Re: [Hipsec] Fwd: Last Call comments on draft-ietf-hip-dex-11

Robert Moskowitz <rgm@htt-consult.com> Sun, 03 November 2019 20:58 UTC

Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51DCE1200C1 for <hipsec@ietfa.amsl.com>; Sun, 3 Nov 2019 12:58:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MsIPoPPK8wRW for <hipsec@ietfa.amsl.com>; Sun, 3 Nov 2019 12:58:39 -0800 (PST)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB67A12002E for <hipsec@ietf.org>; Sun, 3 Nov 2019 12:58:38 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id F32796210D for <hipsec@ietf.org>; Sun, 3 Nov 2019 15:58:37 -0500 (EST)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id HnglTnYrM9HD for <hipsec@ietf.org>; Sun, 3 Nov 2019 15:58:25 -0500 (EST)
Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id B05D861FDB for <hipsec@ietf.org>; Sun, 3 Nov 2019 15:58:25 -0500 (EST)
To: HIP <hipsec@ietf.org>
References: <CABcZeBNQeT8jiYE=nHFqm57-Z5oq9qm29XDJupFkRDTi+i_pXQ@mail.gmail.com> <CABcZeBMRptoaGhgWYmC8a=9tBjoJxVBYbge7EF1xBY7c0poWXQ@mail.gmail.com>
From: Robert Moskowitz <rgm@htt-consult.com>
Message-ID: <c1860193-432e-cde2-28cf-6c7142051dd3@htt-consult.com>
Date: Sun, 3 Nov 2019 15:58:20 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.1
MIME-Version: 1.0
In-Reply-To: <CABcZeBMRptoaGhgWYmC8a=9tBjoJxVBYbge7EF1xBY7c0poWXQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------6ADA6DDF40A4D73B7A2B989A"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/0OueCPnrgCjyQAzZF38Hfo66Cfo>
Subject: Re: [Hipsec] Fwd: Last Call comments on draft-ietf-hip-dex-11
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2019 20:58:41 -0000

Right now I will only reply to the AEAD comment.

I believe this is directed to the HIP_CIPHER parameter and its use in a 
number of HIP parameter objects.  The ECHO may be encrypted with it and 
in DEX we add the PSK.

Since all HIP packets that contain these fields are MACed with HIP_MAC, 
it is deemed that the TLVs within the HIP packet do not need to use an 
AEAD.  In fact RFC already specifies:

         RESERVED           0
         NULL-ENCRYPT       1     ([RFC2410])
         AES-128-CBC        2     ([RFC3602])
         RESERVED           3     (unused value)
         AES-256-CBC        4     ([RFC3602])

This is covered in 7401 and an implementer of DEX will know that the 
whole packet is MACed.

Other responses to come separately.



On 11/3/19 3:31 PM, Eric Rescorla wrote:
> Sorry for the standalone message. I don't seem to be subscribed to
> ietf-announce, so can't reply.
>
> I do not believe that this meets the security standards that we
> currently use for designing protocols at IETF. As a general matter,
> this document seems to cut a large number of corners in the service of
> some unspecified "overhead" goal, yet it never describes what the
> targets are (though presumably this is somehow about computation and
> bandwidth), and so it is not possible to evaluate the document against
> them. At present, I am unable to say whether it's necessary to do a
> new document at all.
>
> The rest of this message details specific deficiencies of this
> protocol which should be addressed. Aside from these, it's fairly
> unfortunate to see a design for a protocol that uses such an unusual
> cryptographic core for no obvious reason. This makes it very hard to
> analyze. It would be far better to use SIGMA or some other
> well-analyzed construction.
>
>
> LACK OF PFS
> The most serious concern here is the lack of Forward Secrecy. This is
> a straightforward static-static DH exchange, but it is not possible to
> provide FS in that scenario, as S 1 acknowledges. I have two concerns
> here: First, FS is simply table stakes in a modern AKE protocol, so I
> don't think we should be publishing a document that doesn't have it
> on the standards track.
>
> Second, even if we were to concede that FS might be optional, the
> design choices here don't make any sense. There are two major costs to
> DH: the cost of doing the DH computations and the bandwidth of sending
> the keys. However, given the wide range of the curves permitted here
> (X25519 to P521), even a full triple-DH protocol will be far more
> efficient on both counts than the existing protocol with P521 (indeed,
> it's probably as or more efficient than the existing protocol with
> P256).
>
> Proposed action: This protocol needs to be revised to have forward
> security.
>
>
> HIT GENERATION
> Previous versions of HIP generated HITs from HIs by computing a secure
> hash on the HI. This document converts them by a novel folding
> procedure. There is no good reason to believe that it is hard to
> generate a key that has a given HIT (indeed there are good reasons to
> believe it *is* reasonably efficient for non-EC algorithms). The
> document sort-of-acknowledges this in Section 9:
>
>    o  The HIP DEX HIT generation may present new attack opportunities.
>       Hence, HIP DEX HITs MUST NOT be used as the only means to identify
>       a peer in an ACL.  Instead, the use of the peer's HI is
>       recommended as explained in Section 3.
>
> However, it's not clear it's sufficient, because nothing strongly
> binds the HI (as opposed to the HIT) to the handshake, so attacks
> may still be possible if the HI is used (via UKS-like attacks). In
> any case, this is a regression from HIPv2.
>
> It's not even clear why this change was made: given that you
> have CMAC, you should be able to use this to produce a hash of
> the key.
>
> Proposed action: generate HITs from HIs securely.
>
>
> WEAK EC GROUPS
> This document specifies the use of SECP160R1. This is not an acceptably
> secure group.
>
> Proposed action: REmove support for SECP160R1.
>
>
> FAILURE TO VALIDATE PUBLIC KEYS
> This document does not require that implementations validate
> the remote public key. With the NIST curves specified here,
> this leads to straightforward key extraction attacks, which
> is a very serious problem when you have a static key.
>
> Proposed action: Require point validation. The TLS 1.3 has
> text you can borrow.
>
>
> AEAD
> This document makes use of non-AEAD symmetric algorithms. This has been
> found to be hazardous in practice.
>
> Proposed action: use only AEAD algorithms.
>
>
> REPLAY ATTACK ON AKE
> The only entropy provided to the AKE is the puzzle, which means
> that it's possible for an attacker to replay the responder's
> messages, leaving the initiator believing that he has created
> a connection when in fact he has not. The attacker will not
> be able to send data messages because the initiator contributes
> data to the eventual keys, but we generally try to avoid this
> property.
>
> More importantly, this is unnecessary, and can be resolved
> by changing the odd "encrypt half the key" mechanism used here
> with a conventional nonce structure in which each side sends
> a random value and then you HKDF it with the DH shared secret.
> This would have the effect of removing the replay attack
> and be easier to analyze.
>
> Proposed action: restructure the AKE to mix nonces + DH
> into the key schedule.
>
> -Ekr