Re: [hiprg] A question of the identity privacy

Miika Komu <miika.komu@hiit.fi> Thu, 04 February 2010 05:11 UTC

On 04/02/10 06:12, Dacheng Zhang wrote:

Hi,

> Hello, everyone:
> 
> I just read a paper “BLIND: A Complete Identity Protection Framework for
> End-points” which proposes a solution to protect the privacy of HITs of
> both communicating hosts. I believe that the privacy protection of HITs is
> desired in many scenarios. But, I am a bit concerned whether BLIND is
> suitable in a client/server model. Normally, a server should publish its
> access information to DNS, and it may not make much sense to protect the
> identity and location privacy of a server. Apart from BLIND, I didn't find
> any other papers about the identity privacy issues with HIP.

Please have a look at:

Janne Lindqvist and Laura Takkinen, Privacy Management for Secure
Mobility (short paper), in Proceedings of the 5th ACM CCS Workshop on
Privacy in Electronic Society - WPES 2006, Alexandria, Virginia, USA,
October 30, 2006. [Online (ACM)]

> Here, I have three questions. First, do you think the identity privacy
> protection can be desired for HIP? If it is, do you think it is a good idea
> to propose a simplified protocol as a complement of BLIND, which only
> protects the identity privacy of the initiator? In addition, do you know
> whether there is any other related work?

I believe BLIND is already as simple as it gets and the code changes to
existing HIP software are quite small. You can have a look at the code
changes in HIPL or hip4inter.net (if Ericsson's BLIND is publicly
available). I think it would be useful to complement BLIND with:

1. Blind negotiation (Initiator uses, Responder uses, both use) that is
not prone to a downgrade attack. Probably the best way is just to use
control header flags.
2. UPDATE extensions
3. Middlebox analysis (see draft-heer-hip-middle-auth)
4. Comparison of disposable identities vs. BLIND

I believe the first one is pretty close to what you originally asked but
I don't know exactly what you have in mind.