[Hipsec] The simplest password authentication for HIP

Robert Moskowitz <rgm@htt-consult.com> Thu, 13 May 2010 14:11 UTC

Message-ID: <4BEC0879.8030902@htt-consult.com>
Date: Thu, 13 May 2010 10:11:05 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
To: HIP WG <hipsec@ietf.org>
Subject: [Hipsec] The simplest password authentication for HIP
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>

The scenario is that a client needs access to a server when it is not already in the server's ACL, and the server will ONLY accept ACL-listed clients but has a password available.  An example is a grid substation controller as the server and a field engineer's tester as the client.  In this example, the engineer would be able to pull the password for the server as part of the service call (as an example).

In I2, ECHO_REQUEST_SIGNED is encrypted using PKCS #5 and the password, then placed within the HIP ENCRYPT parameter.

The advantages of this approach are:

The server does not advertise in any manner that it accepts password authentication for clients.  If a client is not in its ACL or does not provide the proper ENCRYPT parameter, the connection attempt is dropped.

The password is never exposed to dictionary attack by silent listeners, as it is encrypted by the DH-derived key.

It is EXTREMELY lightweight, not expanding the HIP exchange by more than a slightly larger ENCRYPT payload.

The disadvantages of this approach are:

The server has to go through most of the I2 processing to determine that this is a password-based authentication.  Though perhaps, if the client is NOT in its ACL, it could process the ENCRYPT parameter before it checks HIP_MAC and HIP_SIGNATURE?

New use for ECHO_REQUEST_SIGNED and content for ENCRYPT.

I can't come up with much else on the downside  :)
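The exchange described in the message above, as an added example that is not part of the original post and not code from any HIP implementation. It simulates both sides of the proposal: R1 carries an opaque ECHO_REQUEST_SIGNED, the initiator seals that echo under a PKCS #5 (PBKDF2) password key and places the result inside ENCRYPT, which is in turn protected by the DH-derived key, and the responder, for a HIT that is not in its ACL, opens the two layers and compares the echo or silently drops. Everything below is an assumption made for the example: HIP messages are reduced to Python dicts, an HMAC-SHA256 keystream with an HMAC tag stands in for the AES-CBC that the real ENCRYPT parameter uses, a random 32-byte `dh_key` stands in for the HIP encryption key derived from KEYMAT, the responder's HIT is used as the PBKDF2 salt, and the names `build_r1`, `build_i2`, `process_i2`, `run_exchange` and `offline_guess_from_wire` are hypothetical.

```python
"""Added example: password-authenticated I2 as proposed on the list (stdlib only)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
SERVER_PASSWORD = "substation-42"   # constructed sample password held by the controller


def password_key(password: str, hit_r: bytes, iterations: int = 100_000) -> bytes:
    """PKCS #5 PBKDF2-HMAC-SHA256.  Salt = responder HIT (assumption), so the same
    password gives a different key for each server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), hit_r, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for AES-CBC, not HIP's actual cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Plaintext, or None when the tag fails (wrong key, wrong layer, or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- responder (the substation controller) ---------------------------------

def build_r1(hit_r: bytes) -> dict:
    """R1 carries an opaque ECHO_REQUEST_SIGNED that the initiator must echo in I2."""
    return {"hit_r": hit_r, "ECHO_REQUEST_SIGNED": secrets.token_bytes(16)}


def process_i2(i2: dict, r1: dict, acl: set, password: str, dh_key: bytes) -> str:
    """ACL-listed HITs pass as usual.  Anyone else gets in only if ENCRYPT, opened with
    the DH-derived key, holds the echo sealed under the password key.  Every failure
    is the same silent DROP, so nothing advertises that passwords are accepted."""
    if i2["hit_i"] in acl:
        return "ACCEPT (ACL)"
    outer = i2.get("ENCRYPT")
    inner = unseal(dh_key, outer) if outer is not None else None
    if inner is None:
        return "DROP"
    echo = unseal(password_key(password, r1["hit_r"]), inner)
    if echo is None or not hmac.compare_digest(echo, r1["ECHO_REQUEST_SIGNED"]):
        return "DROP"
    return "ACCEPT (password)"


# --- initiator (the field engineer's tester) -------------------------------

def build_i2(hit_i: bytes, r1: dict, password: str, dh_key: bytes) -> dict:
    """Echo sealed under the password key, then wrapped in ENCRYPT under the DH key."""
    inner = seal(password_key(password, r1["hit_r"]), r1["ECHO_REQUEST_SIGNED"])
    return {"hit_i": hit_i, "hit_r": r1["hit_r"], "ENCRYPT": seal(dh_key, inner)}


def offline_guess_from_wire(i2: dict, r1: dict, guess: str) -> bool:
    """A silent listener with a captured I2 and a password guess: without the DH key
    the outer layer never opens, so the guess cannot be confirmed against the echo.
    Returns True only if the guess could be verified from the wire alone."""
    inner = unseal(password_key(guess, r1["hit_r"]), i2["ENCRYPT"])
    return inner is not None and hmac.compare_digest(inner, r1["ECHO_REQUEST_SIGNED"])


def run_exchange(password_used: str, acl_listed: bool = False, send_encrypt: bool = True) -> dict:
    """One full R1/I2 round with constructed HITs and a constructed DH-derived key."""
    hit_r, hit_i = secrets.token_bytes(16), secrets.token_bytes(16)
    dh_key = secrets.token_bytes(32)          # stands in for the KEYMAT-derived HIP key
    r1 = build_r1(hit_r)
    i2 = build_i2(hit_i, r1, password_used, dh_key)
    if not send_encrypt:
        del i2["ENCRYPT"]                     # an ordinary I2 with no password material
    acl = {hit_i} if acl_listed else set()
    return {"verdict": process_i2(i2, r1, acl, SERVER_PASSWORD, dh_key), "i2": i2, "r1": r1}


if __name__ == "__main__":
    for args in ((SERVER_PASSWORD,), ("wrong-guess",), ("wrong-guess", True), (SERVER_PASSWORD, False, False)):
        print(args, "->", run_exchange(*args)["verdict"])
```

The responder's ordering question in the message (open ENCRYPT before checking HIP_MAC and HIP_SIGNATURE for a non-ACL HIT) is reflected in `process_i2` only in that the ACL lookup comes first; the MAC and signature checks are outside this simulation.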