[hiprg] clarification of identity privacy properties of HIP base exchange
"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Wed, 16 February 2011 04:46 UTC
Return-Path: <thomas.r.henderson@boeing.com>
X-Original-To: hiprg@core3.amsl.com
Delivered-To: hiprg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0EABF3A6B8E for <hiprg@core3.amsl.com>; Tue, 15 Feb 2011 20:46:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VBvhpvUmboNX for <hiprg@core3.amsl.com>; Tue, 15 Feb 2011 20:46:51 -0800 (PST)
Received: from stl-smtpout-01.boeing.com (stl-smtpout-01.boeing.com [130.76.96.56]) by core3.amsl.com (Postfix) with ESMTP id C74163A6A86 for <hiprg@irtf.org>; Tue, 15 Feb 2011 20:46:51 -0800 (PST)
Received: from stl-av-01.boeing.com (stl-av-01.boeing.com [192.76.190.6]) by stl-smtpout-01.ns.cs.boeing.com (8.14.4/8.14.4/8.14.4/SMTPOUT) with ESMTP id p1G4lBSX017894 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <hiprg@irtf.org>; Tue, 15 Feb 2011 22:47:16 -0600 (CST)
Received: from stl-av-01.boeing.com (localhost [127.0.0.1]) by stl-av-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_RELAY) with ESMTP id p1G4lB74012396 for <hiprg@irtf.org>; Tue, 15 Feb 2011 22:47:11 -0600 (CST)
Received: from XCH-NWHT-09.nw.nos.boeing.com (xch-nwht-09.nw.nos.boeing.com [130.247.25.115]) by stl-av-01.boeing.com (8.14.4/8.14.4/UPSTREAM_RELAY) with ESMTP id p1G4lARw012390 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK) for <hiprg@irtf.org>; Tue, 15 Feb 2011 22:47:10 -0600 (CST)
Received: from XCH-NW-10V.nw.nos.boeing.com ([130.247.25.85]) by XCH-NWHT-09.nw.nos.boeing.com ([130.247.25.115]) with mapi; Tue, 15 Feb 2011 20:47:10 -0800
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "hiprg@irtf.org" <hiprg@irtf.org>
Date: Tue, 15 Feb 2011 20:47:08 -0800
Thread-Topic: clarification of identity privacy properties of HIP base exchange
Thread-Index: AcvNlJCBUejaJYxoSfSJxdGfYgk4wA==
Message-ID: <7CC566635CFE364D87DC5803D4712A6C4CED25AE6E@XCH-NW-10V.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [hiprg] clarification of identity privacy properties of HIP base exchange
X-BeenThere: hiprg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Host Identity Protocol \(HIP\) Research Group" <hiprg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/listinfo/hiprg>, <mailto:hiprg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/hiprg>
List-Post: <mailto:hiprg@irtf.org>
List-Help: <mailto:hiprg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hiprg>, <mailto:hiprg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 04:46:53 -0000
There is a paragraph in the HIP experiment report, Section 8: http://tools.ietf.org/html/draft-irtf-hip-experiment-10 for which I am wondering whether it is completely correct. All two-round-trip variations of the Diffie Hellman key exchange using public keys for authentication are vulnerable to identity theft. The Responder must not generate the shared session key before receiving two messages from the Initiator, to avoid DoS attacks. If the Responder sends its public key in the first reply message (R1) to the Initiator, the Responder's identity will be revealed to third parties. The Initiator cannot determine the identity of the Responder until after receiving the last message (R2) of the key exchange. As a result, an active attacker can find out the public key and identity of the Initiator by pretending to be a trusted correspondent host. The Initiator's public key is sent encrypted in the third message of the Diffie Hellman key exchange and can be decrypted by an attacker based on the established session key. Some questions: 1) (fourth sentence) The R1 sends HOST_ID and is signed, so can't the Initiator learn the identity in the first reply message? Or is this referring to possible R1 replay by an adversary? 2) (fifth and sixth sentence) In what situations can an active attacker learn the key and identity of the Initiator (if the Initiator chooses to encrypt HOST_ID)? Opportunistic mode may be one, but are there others? Tom
- [hiprg] clarification of identity privacy propert… Henderson, Thomas R
- Re: [hiprg] clarification of identity privacy pro… Andrei Gurtov
- Re: [hiprg] clarification of identity privacy pro… Tobias Heer
- Re: [hiprg] clarification of identity privacy pro… Tobias Heer
- Re: [hiprg] clarification of identity privacy pro… Henderson, Thomas R