[Hipsec] CLOSE and identical session keys
Tobias Heer <heer@cs.rwth-aachen.de> Tue, 19 October 2010 17:03 UTC
Return-Path: <heer@informatik.rwth-aachen.de>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7124B3A6905 for <hipsec@core3.amsl.com>; Tue, 19 Oct 2010 10:03:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.468
X-Spam-Level:
X-Spam-Status: No, score=-4.468 tagged_above=-999 required=5 tests=[AWL=0.333, BAYES_00=-2.599, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3KQmanaeAACR for <hipsec@core3.amsl.com>; Tue, 19 Oct 2010 10:03:24 -0700 (PDT)
Received: from mta-1.ms.rz.rwth-aachen.de (mta-1.ms.rz.RWTH-Aachen.DE [134.130.7.72]) by core3.amsl.com (Postfix) with ESMTP id DF2533A68E1 for <hipsec@ietf.org>; Tue, 19 Oct 2010 10:03:23 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from ironport-out-2.rz.rwth-aachen.de ([134.130.5.41]) by mta-1.ms.rz.RWTH-Aachen.de (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008)) with ESMTP id <0LAJ00DY5RG6ANG0@mta-1.ms.rz.RWTH-Aachen.de> for hipsec@ietf.org; Tue, 19 Oct 2010 19:04:54 +0200 (CEST)
X-IronPort-AV: E=Sophos;i="4.57,351,1283724000"; d="scan'208";a="41351417"
Received: from relay-auth-2.ms.rz.rwth-aachen.de (HELO relay-auth-2) ([134.130.7.79]) by ironport-in-2.rz.rwth-aachen.de with ESMTP; Tue, 19 Oct 2010 19:04:55 +0200
Received: from umic-i4-137-226-45-90.nn.rwth-aachen.de ([unknown] [137.226.45.90]) by relay-auth-2.ms.rz.rwth-aachen.de (Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 9 2008)) with ESMTPA id <0LAJ00IA2RG6QR10@relay-auth-2.ms.rz.rwth-aachen.de> for hipsec@ietf.org; Tue, 19 Oct 2010 19:04:54 +0200 (CEST)
From: Tobias Heer <heer@cs.rwth-aachen.de>
In-reply-to: <7CC566635CFE364D87DC5803D4712A6C4CEC451A0E@XCH-NW-10V.nw.nos.boeing.com>
Date: Tue, 19 Oct 2010 19:04:53 +0200
Message-id: <C6708DB0-5BEE-430E-B5E5-03B711F19904@cs.rwth-aachen.de>
References: <7CC566635CFE364D87DC5803D4712A6C4CEC451A0E@XCH-NW-10V.nw.nos.boeing.com>
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
X-Mailer: Apple Mail (2.1081)
Cc: HIP WG <hipsec@ietf.org>
Subject: [Hipsec] CLOSE and identical session keys
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Oct 2010 17:03:25 -0000
Hello Tom, Am 19.10.2010 um 16:55 schrieb Henderson, Thomas R: > > >> -----Original Message----- >> From: Tobias Heer [mailto:heer@cs.rwth-aachen.de] >> Sent: Tuesday, October 19, 2010 7:25 AM >> To: Henderson, Thomas R >> Cc: HIP WG >> Subject: Re: [Hipsec] Completing 5201 state machine >> >> Hi Tom, >> >> thanks for the clarification. >> >> Am 19.10.2010 um 16:04 schrieb Henderson, Thomas R: >> >> [...] >>>>> >>>>> OpenHIP allows CLOSE in states ESTABLISHED, CLOSING, >>>> CLOSED, and R2_SENT, but does not process it in this state. >>>>> >>> >>> <snip> >>> >>>> >>>> Above you said that OpenHIP wouldn't process CLOSE messages >>>> in state R2_SENT. What do you mean by that? Isn't sending a >>>> CLOSE_ACK (as you mention for 2.) such processing? Am I >>>> confusing something here? >>>> >>> >>> Sorry for not being clear; the "this state" in the above >> explanation refers to state I2-sent, not R2-sent. >>> >> What is your opinion on processing CLOSE messages in state >> I2-sent? Do you have reasons why you don't process it in that state? >> > > I can't recall exactly the reason for this decision, but another possible scenario: > > 1.) remote host sends CLOSE > 2.) local host sends CLOSE_ACK, moves to CLOSED. CLOSE_ACK lost > 3.) local host tries to immediately set up the session again, sends I1, receives (stateless) R1 > 4.) local host sends I2. Meanwhile, remote host is still in CLOSING state until it gets I2, which it accepts and moves back to R2-sent. Here it it more helpful for the local host to just ignore the (stale) CLOSE from the past asso In my opinion it is unlikely that the Initiator confuses the old CLOSE with a new close for the newly established association because it is protected with an HMAC that depends on the DH and puzzle used in the handshake. Hence, processing of the CLOSE packet will only be successful if the R1 counter has not advanced and the puzzle solution was identical. However, the suggestion for generating new puzzles is "once every few minutes" so identical session keys could actually be the case and it is not so unlikely at all. It might make sense to be able to detect replayed and old CLOSE packets reliably to avoid vulnerabilities for hosts that set up and close connections rapidly. Such detection should probably happen via the HMAC/shared key. Hence, the key generation should be different. The best option for varying keys would be the puzzle. My suggestion would be: a) add a recommendation that a host SHOULD to not send the same puzzle to a host twice. A host can use the opaque field in the puzzle to generate unique puzzle parameters (e.g., by using a counter as input for the generation of I and by using the opaque field in the puzzle to remember it). or b) add MUST to use different puzzles. This may be a bit more costly because a host could deprive the puzzles that can be indexed with the opaque field with 2^16 I1 packets. In that case the responder would have to increase the R1 generation counter (and would possibly generate new DH keys and signatures for these). Any opinions? Tobias > ciation > > Again, this is somewhat of a contrived scenario. I am fairly neutral as to how to handle this since these seem to be unlikely scenarios, and would be willing to adopt your suggestion. > > - Tom -- Dipl.-Inform. Tobias Heer, Ph.D. Student Chair of Communication and Distributed Systems - comsys RWTH Aachen University, Germany tel: +49 241 80 207 76 web: http://ds.cs.rwth-aachen.de/members/heer blog: http://dtobi.wordpress.com/ card: http://card.ly/dtobi
- [Hipsec] (no subject) Tobias Heer
- [Hipsec] (no subject) Henderson, Thomas R
- [Hipsec] CLOSE and identical session keys Tobias Heer
- Re: [Hipsec] CLOSE and identical session keys Miika Komu
- Re: [Hipsec] CLOSE and identical session keys René Hummen
- Re: [Hipsec] CLOSE and identical session keys Henderson, Thomas R
- Re: [Hipsec] CLOSE and identical session keys Tobias Heer
- Re: [Hipsec] CLOSE and identical session keys Ari Keranen