Re: [CFRG] 16 byte signature
Robert Moskowitz <rgm-sec@htt-consult.com> Wed, 15 June 2022 16:14 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93870C157B3A for <cfrg@ietfa.amsl.com>; Wed, 15 Jun 2022 09:14:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.783
X-Spam-Level:
X-Spam-Status: No, score=-3.783 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hWLBMEng1FWq for <cfrg@ietfa.amsl.com>; Wed, 15 Jun 2022 09:14:31 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1705FC157902 for <cfrg@ietf.org>; Wed, 15 Jun 2022 09:14:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 44749626A1; Wed, 15 Jun 2022 12:13:44 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id W-nN5yVS5mpz; Wed, 15 Jun 2022 12:13:33 -0400 (EDT)
Received: from [192.168.160.11] (unknown [192.168.160.11]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id E31946267D; Wed, 15 Jun 2022 12:13:32 -0400 (EDT)
Content-Type: multipart/alternative; boundary="------------Ez12zRENsrLJsUu9H53rHT2O"
Message-ID: <6279d798-3cc9-a335-49a6-eecc0e262c0c@htt-consult.com>
Date: Wed, 15 Jun 2022 12:14:14 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: Dan Collins <dcollinsn@gmail.com>
Cc: Natanael <natanael.l@gmail.com>, cfrg@ietf.org
References: <701bdccc-c9d7-c4f6-900e-492233edab57@htt-consult.com> <CAAt2M1-R=ZW1zEhGkXaXTRKCbQhtZzcUqeJXRSiMUpU6bGULXw@mail.gmail.com> <2aa7d431-08ab-fee4-5579-2c13b147cc06@htt-consult.com> <CA+tt54K43mpMWNmpCjep5SExE7U8pA+RsqL2eBJRGFX+iQnypQ@mail.gmail.com>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
In-Reply-To: <CA+tt54K43mpMWNmpCjep5SExE7U8pA+RsqL2eBJRGFX+iQnypQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/eK9cCIKENdhIznXozVMaMkJbsmU>
Subject: Re: [CFRG] 16 byte signature
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2022 16:14:35 -0000
On 6/15/22 11:12, Dan Collins wrote: > Rob, > > Can I ask where you're getting the 8 bytes per message from? If you're > replacing the 3 byte PI field, are you replacing it with a longer > field in order to fit the 11 bit counter and the 64 bit partial > signature? Or are you sending an additional message using one of the > reserved type codes? The message is effectively 51-bits (lose 5 for the TC). have an 11-bit minute counter to allow for one signed ICAO number per minute. Enough for most RF coverage times. This leaves 40-bits left for the other 5 bytes. > > Also - this may be relevant to the size of your counter as well as the > amount of space you have - the position and velocity fields are > already transmitted twice each per second while airborne. (Other > status and ID fields are transmitted at slower and variable rates.) Yes. To do an effective security over many messages, there would have to be what amounts to a signed hash-block on another channel. Much like the Manifest Authentication Message in draft-ietf-drip-auth for UAS Remote ID. But the idea here is to have an occational proof of ICAO number message. If such a thing is of interest remains to be seen. Interesting thought process at least. > > Regards, > Dan Collins > > On Wed, Jun 15, 2022 at 11:00 AM Robert Moskowitz > <rgm-sec@htt-consult.com> wrote: > > BLS? > > > On 6/15/22 10:24, Natanael wrote: >> >> >> Den ons 15 juni 2022 15:52Robert Moskowitz >> <rgm-sec@htt-consult.com> skrev: >> >> Manned Aviation's ADS-B (what Air Traffic Control and >> flightware.com <http://flightware.com> >> uses) is highly constrained: 112 bits! >> >> https://mode-s.org/decode/content/ads-b/1-basics.html >> >> Now aviation is looking at this oops design with only perhaps >> 60% >> deployment (mostly in major flight areas). It has been >> generally held >> that nothing can be done with this baby to secure it from >> spoofing >> attacks and the like, so I decided to play around. >> >> Here is the frame format: >> >> 1–5 5 DF Downlink Format >> 6–8 3 CA Transponder capability >> 9–32 24 ICAO ICAO aircraft address >> 33–88 56 ME Message, extended squitter >> (33–37) (5) (TC) (Type code) >> 89–112 24 PI Parity/Interrogator ID >> >> >> >> I have worked out a scheme where I could have 8 bytes per >> packet for >> some payload that is able to replace PI (e.g. a sig). Since >> this is >> basically a static message, I put in a 1 min counter of 11 >> bits and use >> a new key pair each day for 1440 signings of the Aircraft >> Address. >> >> Can't do anything with 8 bytes, but 2 approaches for 16 bytes >> by using 2 >> frames are possible. >> >> So is there any signature 'safe' to use for 1440 (or 720) >> sigs of 16 >> bytes length. An attack would have to be during that 24 hour >> period (or >> 12 hour) to spoof that an Aircraft Address is within RF range. >> >> The actual keypairs can be of any practical length. >> >> There would be a whole X.509 PKI behind this to manage the >> usage period >> of a keypair. >> >> Not too concern about International Dateline crossings at >> this point! >> >> BTW, where this is important, over major airports, the RF is >> already >> overused for various messaging, so adding 2 frames per >> aircraft per >> minute is possible, but there will be push back for more. >> >> And to protect the 'real' ADS-B messages that actually have a >> message >> content could only be done via a back channel. And then you >> get into >> the ADS-C mess! >> >> >> BLS seems closest to plausible at a security level evaluated in >> bits estimated to half the signatures size, so at 16 bytes / 128 >> bits you get 64 bits of security. It's absolutely on the low end, >> even smaller organizations are capable of breaking that in short >> time spans. >> >> You'd have to have really fast key rotations, I'm talking about >> key lifetimes of under an hour even if you're optimistic. You >> might just even want to roll a new key for every broadcast. At >> that point verifiers would need to be online to retrieve the most >> recent signing key to confirm the message is both authentic and >> fresh. However, at that point with key rollovers that fast you >> may as well go for a symmetric authentication tag scheme and >> require a request to a trusted server to check validity of the >> message directly, rather than checking the public key. >> >> There's another scheme that claims 80 bits of security at a >> signature length of 110 bits, so it fits in with a solid margin >> in the space available, however I hadn't even heard of it until I >> started looking today and I don't know if it has held up to >> cryptoanalysis; >> >> https://eprint.iacr.org/2016/911 >> >> _______________________________________________ >> CFRG mailing list >> CFRG@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] 16 byte signature Robert Moskowitz
- Re: [CFRG] 16 byte signature Natanael
- Re: [CFRG] 16 byte signature Robert Moskowitz
- Re: [CFRG] 16 byte signature Dan Collins
- Re: [CFRG] 16 byte signature Natanael
- Re: [CFRG] 16 byte signature Robert Moskowitz