IETF Logo Mail Archive

Re: [Detnet] DetNet Security Draft Proposed Text - Encryption

"Grossman, Ethan A." <eagros@dolby.com> Sun, 03 March 2019 00:24 UTC

Return-Path: <eagros@dolby.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ACE7124408 for <detnet@ietfa.amsl.com>; Sat, 2 Mar 2019 16:24:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dolby.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bnFF_uz5ccHJ for <detnet@ietfa.amsl.com>; Sat, 2 Mar 2019 16:24:02 -0800 (PST)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-eopbgr740134.outbound.protection.outlook.com [40.107.74.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5E5C1271FF for <detnet@ietf.org>; Sat, 2 Mar 2019 16:24:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dolby.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=L4uvbfmosXez7UPobOQ2LkhNWAcnXhKmPtTwD6nNxLM=; b=cJVzZY/Fc43oZVDbuQFlupvjmA46QEoT3HqKUCdUSJ97IdAp7ayOEWrC5vCSiiFiZNKNEkR/Wj63ChsdJWteO7sT1wr9JE6Ct/Bk2rTJDQ/Mn0ZsmKaEtcNhFdl3835Ql2vv6iJu8m5p+2QyobbSI+DXCgeeFGrjLHG4tig1LP0=
Received: from BYAPR06MB4325.namprd06.prod.outlook.com (52.135.240.140) by BYAPR06MB6279.namprd06.prod.outlook.com (20.178.234.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.16; Sun, 3 Mar 2019 00:23:57 +0000
Received: from BYAPR06MB4325.namprd06.prod.outlook.com ([fe80::a55b:5609:ca77:6500]) by BYAPR06MB4325.namprd06.prod.outlook.com ([fe80::a55b:5609:ca77:6500%6]) with mapi id 15.20.1643.022; Sun, 3 Mar 2019 00:23:57 +0000
From: "Grossman, Ethan A." <eagros@dolby.com>
To: Henrik Austad <henrik@austad.us>, "detnet@ietf.org" <detnet@ietf.org>
Thread-Topic: [Detnet] DetNet Security Draft Proposed Text - Encryption
Thread-Index: AdTCk1I+rewKQpliQKSaD45oyDyx+QA4UwMAA3aSJ+A=
Date: Sun, 03 Mar 2019 00:23:57 +0000
Message-ID: <BYAPR06MB43257CFBE7F0528BC00F9C16C4700@BYAPR06MB4325.namprd06.prod.outlook.com>
References: <BYAPR06MB4325F626B1FAFB7E4B81C827C4650@BYAPR06MB4325.namprd06.prod.outlook.com> <20190213081754.GB11908@sisyphus.home.austad.us>
In-Reply-To: <20190213081754.GB11908@sisyphus.home.austad.us>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-dg-ref: PG1ldGE+PGF0IG5tPSJib2R5LnR4dCIgcD0iYzpcdXNlcnNcZWFncm9zXGFwcGRhdGFccm9hbWluZ1wwOWQ4NDliNi0zMmQzLTRhNDAtODVlZS02Yjg0YmEyOWUzNWJcbXNnc1xtc2ctYTEwZmNlMGMtM2Q0YS0xMWU5LWFlM2MtYWNiYzMyN2E1MWM2XGFtZS10ZXN0XGExMGZjZTBkLTNkNGEtMTFlOS1hZTNjLWFjYmMzMjdhNTFjNmJvZHkudHh0IiBzej0iODY1MCIgdD0iMTMxOTYwNDYyMzYwODY0Njg3IiBoPSJFWGZFY3J2Wk1vNmgxL3lDS0EzeW9LRVJZekU9IiBpZD0iIiBibD0iMCIgYm89IjEiLz48L21ldGE+
authentication-results: spf=none (sender IP is ) smtp.mailfrom=eagros@dolby.com;
x-originating-ip: [73.162.193.175]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b7f321f0-4934-4f0f-e4fd-08d69f6e86f7
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:BYAPR06MB6279;
x-ms-traffictypediagnostic: BYAPR06MB6279:
x-microsoft-exchange-diagnostics: 1; BYAPR06MB6279; 23:QLdwnwy1YB+KnEuK0pKbFAfg/7kubZ0kXennP1G6Z1XIFRy+vIog51d2RbyQE6EoJnvgLX0+dDk0UAaAaDWx9rH/x1NnSEFiDYJzimqgtEu/tfOQIprXUM6wRVevSZSGm8FM7PYKJuUG7yC+GqEWiSF9QXqVKOxm14hTGLTz1OSdEsECzyOWisX3g7HqZawyXuqBEuIQ/gJIy2SH9yXtAX8XeMhMC4LNLhfs2Z4RNtqqT9HAROKsaKa3WUOk0AbrBCMfVoXfvaTXwjI0L1peVbI/mCUjZoNYOvJzWklhmXwg2+mc+6f3wq6pBEEDwa/wqpvBYg6fN3ltr1Ev7KzBWn/748ctK4nMIxDr9MMeC4vrQsiVIcTnEDvP9c1fmXn7S7VBfRgMESu6ghoX+bHb6QL20varl7R/p5L/56t5AbtLb4mwGMFQ1oJQwGJkGQ2ZltBIvyKj4yW98LHgT//LLFSIB9BtMXe6NiGgXFEyJuc4mzwYgvQbmh6Oq6DMMnNM8V3/r01gji1WaOSWJJj59MwOyueuQ80bG9EI+1SB3cVjcBhco06YUaGWZoMD/UilBCL9dLem/U+ruYMsFq8OBZJa0BeEw7k/lf9kpIuPNk5P9NVIIchITDBkM7o63M0NjL2zaNQztn0jVwankRDoxhj0hawfgan5uWt5eQrT1e1zSylAF3i9gIZRcDwuhqIBj538I1HdgHTHGqsfV0Slj6xOxeOPukKqZCBwbuYNEe1ZRyTJEKdVspNVhaTMArLR1uRcddIUELOSpxPkOtNm/Yzt0b+DaMvsygiMc5fE8xWg0uliUb/+HqRptLUHmULVL795LSH4AYgPqbxrae8v3v9vcQ6kE1l7cf6YDGOzQaNP05VPtjzGvyVlm1HfmLzsi/KS57hd1z2ZhYIEFF9z3AWyyQwYW7EkWefYn58CvcwX4Po0xP9SzZ6dSyOt8U7D99tXsCMpp0lM6DyNcaJgoIFyU4c5Z4WeghhWd2QZkWHn70yHIAtNQ0cQa9cat6hJlyO4ebFxFjrPIypjNwAKufrlc2z+btwe2u7eJcC++Ud25r2vvgq8WRyBEFRO+HNmK+Dubu9Yh3gEvRD6tMdPhkEnHL2/zCkXbhKpI7xG7jOpbcNXfWd1mFzj+UxEHQAqLgeuKPtfbKUhK2ojiFxLIJDTnVABAGEgYxYRkcwVDuWwDOyfNUClRaHwXOwPXszWWgMc6MFy0hyfjio95aQVhnAuicBMmZcz0oJiH13lUSehbDJRDpPpGBo8Rs3ji9PqpFzV2KUvubgMk86S+XJUlapaDF7PTvIAOGwNqdoQ2aU=
x-microsoft-antispam-prvs: <BYAPR06MB6279B5C76410033A03C848C3C4700@BYAPR06MB6279.namprd06.prod.outlook.com>
x-forefront-prvs: 096507C068
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(396003)(39850400004)(376002)(346002)(136003)(53754006)(13464003)(189003)(199004)(2906002)(81156014)(15650500001)(2501003)(14454004)(81166006)(52536013)(97736004)(86362001)(9686003)(68736007)(8676002)(66066001)(256004)(316002)(14444005)(11346002)(229853002)(110136005)(53546011)(446003)(6506007)(76176011)(476003)(7696005)(486006)(5660300002)(99286004)(25786009)(71200400001)(71190400001)(102836004)(106356001)(6436002)(55016002)(26005)(105586002)(305945005)(3846002)(33656002)(74316002)(6246003)(7736002)(6116002)(8936002)(186003)(478600001)(53936002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR06MB6279; H:BYAPR06MB4325.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: dolby.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: BzZLZkQEStr1oPgxKVndipVfbrHQYCjcJGf36WrYIG9BhpI+lgoaF3VrZIarTyPlV7tVwgEBvP2pQLZLYd4F9HtZ7Lsfe2XzItPOgre+OSGrwGdreFCuoxudSXAxh9jabqDTHLkTb94qw+dwfr1egaxDBw+6UeIp7QW5FwO9dEhIoA5ae41fRt2fuHb/cBq13l5laF5C/gr5bB24ShYZBsK7HK9O6VQNZTLoBXdPlBTd5pHKIF8g95Oa/2HSw1QkYcCMRqjGUM2Ef1UlGc5ANqkjvDy/rxYsutaAO/mmm5d/t2LnwcetmhgFRcZHPG8Jyb4noj5218A7wJPdX7om0/hnDgYM1GjkXNdXHq02cyWEWW+5PDBMFMiqlRQxIqgBBny9aCVv0KXj4NUuHjzJ7EdSsqyZ8xnW7pfmHInKNxw=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: dolby.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b7f321f0-4934-4f0f-e4fd-08d69f6e86f7
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Mar 2019 00:23:57.7544 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 05408d25-cd0d-40c8-8962-5462de64a318
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR06MB6279
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/QhflyQrVDIMSAFwf_W2qaW9K7hc>
Subject: Re: [Detnet] DetNet Security Draft Proposed Text - Encryption
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Mar 2019 00:24:05 -0000

Hi Henrik,
Oops, my turn to be sorry - until now I missed your notes that were inline with my text below. I just went through them and put my comments inline below (prefixed EAG:). I also noted the resulting changes I will make in my text for this update to the DetNet Security draft. Some points are certainly worth further discussion; for now I am limiting my scope of revision to the current proposed section text. Others on the list are encouraged to add their thoughts to this thread, and I can incorporate them into the next revision. 
Thanks again for your contribution,
Ethan.

-----Original Message-----
From: Henrik Austad <henrik@austad.us> 
Sent: Wednesday, February 13, 2019 12:18 AM
To: Grossman, Ethan A. <eagros@dolby.com>
Cc: detnet@ietf.org; ekr@rtfm.com
Subject: Re: [Detnet] DetNet Security Draft Proposed Text - Encryption

On Tue, Feb 12, 2019 at 05:25:40AM +0000, Grossman, Ethan A. wrote:
> Hi All,

Hi Ethan,

> I have consolidated the list discussion about the pros and cons of 
> encryption algorithms into the Mitigation-Encryption section of the 
> security draft (text of the section as it now reads is below). I would 
> like the WG to review it before I publish it in a new version of the 
> Security draft.

I must have missed that discussion - sorry!
(If this means that I'm covering old, settled points below, please just ignore my ramblings)

Question (relevant for my points below):

Do we plan to *encrypt* the header of the DetNet flows in transit, or will it be sufficient that the header is cryptographically signed?

EAG: My understanding is that this would depend on the requirements of the use case, i.e. the design/implementation of a given DetNet. That is, some use cases that require very high levels of security might want to encrypt the header, and be willing to accept the performance hit. Others might require minimum latency and not require that the headers be encrypted, or perhaps even signed. However I think this would make a good discussion for the list to see if there is anything we can agree on that would apply to all DetNets. Having said that, you already sent this email to the list and we got no further discussion on the topic, but maybe this will revive the discussion. 

Follow up; if we go with signing, will intermidate nodes have a need to update the DetNet header, and if so, how do we solve the key-management problem for a per-flow set of signing keys to all relevant nodes?

EAG: Referring back to my comment above, I hope that this level of specificity can be left as an exercise to the DetNet designer. If you are saying that this is something that has to be resolved at the DetNet Architecture level, please let us know so that we can address it. 

-H

> Thanks,
> Ethan (as editor of the DetNet Security draft)
> --------------------------------------------------------------------
> 5.    Security Threat Mitigation
> 5.4.         Encryption
> Description
>                DetNet flows can be forwarded in encrypted form.
> Related attacks

> Encryption can be used to mitigate recon attacks (Section 3.2.7). 
> However, for the DetNet to give differentiated quality of service on a 
> flow-by-flow basis, it must be able to identify the flows individually.
> This implies that in a recon attack the attacker may also be able to 
> track individual flows to learn more about the system.
>
> Encryption can also provide traffic origin verification, i.e. to 
> verify that each packet in a DetNet flow is from a verified source, 
> for example as part of ingress filtering.

Since this covers more than 1 vector, perhaps it would be worthwhile to distinguish between confidentiality (encrypting the payload of the stream, preferrably in an end-to-end manner) and integrity (of the header itself using some sort of HMAC). As Maik pointed out in another email, we must make a point about crypto agility.

The payload itself should be end-to-end encrypted, the nodes should not have any need to inspect the payload itself. We can probably push the responsibility of this to the DetNet-application, the protocol should be data-agnostic.

EAG: I am trying hard to limit the scope of the DetNet Security draft to security considerations related specifically to time-sensitive aspects of DetNet. It seems to me that the discussion about confidentially vs integrity is a very good point, as is the point about crypto-agility, but I'm hoping that these are generic enough to be "considered to be covered elsewhere". Do you agree?  

> 5.4.1.     Encryption Considerations for DetNet
>
> Any time spent on encryption and decryption processing ("crypto") must 
> be included in the flow latency calculations. Thus, crypto algorithms 
> used in a DetNet must have bounded execution times. Some crypto 
> algorithms are symmetric in encode/decode time (such as AES and SHA-2) 
> and others are asymmetric (such as public key algorithms).

Nitpick SHA-2 is a hashing algorithm, not a crypto-algorithm.

Also, Since SHA-2 is very similar to SHA-1 (which is considered broken),
SHA-3 was born. As with crypto agility, we should make a note about hash-function agility.

EAG: OK I will remove the reference to SHA-2, it isn't necessary to have a second example there. 

> There are advantages and disadvantages to the use of either type in a 
> given DetNet context. Asymmetrical crypto is typically not used in 
> networks on a packet-by-packet basis due to its computational cost. 
> For example, if only endpoint checks or checks at a small number of 
> intermediate points are required, one can use asymmetric crypto to 
> authenticate distribution or exchange of a secret symmetric crypto 
> key; a successful check based on that key will provide traffic origin 
> verification as long as the key is kept secret by the participants. 
> Both TLS and IKE (for IPsec) are examples of this for endpoint checks.

Not only TLS and IKE; this is pretty much how asymmetric crypto works. You create a symmetric key and you use asymmetrci crypto to share that secret between Alice and Bob.

EAG: OK, I suppose I can leave my existing text as it is. 

Then you also re-generate the symmetric keys periodically. This is perhaps something we should make a not of, as that will add some additional cost, thus affecting the determinstic behaviour.

EAG: This is a highly relevant point. I added the following:  "If crypto keys are to be regenerated over the duration of the flow then the time required to accomplish this must be accounted for in the latency calculations."

> However, if we use secret symmetrical keys for this purpose we must 
> give the key to all relays, which increases the probability of a 
> secret key being leaked. Also, if any relay is compromised or 
> misbehaving it may inject traffic into the flow.

Hence the need to split the header from the payload, regenerate symmetric keys etc.

EAG: Right. Again I think this is a generic consideration? 

> Alternatively, asymmetric crypto can provide traffic origin 
> verification at every intermediate node.

Signature verification using public keys is a pretty deterministic operation I think, generate the hash, verify the signature. I need to dig through some books to be sure.

EAG: I don't think we want to make any particular claims about specific algorithms or processes here, just a general comparison between technologies. 

> For example, a DetNet flow can be associated with an (asymmetric) 
> keypair, such that the private key is available to the source of the 
> flow and the public key is distributed with the flow information, 
> allowing verification at every node for every packet. However, this is 
> more computationally expensive. In either case, origin verification 
> also requires replay detection mechanism as part of the security 
> protocol to prevent an attacker from recording and resending traffic, 
> e.g., as a denial of service attack on flow forwarding resources.

There are ways to avoid replay-attacks when you have secure hashes, but you must store some state on each node. Since each frame contains both a sequence-number and a stream-id, what we need are available to detect replays. This means that the header must either be transported in the clear, or that we can decrypt it in transit though.

EAG: I believe that this is covered by the phrase "also requires replay detection" - your comments are about how to implement such a mechanism, right? 

-- 
Henrik Austad

v2.23.0 | Report a Bug | By Email