Re: [Cfrg] Analysis of ipcrypt?
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 22 February 2018 23:59 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C0201270AC for <cfrg@ietfa.amsl.com>; Thu, 22 Feb 2018 15:59:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0ZA8z6oi8ZR for <cfrg@ietfa.amsl.com>; Thu, 22 Feb 2018 15:59:26 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01684126C26 for <cfrg@irtf.org>; Thu, 22 Feb 2018 15:59:26 -0800 (PST)
Received: from fifthhorseman.net (cpe-76-91-54-61.socal.res.rr.com [76.91.54.61]) by che.mayfirst.org (Postfix) with ESMTPSA id 80A66F99A; Thu, 22 Feb 2018 18:58:53 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id DADC020269; Thu, 22 Feb 2018 18:58:49 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Russ Housley <housley@vigilsec.com>, Paul Hoffman <paul.hoffman@icann.org>
Cc: Samuel Neves <sneves@dei.uc.pt>, IRTF CFRG <cfrg@irtf.org>
In-Reply-To: <D13E3BE0-45AB-481B-885A-35853EFE2A86@vigilsec.com>
References: <18C83761-E442-45D9-BDBF-71DC7F751007@icann.org> <CAHmME9r3awwZxjEU-HWnOCyARhBx54VOcUOFJB4opmneKdZsyA@mail.gmail.com> <D13E3BE0-45AB-481B-885A-35853EFE2A86@vigilsec.com>
Date: Thu, 22 Feb 2018 15:58:49 -0800
Message-ID: <87a7w0h8zq.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NehYLvdmbncSDDz_hnorcc6JGXU>
Subject: Re: [Cfrg] Analysis of ipcrypt?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2018 23:59:27 -0000
On Thu 2018-02-22 18:30:36 -0500, Russ Housley wrote: > > It sounds like you want a simple and straightforward way to obfuscate IPv4 addresses. > > AES is very widely implemented. You can find libraries for every platform. So, something like this may do it for you: > > k = rand() /* 128 bits; fresh key for each dataset */ > > for each ipv4addr in dataset: > plain = ipv4addr || ipv4addr || ipv4addr || ipv4addr > obfuscated_ipv4addr = trunc32(AES_128_Encrypt(k, plain)) This approach doesn't allow inverting the address if needed. aiui, the use case for ipcrypt and other format-preserving encryption is attack detection and mitigation via anomaly detection, based on packet captures, but with phased destruction of the IP addresses. In this case, it's possible that the pcaps will persist for a while longer (e.g. as inputs to statistical processing that provides baselines for anomaly detection) than the IP address itself will need to be available (e.g. for identifing a current attacking address). --dkg
- [Cfrg] Analysis of ipcrypt? Paul Hoffman
- Re: [Cfrg] Analysis of ipcrypt? Jean-Philippe Aumasson
- Re: [Cfrg] Analysis of ipcrypt? Jason A. Donenfeld
- Re: [Cfrg] Analysis of ipcrypt? Greg Rose
- Re: [Cfrg] Analysis of ipcrypt? Russ Housley
- Re: [Cfrg] Analysis of ipcrypt? Daniel Kahn Gillmor
- Re: [Cfrg] Analysis of ipcrypt? Daniel Kahn Gillmor
- Re: [Cfrg] Analysis of ipcrypt? Greg Rose
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? Paul Hoffman
- Re: [Cfrg] Analysis of ipcrypt? Martin Thomson
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? Greg Rose
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? Scott Fluhrer (sfluhrer)
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? David McGrew (mcgrew)
- Re: [Cfrg] Analysis of ipcrypt? Russ Housley
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? Jean-Philippe Aumasson
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? Greg Rose
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? Jean-Philippe Aumasson
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? Paul Hoffman
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? Jean-Philippe Aumasson
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? Paul Hoffman
- Re: [Cfrg] [Ext] Re: Analysis of ipcrypt? Jean-Philippe Aumasson
- Re: [Cfrg] Analysis of ipcrypt? Tim Hollebeek