Re: [dtn-security] BSP mutable canonicalization of CBHE

"Zoller, David A. (MSFC-EO50)[HOSC SERVICES CONTRACT]" <david.a.zoller@nasa.gov> Fri, 10 May 2013 17:55 UTC

Agreed. I believe this may have uncovered a non-conformant implementation of 6260 in DTN2. The CBHE is done at the block processing level instead of the CLA and in the receive processing does not re-create the uncompressed primary block needed for BSP validation.
Thanks and I'll investigate further,
DZ

From: Burleigh, Scott C (313B) [mailto:scott.c.burleigh@jpl.nasa.gov]
Sent: Friday, May 10, 2013 10:26 AM
To: Zoller, David A. (MSFC-EO50)[HOSC SERVICES CONTRACT]; dtn-security
Subject: RE: BSP mutable canonicalization of CBHE

Interesting question, David.  I would say there's no problem, though, because the CBHE specification says that (formally) the compression happens at the convergence layer, after the bundle has been queued for forwarding.  All of the BSP signing and encryption procedures should already have been performed prior to this time - i.e., on the original uncompressed bundle - when all EIDs still existed in string form to support canonicalization.

Scott

From: dtn-security-bounces@irtf.org [mailto:dtn-security-bounces@irtf.org] On Behalf Of Zoller, David A. (MSFC-EO50)[HOSC SERVICES CONTRACT]
Sent: Friday, May 10, 2013 8:05 AM
To: dtn-security
Subject: [dtn-security] BSP mutable canonicalization of CBHE

Noticed while looking through the new DTN2 ciphersuite code...
Is there a specification of the BSP mutable canonicalization of a primary header in Compressed Bundle Header Encoding format (RFC 6260)?
Would you generate the string "ipn:<scheme offset>:<ssp offset>" and use that for the EIDs and lengths?
And use "dtn:none" for the case where the offsets are both zero?
Thanks,
DZ
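
The point made in the thread, that a receiver has to rebuild the string-form EIDs from a CBHE primary block before BSP validation, is sketched below as an added example; it is not code from DTN2 or from any message in this thread. It assumes the RFC 6260 string form `ipn:<node>.<service>` with `dtn:none` for the pair (0, 0), uses a constructed key and constructed EIDs, and substitutes a simplified length-prefixed HMAC for the real BSP mutable canonicalization.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real BSP key
# Constructed sample EIDs in primary-block order: dest, source, report-to, custodian
SENDER_EIDS = ["ipn:200.1", "ipn:100.1", "dtn:none", "ipn:100.0"]

def sdnv_encode(value):
    """Encode an integer as an SDNV: 7 data bits per byte, high bit = more follows."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(out))

def sdnv_decode(buf, pos):
    """Decode one SDNV starting at pos; return (value, next position)."""
    value = 0
    while True:
        value = (value << 7) | (buf[pos] & 0x7F)
        pos += 1
        if not buf[pos - 1] & 0x80:
            return value, pos

def decode_cbhe_eids(offsets):
    """Rebuild four EID strings from the eight CBHE 'offset' SDNVs."""
    nums, pos = [], 0
    for _ in range(8):
        n, pos = sdnv_decode(offsets, pos)
        nums.append(n)
    pairs = zip(nums[0::2], nums[1::2])  # (node number, service number)
    return ["dtn:none" if (n, s) == (0, 0) else f"ipn:{n}.{s}" for n, s in pairs]

def canonical_digest(eids):
    """Simplified stand-in for canonicalization: HMAC over length + EID string."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for eid in eids:
        raw = eid.encode("ascii")
        mac.update(struct.pack("!I", len(raw)) + raw)
    return mac.digest()

# Sender signs the uncompressed bundle; compression happens afterwards.
SIGNED = canonical_digest(SENDER_EIDS)
WIRE_OFFSETS = b"".join(sdnv_encode(n) for n in (200, 1, 100, 1, 0, 0, 100, 0))

def verify(eids):
    return hmac.compare_digest(canonical_digest(eids), SIGNED)

if __name__ == "__main__":
    print("rebuilt EIDs verify:", verify(decode_cbhe_eids(WIRE_OFFSETS)))
    # Assumed failure model: no dictionary was rebuilt, so the EIDs read as empty.
    print("no rebuild verifies:", verify(["", "", "", ""]))
```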