[dtn-interest] [Fwd: Fwd: Nits on draft-irtf-dtnrg-bundle-security]
Elwyn Davies <elwynd@dial.pipex.com> Thu, 17 February 2011 21:23 UTC
Received: from b.painless.aaisp.net.uk (b.painless.aaisp.net.uk [81.187.30.52]) by maillists.intel-research.net (8.13.8/8.13.8) with ESMTP id p1HLNvH2004208 for <dtn-interest@mailman.dtnrg.org>; Thu, 17 Feb 2011 13:23:58 -0800
Received: from 251.254.187.81.in-addr.arpa ([81.187.254.251]) by b.painless.aaisp.net.uk with esmtp (Exim 4.72) (envelope-from <elwynd@dial.pipex.com>) id 1PqBL3-00053W-Er for dtn-interest@mailman.dtnrg.org; Thu, 17 Feb 2011 21:24:40 +0000
Message-ID: <4D5D9212.1090102@dial.pipex.com>
Date: Thu, 17 Feb 2011 21:24:34 +0000
From: Elwyn Davies <elwynd@dial.pipex.com>
User-Agent: Thunderbird 2.0.0.19 (X11/20081209)
MIME-Version: 1.0
To: DTN <dtn-interest@mailman.dtnrg.org>
Content-Type: multipart/mixed; boundary="------------000602010102030909030309"
Subject: [dtn-interest] [Fwd: Fwd: Nits on draft-irtf-dtnrg-bundle-security]
X-BeenThere: dtn-interest@maillists.intel-research.net
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: elwynd@dial.pipex.com
List-Id: Delay Tolerant Networking Interest List <dtn-interest.maillists.intel-research.net>
List-Unsubscribe: <http://maillists.intel-research.net/mailman/listinfo/dtn-interest>, <mailto:dtn-interest-request@maillists.intel-research.net?subject=unsubscribe>
List-Archive: <http://maillists.intel-research.net/pipermail/dtn-interest>
List-Post: <mailto:dtn-interest@maillists.intel-research.net>
List-Help: <mailto:dtn-interest-request@maillists.intel-research.net?subject=help>
List-Subscribe: <http://maillists.intel-research.net/mailman/listinfo/dtn-interest>, <mailto:dtn-interest-request@maillists.intel-research.net?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2011 21:23:58 -0000
Comments received during IESG review
--- Begin Message ---Aaron and Elwyn, I should have cced you on this. That'll teach me to not read the history before I send these out. spt -------- Original Message -------- Subject: Nits on draft-irtf-dtnrg-bundle-security Date: Sat, 29 Jan 2011 17:23:28 -0500 From: Sean Turner <turners@ieca.com> To: draft-irtf-dtnrg-bundle-security@tools.ietf.org CC: kfall@intel.com, The IESG <iesg@ietf.org> Hi, Here's some comments/questions I have on this document (note this isn't my RFC 5742 review): - No 'Intended status' indicated for this document; I'm assuming Experimental as per the datatracker. I think you should probably add the header line to make sure though. - There are two unused references: RFC 3370 and RFC 4106. I think 3370 could we worked in somewhere when describing the CMS bits. For the 4106 I think the checker is barfing on the following from Section 4.3 and 4.4: [Note: parts of the following description are borrowed from RFC 4106]. Maybe replace it with: Note: parts of the following description is borrowed from [RFC4106]. - Obsolete reference to [RFC3280]. Should be to [RFC5280]. - Couldn't find the [DTNRB] reference. Did the document die a graceful death? - Expand DTN, EID, SDNV, BA, and PI on first use - Authentication is mentioned for the first time in Sec 2 when discussing the PIB. Wouldn't it be better to mention it earlier? - Section 2.1: When describing the two EIDs and cipher suite flags as "(optional)" they should be "(OPTIONAL)" if conveying 2119 requirements. Same for the Figure 3 description (i.e., the paragraph before the figure). - Section 2.3: r/the key information item Section 2.6 is optional, and if not provided then the key should be/the key information item Section 2.6 is OPTIONAL, and if not provided then the key SHOULD be - Sections 2.4 & 2.5: r/and that encryption-only ciphersuites NOT be used/and it is NOT RECOMMENDED that encryption-only ciphersuites be used Using NOT so far after the RECOMMENDED isn't "NOT RECOMMENDED". Also if you do this need to add "NOT RECOMMENDED" to the first para in section 1 like the errata 499: http://www.rfc-editor.org/errata_search.php?rfc=2119 - Section 2.4: Some "SHOULDs": It is RECOMMENDED to apply a Payload Confidentiality ciphersuite to non-payload blocks only if these SHOULD be super-encrypted with the payload. If super-encryption of ^^^^^^ the block is not desired then protection of the block SHOULD be done ^^^^^^ using the Extension Security Block mechanism rather than PCB. - Section 2.4: "SHOULD NOT" instead of "should not": These multiple PCB instances, are not "related" and SHOULD NOT contain correlators. ^^^^^^^^^^ - Section 2.8: In the paragraph about authenticated and encrypted bundles, I think the last sentence should be "RECOMMENDED". It's interesting to note that you'd prefer encrypt then sign as opposed to sign and then encrypt. Looking forward to the security consideration about why. - Section 3.2: r/MUST not/MUST NOT ? - Section 3.2: r/No other blocks are required to follow the payload block and it is RECOMMENDED that they NOT do so./No other blocks are required to follow the payload block and it is NOT RECOMMENDED that they do so. - Section 3.4.2: r/This algorithm is intended to protect parts of the bundle which should not be changed in-transit./This algorithm is intended to protect parts of the bundle which SHOULD NOT be changed in-transit. - Sections 3.4.1 & 3.4.2: Need a reference for URI. - Sections 4.1-4.4: What's the OIDs for these "eContents"? I assume id-data, but you should probably be explicit about it. - Section 4.1: r/Security parameters are optional with this scheme/Security parameters are OPTIONAL with this scheme - Section 4.1: A couple of comments/questions on the following: Implementations MUST support use of "AuthenticatedData" type as defined in [RFC5652] section 9.1, with RecipientInfo type KeyTransRecipientInfo containing the issuer and serial number of a suitable certificate. They MAY support additional RecipientInfo types. They MAY additionally use the "SignedData" type described in [RFC5652] Section 5.1. In either case, the "eContent" field in EncapsulatedContentInfo contains the encrypted HMAC key. 1. Normally, we'd use the SKI instead of the issuer/serial # combo. Any reason you chose differently? Most certificates have SKIs (now) and it's probably smaller than the issuer/serial # combo. 2. How is SignedData used here? It says it MAY be used - is that in addition to? There's no RecipientInfo with SignedData so I am a little confused. - Section 4.1 and 4.2: Should probably say something about whether you'd recommend no unsigned/unauthenticated and signed/authenticated attributes. I'm assuming you're not recommending any ;) - Sections 4.2, 4.3, & 4.4: Normally, we'd use the SKI instead of the issuer/serial # combo. Any reason you chose differently? Most certificates have SKIs and it's probably smaller than the issuer/serial # combo. - Section 4.2: Had the following: RSA is used with SHA256 as specified for the id-sha256 PKCSv2.1 signature scheme in [RFC4055]. Is this RSA with SHA-256 PKCS#1 Version 1.5 or RSA with SHA-256 using RSASSA-PSS? If it's the later is the id-sha256 the hashAlgorithm in the RSASSA-PSS-params or something else. Also wouldn't you have to say more like what's the hashAlgorithm, maskGenAlgorithm, whether RSASSA-PSS-params is included in certificates? Also r/RSA with SHA256/RSA with SHA-256 - Sections 4.1-4.4: The eContent values for the CMS content types threw me for a loop. You're not using them to protect the BAB, PIB, etc. it's just the encrypted HMAC key, signed checksum, and encrypted BEK. It reads like there are two sets of operation for each of the four Block Types. You do one for the BAB, PIB, etc. values and then another for the CMS structures? Am I reading that right? The parts about the "eContent" e.g.,: The "eContent" field in EncapsulatedContentInfo contains the signed checksum (SignatureValue) of the data. That tells me the CMS processing generates a message digest over the PIB SignatureValue and then signs the output of the message digest and put it in the SignerInfo.signature value field. Couldn't you just omit all the eContents? They're optional in all cases and can be gotten from elsewhere in the CMS blobs. - Section 7: You should point to [RFC5652]/[RFC5280] for it's security considerations when using CMS/certificates. This save you recreating text about keeping keys secret, etc. Need some additional motherhood and apple pie statements about randomly generating keys and point to [RFC4106]. And a pointer to [RFC5084] for concerns about AES-GCM. - Section 7: I didn't see a security consideration that addresses why you'd prefer to encrypt then authenticate. The text earlier implied and attack of some kind. RFC 5751 also had something to say about this: There are security ramifications to choosing whether to sign first or encrypt first. A recipient of a message that is encrypted and then signed can validate that the encrypted block was unaltered, but cannot determine any relationship between the signer and the unencrypted contents of the message. A recipient of a message that is signed then encrypted can assume that the signed message itself has not been altered, but that a careful attacker could have changed the unauthenticated portions of the encrypted message. - IANA Considerations: When defining an IANA controlled registry the document needs to indicate how the registry is updated (e.g., RFC required, expert review, etc.). See Section 4 of RFC 5226. Cheers, spt--- End Message ---
- Re: [dtn-interest] Fwd: Nits on draft-irtf-dtnrg-… Stephen Farrell
- Re: [dtn-interest] Fwd: Nits on draft-irtf-dtnrg-… Elwyn Davies
- Re: [dtn-interest] Fwd: Nits on draft-irtf-dtnrg-… Stephen Farrell
- Re: [dtn-interest] Fwd: Nits on draft-irtf-dtnrg-… Elwyn Davies
- [dtn-interest] [Fwd: Fwd: Nits on draft-irtf-dtnr… Elwyn Davies
- Re: [dtn-interest] Fwd: Nits on draft-irtf-dtnrg-… Stephen Farrell
- Re: [dtn-interest] Fwd: Nits on draft-irtf-dtnrg-… Elwyn Davies