[Hipsec] Progress on HIP DEX

Robert Moskowitz <rgm@htt-consult.com> Thu, 10 June 2010 15:31 UTC

Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 57F4F28C141 for <hipsec@core3.amsl.com>; Thu, 10 Jun 2010 08:31:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.923
X-Spam-Level:
X-Spam-Status: No, score=0.923 tagged_above=-999 required=5 tests=[AWL=-0.278, BAYES_50=0.001, J_CHICKENPOX_31=0.6, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BsgcZRh1hFGX for <hipsec@core3.amsl.com>; Thu, 10 Jun 2010 08:31:16 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [208.83.67.149]) by core3.amsl.com (Postfix) with ESMTP id 43AAD3A69B6 for <hipsec@ietf.org>; Thu, 10 Jun 2010 08:31:11 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id E938F68B48 for <hipsec@ietf.org>; Thu, 10 Jun 2010 15:23:30 +0000 (UTC)
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hnZ2Vg+wFz3p for <hipsec@ietf.org>; Thu, 10 Jun 2010 11:23:21 -0400 (EDT)
Received: from nc2400.htt-consult.com (h155.home.htt [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id 8005468B27 for <hipsec@ietf.org>; Thu, 10 Jun 2010 11:23:21 -0400 (EDT)
Message-ID: <4C110528.2030403@htt-consult.com>
Date: Thu, 10 Jun 2010 11:30:48 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100430 Fedora/3.0.4-2.fc12 Thunderbird/3.0.4
MIME-Version: 1.0
To: HIP WG <hipsec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [Hipsec] Progress on HIP DEX
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2010 15:31:20 -0000

First I have recognized that without a hash, you cannot offer ECDSA.  In 
fact without a hash (or rather a compress function that offers collision 
resistance), a signing with ECC is NOT ECDSA by definition, it is 
something else.

So I have designed HIP DEX to only use:

AES-CCM
CMAC
ECC ElGamel Encryption (is there a nice acronym for this?)

Since there is no signing function, HIP DEX does not use the SIGMA 
model, but I believe that I provide (by the end of the exchange) the 
same proofs.

This protocol is expected to run over networks that lose lots of 
packets, so you need to ensure success by aggressive retransmission of 
packets until you get proof that your packet was received.  To this end 
there is a timer, t, in msec there is also a lifetime (when sender will 
just quit sending) in msec.  Example values of 100,3000.  This 
retransmission also plays an interesting part in completing to exchange, 
so timers are used even when there is no packet loss.

With all of this there are subtle differences between the BEX and DEX 
state machines.

parties are:

I   ::= Initator
R   ::= Responder
MR  ::= Malicious Responder
IR  ::= Malicious Initator

Values are:

PK  ::= Public key of
t   ::= retransmit timer value and lifetime
n   ::= nonce
Pn  ::= Puzzle based on and containing nonce n
Sn  ::= Puzzle solution based on nonce n
x,y ::= random secrets

Functions are:

ECR ::= ECC ElGamal Encryption
MAC ::= CMAC
|   ::= concatination
||  ::= Key expansion extraction

R or MR                                                                I 
or IR
I1 ::= <---  t
R1 ::=               t, Pn, PKr                                ------>
I2 ::= <--- t, Pn, Sn, PKi, ECR(PKr,n|x), MAC(x,(t, Pn, Sn, PKi, 
ECR(PKr,n|x)))
R                                                                      I 
or IR
R2 ::=               n, ECR(PKi,n|y), MAC(x, (n, ECR(PKi,n|y))) ------>
R                                                                      I
<---  Data, MAC(x||y, Data) ------>

I starts sending I1 and continues send it until it receives R1
R sends R1 and continues to send it until it receives I2
I sends I2 and continues send it until it receives R2, then it 
transistions to connected state
R sends R2 and continues send it until it stops receiving I2, then it 
transistions to connected state

R1 and I2 need to be held to check incoming for duplicates.  I am not 
sure what the processing logic should be if there are differences 
between packets.  Process first and drop all duplicates and deviants?  
Process deviants as they may be the actual uncorrupted (by Malice) 
packets?  Note that R1 does NOT have any integrity proof.  MR could get 
mean.

Without this retransmission, there would have to be an extended exchange 
to prove completeness.

After the first datagram is received by R, each party has proved 
ownership of their private key, there is no proof that R is whom I 
**THINKS** R is nor about who I is for R.  That all has to be 
established else how (eg ACLS of PKs).

This lack of proof of I owning PKi until receipt of data is one of the 
key claims that DEX looses.  It would take an I3 to 'fix' this without 
R's HIP 'snooping' into the start of ESP traffic.  The end of I2 packets 
is only an ASSuMption of proof.

Note that DEX does not have PFS.  It does take the theft of both private 
keys to gain x & y of a recorded exchange.

I2 should probably be:

I2 ::= <--- t, Pn, Sn, PKr, PKi, ECR(PKr,n|x), MAC(x,(t, Pn, Sn, PKr, 
PKi, ECR(PKr,n|x)))

The adding of PKr 'helps' R in acting on I2 as it weakens a substitution 
attack on R1 by MR.  I think.

As implied by the datagram, the established key is x||y where || is some 
KEYMAT function built on the
MAC function (thus imposing constraints on x and y).

I feel a bit like diving off into the deep end of the pool without my 
swimming trunks properly tied.  But
I think I have a safe exchange.  And it is the barebones minimum in 
crypto functions.