Re: [Hipsec] processing review comments on RFC 5201-bis
Robert Moskowitz <rgm@htt-consult.com> Sun, 06 July 2014 10:33 UTC
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B8DC1A03A9 for <hipsec@ietfa.amsl.com>; Sun, 6 Jul 2014 03:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j5EHZ2mATmh2 for <hipsec@ietfa.amsl.com>; Sun, 6 Jul 2014 03:33:31 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id A0E331A03A6 for <hipsec@ietf.org>; Sun, 6 Jul 2014 03:33:30 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 36A3762A6F; Sun, 6 Jul 2014 10:33:30 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U3sNZ5fATg1c; Sun, 6 Jul 2014 06:33:19 -0400 (EDT)
Received: from lx120e.htt-consult.com (nc4010.htt-consult.com [208.83.67.156]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 6656A62A7E; Sun, 6 Jul 2014 06:33:19 -0400 (EDT)
Message-ID: <53B925EC.5020207@htt-consult.com>
Date: Sun, 06 Jul 2014 06:33:16 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Miika Komu <mkomu@cs.hut.fi>, hipsec@ietf.org
References: <53AF010A.70606@tomh.org> <53B1A282.2060907@gmail.com> <53B416B3.1030307@cs.hut.fi> <53B42614.1070108@cs.hut.fi>
In-Reply-To: <53B42614.1070108@cs.hut.fi>
Content-Type: text/plain; charset="KOI8-R"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/9ErCGNDBESPM2s1ztNy3fEvfH64
Subject: Re: [Hipsec] processing review comments on RFC 5201-bis
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Jul 2014 10:33:33 -0000
On 07/02/2014 11:32 AM, Miika Komu wrote: > Hi, > > On 07/02/2014 05:26 PM, Miika Komu wrote: >> Hi, >> >> On 06/30/2014 08:46 PM, Tom Taylor wrote: >>>> 3) Section 5.2.18: given the strict ordering of HIP parameters, the >>>> initial >>>> plaintext for the Encrypted content (type and length of initial >>>> parameter) may be fairly easily guessed. This opens up the minor >>>> possibility of a known plaintext attack. [Comment to be reviewed after >>>> further examination.] [Upon review: I1 packets have fixed type but >>>> variable length due to varying lengths of DH-GROUP-LISTS. The set of >>>> such lengths is limited, however, so it is worth considering whether >>>> known plain-text attacks offer any real threat.] >>>> >>>> Discussion: I don't know how/whether to handle this, or whether other >>>> similar vulnerabilities in other security protocols are addressed. >>>> Changes to address this would likely complicate things or increase the >>>> packet sizes. >>> >>> [PTT] I have to leave it to people more knowledgeable in security to >>> judge whether this is a realistic attack. One point of approach is to >>> find out what sample size is needed for known plain-text attacks for >>> specific algorithms, compare that with the rate at which an attacker >>> could collect encrypted messages in specific scenarios, and decide >>> whether there is a real threat. Mitigation presumably might be through >>> adjustment of the rate of key rollover. >> >> do we actually need the encrypted parameter for something really >> critical (i.e. some extensions rely on it)? If not, we could just remove >> it. Usually the encrypted parameter just contains the HOST_ID of the >> Initiator which does not really offer any real privacy since the HIT is >> in plaintext and actually can interfere with middleboxes (as already >> mentioned in the draft). >> >> If the encrypted parameter is critical, here's a straw-man proposal that >> avoids increasing packet size: XOR the contents of the encrypted >> parameter by iterating through it block-by-block using the encryption >> key. Then, encrypt it with the same key. >> >> If packet size is not a problem, we could include an extra, fixed size >> key for XORing within the encrypted parameter. Or perhaps just encrypt >> the plaintext twice with the encryption key. >> >> (My solutions are presented in chronologically in the order of my >> personal preference) > > on second thought, do we actually have a real problem here? Let us > consider: > > * The encryption key is different for each base exchange, so the roll > over is actually occurring every time, so that observing multiple base > exchanges does not benefit the attacker > * To derive the encryption key, you need a very expensive brute for > search, and the award is (usually) just the public key of the initiator > * If the parameter contains something else in addition to the public > key, the brute force search is still very expensive (exponential) > * The default algo (AES) is resistant against linear and differential > cryptanalysis > > So, I am not convinced that the current mechanism should be changed. Also there is an assumption of what the first type value is? Other uses of it may not contain the Host_ID, but something else. And thus the length would be different according to that something else type. I might point out that HIP DEX uses ENCRYPT parameter. I am sure there are others.
- [Hipsec] processing review comments on RFC 5201-b… Tom Henderson
- Re: [Hipsec] processing review comments on RFC 52… Francis Dupont
- Re: [Hipsec] processing review comments on RFC 52… Tom Taylor
- Re: [Hipsec] processing review comments on RFC 52… Tom Henderson
- Re: [Hipsec] processing review comments on RFC 52… Tom Taylor
- Re: [Hipsec] processing review comments on RFC 52… Tom Henderson
- Re: [Hipsec] processing review comments on RFC 52… Tom Taylor
- Re: [Hipsec] processing review comments on RFC 52… Miika Komu
- Re: [Hipsec] processing review comments on RFC 52… Miika Komu
- Re: [Hipsec] processing review comments on RFC 52… Robert Moskowitz
- Re: [Hipsec] processing review comments on RFC 52… Robert Moskowitz
- Re: [Hipsec] processing review comments on RFC 52… Rene Hummen