/mwEv5Ojx_fjAL3kvPMyIZRfuvzQ>
Subject: [babel] HMAC and DTLS cryptographic state can be maintained indefinitely
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Dec 2018 15:45:29 -0000
Hi. I think I have a nit against both Babel security drafts (HMAC and DTLS). The fix is easy, but I'd like to hear the list's opinion first. Executive summary: both security mechanisms associate the cryptographic state with the neighbour entry. In both mechanisms, an attacker may prevent the neighbour entry from expiriting, thus maintaining the cryptographic state for an arbitrary time. While this does not lead to any obvious vulnerability, it is worrying, and should be fixed. Fortunately, the fix is easy. 1. The issue Both security mechanisms rely on a pairwise exchange that leads to both peers estabilishing cryptographic state in their neighbour tables. In the case of HMAC, the cryptographic exchange is called the "challenge", and the state is the current index and seqno. In the case of DTLS, the exchange is the DTLS handshake, and the state is the current DTLS state. If A has a neighbour entry for a peer B, and the peer B leaves the network, then A's neighbour entry for B will eventually expire. However, in some cases an attacker C can prevent the neighour entry for B from expiring, as described below. 1.1 HMAC In HMAC, an attacker can replay a correctly signed packet with an index different from A's current index. This causes B to send a challenge, and keep the challenge data in the neighbour entry; if replayed packets are sent often enough, the neighbour entry will never expire, and the cryptographic state will live forever. 1.2 DTLS In DTLS, Hellos are unauthentified. Hence, it is enough for the attacker to send fake Hellos to prevent the neighbour entry from expiring. 2. What can an attacker do? The issue outlined above does not cause an obvious vulnerability -- the cryptographic state does not allow any obvious replay attacks. There is one troubling case, though. Suppose that just before B leaves the network, it sends an announcement that is not received by A (due to packet loss), but is captured by an attacker C. Then C may choose to maintain A's cryptographic state for a long time, then replay B's announcement. It can do that only once -- if it attempts to replay it twice, then A's replay detection mechanism will trigger. It's not obvious if delaying a single announcement by an arbitrary amount of time is a vulnerability, but I'm sure I'm not the only person it makes feel uncomfortable. 3. The fix The obvious fix is to require that A discards its cryptographic state after a bounded amount of time. In HMAC, Hellos are authentified, so it is an easy matter to simply discard the cryptographic state (but not the neighbour entry) whenever the Hello history becomes empty. I am planning to add wording to that effect to Section 4.1 of the draft: The receiver MUST ensure that the cryptographic state (index and seqno) is discarded after no packet has been accepted for the sender for a bounded time. A simple solution is to discard the index and seqno whenever the both hello histories in the neighbour entry becomes empty (see Appendix A of RFC6126bis); another solution is to discard the index and seqno after a fixed time interval (e.g. 5 minutes) has elapsed since the last accepted packet. In DTLS, Hellos are not authentified, so the above solution won't work. I suggest requiring that the DTLS state be discarded whenever the IHU timer expires. 4. Please comment I'm going to update the DTLS draft pretty soon, so please comment. 5. Acknowledgments Thanks to Pierre Letouzey and Yann Régis-Gianas for the discussion that lead to the issue described in this mail.
- [babel] HMAC and DTLS cryptographic state can be … Juliusz Chroboczek
- Re: [babel] HMAC and DTLS cryptographic state can… Toke Høiland-Jørgensen
- Re: [babel] HMAC and DTLS cryptographic state can… David Schinazi
- Re: [babel] HMAC and DTLS cryptographic state can… Juliusz Chroboczek