Re: [hiprg] clarification of identity privacy properties of HIP base exchange
Tobias Heer <heer@cs.rwth-aachen.de> Wed, 16 February 2011 08:51 UTC
Return-Path: <heer@informatik.rwth-aachen.de>
X-Original-To: hiprg@core3.amsl.com
Delivered-To: hiprg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7F7623A6ABA for <hiprg@core3.amsl.com>; Wed, 16 Feb 2011 00:51:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.801
X-Spam-Level:
X-Spam-Status: No, score=-4.801 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2b+2yPAVj2DJ for <hiprg@core3.amsl.com>; Wed, 16 Feb 2011 00:51:07 -0800 (PST)
Received: from mta-1.ms.rz.rwth-aachen.de (mta-1.ms.rz.RWTH-Aachen.DE [134.130.7.72]) by core3.amsl.com (Postfix) with ESMTP id 160923A6B5F for <hiprg@irtf.org>; Wed, 16 Feb 2011 00:51:06 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from ironport-out-2.rz.rwth-aachen.de ([134.130.5.41]) by mta-1.ms.rz.RWTH-Aachen.de (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008)) with ESMTP id <0LGP00MFXCLXTJ10@mta-1.ms.rz.RWTH-Aachen.de> for hiprg@irtf.org; Wed, 16 Feb 2011 09:51:33 +0100 (CET)
X-IronPort-AV: E=Sophos;i="4.60,479,1291590000"; d="scan'208";a="49070337"
Received: from relay-auth-1.ms.rz.rwth-aachen.de (HELO relay-auth-1) ([134.130.7.78]) by ironport-in-2.rz.rwth-aachen.de with ESMTP; Wed, 16 Feb 2011 09:51:34 +0100
Received: from umic-i4-137-226-45-197.nn.rwth-aachen.de ([unknown] [137.226.45.197]) by relay-auth-1.ms.rz.rwth-aachen.de (Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 9 2008)) with ESMTPA id <0LGP008JQCLX7N20@relay-auth-1.ms.rz.rwth-aachen.de> for hiprg@irtf.org; Wed, 16 Feb 2011 09:51:33 +0100 (CET)
From: Tobias Heer <heer@cs.rwth-aachen.de>
In-reply-to: <4D5B8982.6040306@hiit.fi>
Date: Wed, 16 Feb 2011 09:51:29 +0100
Message-id: <A547342C-0202-4600-83AB-4F355E9B29C8@cs.rwth-aachen.de>
References: <7CC566635CFE364D87DC5803D4712A6C4CED25AE6E@XCH-NW-10V.nw.nos.boeing.com> <4D5B8982.6040306@hiit.fi>
To: hiprg@irtf.org
X-Pgp-Agent: GPGMail 1.3.1
X-Mailer: Apple Mail (2.1082)
Subject: Re: [hiprg] clarification of identity privacy properties of HIP base exchange
X-BeenThere: hiprg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Host Identity Protocol \(HIP\) Research Group" <hiprg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/listinfo/hiprg>, <mailto:hiprg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/hiprg>
List-Post: <mailto:hiprg@irtf.org>
List-Help: <mailto:hiprg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hiprg>, <mailto:hiprg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 08:51:08 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, Am 16.02.2011 um 09:23 schrieb Andrei Gurtov: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Henderson, Thomas R wrote: >> There is a paragraph in the HIP experiment report, Section 8: >> http://tools.ietf.org/html/draft-irtf-hip-experiment-10 >> for which I am wondering whether it is completely correct. >> >> >> All two-round-trip variations of the Diffie Hellman key exchange >> using public keys for authentication are vulnerable to identity >> theft. The Responder must not generate the shared session key before >> receiving two messages from the Initiator, to avoid DoS attacks. If >> the Responder sends its public key in the first reply message (R1) to >> the Initiator, the Responder's identity will be revealed to third >> parties. The Initiator cannot determine the identity of the >> Responder until after receiving the last message (R2) of the key >> exchange. As a result, an active attacker can find out the public >> key and identity of the Initiator by pretending to be a trusted >> correspondent host. The Initiator's public key is sent encrypted in >> the third message of the Diffie Hellman key exchange and can be >> decrypted by an attacker based on the established session key. >> >> Some questions: >> 1) (fourth sentence) The R1 sends HOST_ID and is signed, so can't the Initiator learn the identity in the first reply message? Or is this referring to possible R1 replay by an adversary? > > - From the content of R1 packet it indeed looks like Initiator can > identify the Responder based on the public key. Replays are a > possibility, but still the attacker wouldn't be able to alter the packet > or misuse the responder's identity, just resend the same packet. > For what I can say, the Responder cannot stay anonymous during the exchange. This is mentioned in RFC5201 and there is text on policies: some hosts may not act as responders because of this issue. RFC5201 says, that the BEX can be reversed. The Responder would become the Initiator then -- with a possible deadlock situation of both hosts would implement that policy. > A related question is how R1s can be pre-generated (I think RFC5201 > refers to this possibility). R1 includes at least the destination HIT so > how the signature can be constructed in advance? Also the puzzle can > have expiration lifetime. There is SIGNATURE_2 the HITs as well as Puzzle I and K are excluded from the signature. I quote: "Within the R1 packet that contains the HIP_SIGNATURE_2 parameter, the Initiator's HIT, the checksum field, and the Opaque and Random #I fields in the PUZZLE parameter MUST be set to zero while computing the HIP_SIGNATURE_2 signature." > >> 2) (fifth and sixth sentence) In what situations can an active attacker learn the key and identity of the Initiator (if the Initiator chooses to encrypt HOST_ID)? Opportunistic mode may be one, but are there others? > > I guess in any case when the public key of the recipient is not > authenticated (e.g. by DNSSEC) and when the initiator attempts > connecting without taking the ID of Responder from a trusted source. > (e.g. someone storing own public key in DHT under domain name google.com) > The anonymous bit and the concept of pseudonym HIs is useful here. If these are not used, the Initiator authenticates to the public key/ host identity of the host, and thus, knows the HI. An interesting question is what the "identity" of the Initiator is. Is it its real-word identity? You need more information to figure this out? Is it the HOST identity? This one is revealed without pseudonyms. BR, Tobias -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iEYEARECAAYFAk1bkBgACgkQf4eSaa7spb8DegCfWV6bCoDfVyj9bPauPBEaXpWV dj0AoKAFLezZHvHxmcbiC/444GV8oBeV =1mX5 -----END PGP SIGNATURE-----
- [hiprg] clarification of identity privacy propert… Henderson, Thomas R
- Re: [hiprg] clarification of identity privacy pro… Andrei Gurtov
- Re: [hiprg] clarification of identity privacy pro… Tobias Heer
- Re: [hiprg] clarification of identity privacy pro… Tobias Heer
- Re: [hiprg] clarification of identity privacy pro… Henderson, Thomas R