[Hipsec] HI Parameter (was: HIP parameters critical flag)
Tobias Heer <heer@cs.rwth-aachen.de> Tue, 12 January 2010 21:24 UTC
Return-Path: <heer@informatik.rwth-aachen.de>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A1C93A68A0 for <hipsec@core3.amsl.com>; Tue, 12 Jan 2010 13:24:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.801
X-Spam-Level:
X-Spam-Status: No, score=-4.801 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bbh5rEyXdFpK for <hipsec@core3.amsl.com>; Tue, 12 Jan 2010 13:24:51 -0800 (PST)
Received: from mta-2.ms.rz.rwth-aachen.de (mta-2.ms.rz.RWTH-Aachen.DE [134.130.7.73]) by core3.amsl.com (Postfix) with ESMTP id 0E20A3A6895 for <hipsec@ietf.org>; Tue, 12 Jan 2010 13:24:50 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from ironport-out-1.rz.rwth-aachen.de ([134.130.5.40]) by mta-2.ms.rz.RWTH-Aachen.de (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008)) with ESMTP id <0KW500KUVKTBOB40@mta-2.ms.rz.RWTH-Aachen.de> for hipsec@ietf.org; Tue, 12 Jan 2010 22:24:47 +0100 (CET)
X-IronPort-AV: E=Sophos;i="4.49,264,1262559600"; d="scan'208";a="40645874"
Received: from relay-auth-1.ms.rz.rwth-aachen.de (HELO relay-auth-1) ([134.130.7.78]) by ironport-in-1.rz.rwth-aachen.de with ESMTP; Tue, 12 Jan 2010 22:24:47 +0100
Received: from [192.168.3.237] ([unknown] [87.65.8.186]) by relay-auth-1.ms.rz.rwth-aachen.de (Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 9 2008)) with ESMTPA id <0KW5009MVKTAA500@relay-auth-1.ms.rz.rwth-aachen.de> for hipsec@ietf.org; Tue, 12 Jan 2010 22:24:47 +0100 (CET)
From: Tobias Heer <heer@cs.rwth-aachen.de>
In-reply-to: <FD98F9C3CBABA74E89B5D4B5DE0263B937813030CE@XCH-NW-12V.nw.nos.boeing.com>
Date: Tue, 12 Jan 2010 22:24:47 +0100
Message-id: <C0913308-450E-4ED6-9E62-D3736ADCA0F0@cs.rwth-aachen.de>
References: <4B4C9C1F.7050309@htt-consult.com> <"AC120305-F2D2-428D-BFCB-CB12A 4114598"@cs.rwth-aachen.de> <4B4CB807.5090707@htt-consult.com> <"FD98F9C3CBABA74E 89B5D4B5DE0263B937813030CA"@XCH-NW-12V.nw.nos.boeing.com> <4B4CC351.9010804@htt-consult.com> <FD98F9C3CBABA74E89B5D4B5DE0263B937813030CD@XCH-NW-12V.nw.nos.boeing.com> <FD98F9C3CBABA74E89B5D4B5DE0263B937813030CE@XCH-NW-12V.nw.nos.boeing.com>
To: "Ahrenholz, Jeffrey M" <jeffrey.m.ahrenholz@boeing.com>
X-Mailer: Apple Mail (2.1077)
Cc: "hipsec@ietf.org" <hipsec@ietf.org>
Subject: [Hipsec] HI Parameter (was: HIP parameters critical flag)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jan 2010 21:24:52 -0000
Hi Jeff, Am 12.01.2010 um 20:56 schrieb Ahrenholz, Jeffrey M: >> Again, I'd say make the value 715 if you plan to include it >> in ENCRYPTED, otherwise you may want to leave that value open >> for future parameters to be included in ENCRYPTED. > > looking more carefully at that previous message, I guess there is no ENCRYPTED in the I1 packet that will include this info: > > "I1 packet has to be modified to include the hash, public keys and > diffie-hellman algorithms supported by the Initiator in a new "algo" > parameter. The parameter should indicate which hash and public key > algorithm the Initiator used to generate its HIT." > > -Jeff > _______________________________________________ > Hipsec mailing list > Hipsec@ietf.org > https://www.ietf.org/mailman/listinfo/hipsec The purpose of the HIH parameter is to convey which hash function was used to generate the HIT used by a host. It is needed to verify the relation between HI and HIT because multiple algorithms. As far as I can see, there are four options to transfer the information: a) as part of the HIT - this option takes bits from the HIT that could otherwise be used for cryptographic purposes. It raised serious concerns about security and extendability. b) as part of the HIP header (close to the HIT itself) - this would make sense from a conceptual point but the information is only needed when verifying the HI/HIT relationship. Putting it into every packet would be overkill. c) as part of the HI parameter - this would make sense from a usage point of view but conceptually, the HIH is not part of the HI. Mixing these two might confuse people. Depending on the HIT in the HIP header, different HIs would be used. d) as extra parameter - this provides a distinction between HOST_ID and HIH. However, the space requirements for an own TLV are slightly higher than for options a, b, and c. I agree that c) and d) are valid and (in my opinion) good options. In which packets do we need the HIH parameter? In my opinion, we need the parameter in all packets that may trigger a verification of the HI-HIT relationship. This means R1 and I2 during the BEX. In general every packet that contains a HI should probably have a HIH parameter. However, I am not sure if there are any extension for which this rule of thumb fails. The list that Bob mentions is not necessarily a collections of HIH parameters. The HIH contains an index to the hash function used, the list contains several indexes. The list could be a separate parameter to avoid confusion and context-sensitive interpretation of the HIH. I will include some thoughts about crypto agility for the HIH below. The following text contains some thoughts for a BEX in which the Initiator does not know the HIHs supported by the Responder before the BEX: The Initiator initiates the BEX with an I1 packet. The Initiator picks source HIT and HIH based on local policies. The Responder responds to the I1 with an ordinary R1 with the exception that the R1 contains a list of supported HIH hash functions in the signed part of the R1. When receiving the R1, the Initiator verifies the signature in the R1 packet. If the signature is valid, it looks at the list of HIHs. If the previously selected initiator source HIT is amongst the supported HIHs, the Initiator continues with an I2 packet. If not it may restart the BEX with an I1 and a different source HIT. An attacker could try to launch a downgrade attack here but this will not be successful. I will explain the attack anyway. The attacker could store a old R1 message containing a HIH list with weak algorithms and replay it to the initiator even if the Responder upgrades its algorithms to stronger ones. The initiator would restart its BEX after receiving this replayed R1 - using the weaker algorithms. It sends a new I1 with a weaker HIT. So far the attack seems to be working. The next step is where it fails. The Responder will send an R1 message as response to the weaker source HI in the I1. This fresh R1 contains the HIH list (with the stronger algorithms) in the signed part of the packet, thereby revealing the attack. Moreover, the R1 counters will not match (huge gaps). This can even be noticed by security middleboxes. If the Attacker would decide to continue replaying the old R1 to the new (downgraded I1), the initiator would send a I2 with an invalid R1 counter and a wrong HMAC because the DH public key in the replayed R1 are not valid any more. -> No successful downgrade due to the list in the R1. I hope this gives enough context to understand my perception of the HIH parameter and the need for the HIH list. Best regards, Tobias -- Dipl.-Inform. Tobias Heer, Ph.D. Student Distributed Systems Group RWTH Aachen University, Germany tel: +49 241 80 207 76 web: http://ds.cs.rwth-aachen.de/members/heer
- [Hipsec] HIP parameters critical flag Robert Moskowitz
- Re: [Hipsec] HIP parameters critical flag Tobias Heer
- Re: [Hipsec] HIP parameters critical flag Tobias Heer
- Re: [Hipsec] HIP parameters critical flag Ahrenholz, Jeffrey M
- Re: [Hipsec] HIP parameters critical flag Robert Moskowitz
- Re: [Hipsec] HIP parameters critical flag Ahrenholz, Jeffrey M
- Re: [Hipsec] HIP parameters critical flag Robert Moskowitz
- Re: [Hipsec] HIP parameters critical flag Ahrenholz, Jeffrey M
- Re: [Hipsec] HIP parameters critical flag Ahrenholz, Jeffrey M
- Re: [Hipsec] HIP parameters critical flag Robert Moskowitz
- [Hipsec] HI Parameter (was: HIP parameters critic… Tobias Heer