[hiprg] clarification of identity privacy properties of HIP base exchange

"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Wed, 16 February 2011 04:46 UTC

From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "hiprg@irtf.org" <hiprg@irtf.org>
Date: Tue, 15 Feb 2011 20:47:08 -0800

There is a paragraph in the HIP experiment report, Section 8:
http://tools.ietf.org/html/draft-irtf-hip-experiment-10
for which I am wondering whether it is completely correct.


   All two-round-trip variations of the Diffie Hellman key exchange
   using public keys for authentication are vulnerable to identity
   theft.  The Responder must not generate the shared session key before
   receiving two messages from the Initiator, to avoid DoS attacks.  If
   the Responder sends its public key in the first reply message (R1) to
   the Initiator, the Responder's identity will be revealed to third
   parties.  The Initiator cannot determine the identity of the
   Responder until after receiving the last message (R2) of the key
   exchange.  As a result, an active attacker can find out the public
   key and identity of the Initiator by pretending to be a trusted
   correspondent host.  The Initiator's public key is sent encrypted in
   the third message of the Diffie Hellman key exchange and can be
   decrypted by an attacker based on the established session key.

Some questions:
1) (fourth sentence) The R1 sends HOST_ID and is signed, so can't the Initiator learn the identity in the first reply message? Or is this referring to possible R1 replay by an adversary?
2) (fifth and sixth sentences) In what situations can an active attacker learn the key and identity of the Initiator (if the Initiator chooses to encrypt HOST_ID)? Opportunistic mode may be one, but are there others?

Tom