Re: [Hipsec] CLOSE and identical session keys
"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Wed, 20 October 2010 15:15 UTC
Return-Path: <thomas.r.henderson@boeing.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D2A2E3A67D3 for <hipsec@core3.amsl.com>; Wed, 20 Oct 2010 08:15:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.216
X-Spam-Level:
X-Spam-Status: No, score=-106.216 tagged_above=-999 required=5 tests=[AWL=0.383, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0m6842aykRgu for <hipsec@core3.amsl.com>; Wed, 20 Oct 2010 08:15:46 -0700 (PDT)
Received: from blv-smtpout-01.boeing.com (blv-smtpout-01.boeing.com [130.76.32.69]) by core3.amsl.com (Postfix) with ESMTP id DF2C03A683F for <hipsec@ietf.org>; Wed, 20 Oct 2010 08:15:40 -0700 (PDT)
Received: from slb-av-01.boeing.com (slb-av-01.boeing.com [129.172.13.4]) by blv-smtpout-01.ns.cs.boeing.com (8.14.4/8.14.4/8.14.4/SMTPOUT) with ESMTP id o9KFGtfO019948 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 20 Oct 2010 08:16:56 -0700 (PDT)
Received: from slb-av-01.boeing.com (localhost [127.0.0.1]) by slb-av-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_RELAY) with ESMTP id o9KFGtrv025639; Wed, 20 Oct 2010 08:16:55 -0700 (PDT)
Received: from XCH-NWHT-04.nw.nos.boeing.com (xch-nwht-04.nw.nos.boeing.com [130.247.64.250]) by slb-av-01.boeing.com (8.14.4/8.14.4/UPSTREAM_RELAY) with ESMTP id o9KFGsXo025632 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Wed, 20 Oct 2010 08:16:55 -0700 (PDT)
Received: from XCH-NW-10V.nw.nos.boeing.com ([130.247.25.83]) by XCH-NWHT-04.nw.nos.boeing.com ([130.247.64.250]) with mapi; Wed, 20 Oct 2010 08:16:54 -0700
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: 'Tobias Heer' <heer@cs.rwth-aachen.de>
Date: Wed, 20 Oct 2010 08:16:54 -0700
Thread-Topic: CLOSE and identical session keys
Thread-Index: ActvsFNuzyy/3uA6TymQIHcrzkoWRgAuVIRA
Message-ID: <7CC566635CFE364D87DC5803D4712A6C4CEC451A22@XCH-NW-10V.nw.nos.boeing.com>
References: <7CC566635CFE364D87DC5803D4712A6C4CEC451A0E@XCH-NW-10V.nw.nos.boeing.com> <C6708DB0-5BEE-430E-B5E5-03B711F19904@cs.rwth-aachen.de>
In-Reply-To: <C6708DB0-5BEE-430E-B5E5-03B711F19904@cs.rwth-aachen.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: HIP WG <hipsec@ietf.org>
Subject: Re: [Hipsec] CLOSE and identical session keys
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Oct 2010 15:15:50 -0000
> -----Original Message----- > From: Tobias Heer [mailto:heer@cs.rwth-aachen.de] > Sent: Tuesday, October 19, 2010 10:05 AM > To: Henderson, Thomas R > Cc: HIP WG > Subject: CLOSE and identical session keys > > Hello Tom, > > Am 19.10.2010 um 16:55 schrieb Henderson, Thomas R: > > > > > > >> -----Original Message----- > >> From: Tobias Heer [mailto:heer@cs.rwth-aachen.de] > >> Sent: Tuesday, October 19, 2010 7:25 AM > >> To: Henderson, Thomas R > >> Cc: HIP WG > >> Subject: Re: [Hipsec] Completing 5201 state machine > >> > >> Hi Tom, > >> > >> thanks for the clarification. > >> > >> Am 19.10.2010 um 16:04 schrieb Henderson, Thomas R: > >> > >> [...] > >>>>> > >>>>> OpenHIP allows CLOSE in states ESTABLISHED, CLOSING, > >>>> CLOSED, and R2_SENT, but does not process it in this state. > >>>>> > >>> > >>> <snip> > >>> > >>>> > >>>> Above you said that OpenHIP wouldn't process CLOSE messages > >>>> in state R2_SENT. What do you mean by that? Isn't sending a > >>>> CLOSE_ACK (as you mention for 2.) such processing? Am I > >>>> confusing something here? > >>>> > >>> > >>> Sorry for not being clear; the "this state" in the above > >> explanation refers to state I2-sent, not R2-sent. > >>> > >> What is your opinion on processing CLOSE messages in state > >> I2-sent? Do you have reasons why you don't process it in > that state? > >> > > > > I can't recall exactly the reason for this decision, but > another possible scenario: > > > > 1.) remote host sends CLOSE > > 2.) local host sends CLOSE_ACK, moves to CLOSED. CLOSE_ACK lost > > 3.) local host tries to immediately set up the session > again, sends I1, receives (stateless) R1 > > 4.) local host sends I2. Meanwhile, remote host is still > in CLOSING state until it gets I2, which it accepts and moves > back to R2-sent. Here it it more helpful for the local host > to just ignore the (stale) CLOSE from the past asso > > In my opinion it is unlikely that the Initiator confuses the > old CLOSE with a new close for the newly established > association because it is protected with an HMAC that depends > on the DH and puzzle used in the handshake. > Hence, processing of the CLOSE packet will only be successful > if the R1 counter has not advanced and the puzzle solution > was identical. However, the suggestion for generating new > puzzles is "once every few minutes" so identical session keys > could actually be the case and it is not so unlikely at all. > > It might make sense to be able to detect replayed and old > CLOSE packets reliably to avoid vulnerabilities for hosts > that set up and close connections rapidly. Such detection > should probably happen via the HMAC/shared key. Hence, the > key generation should be different. The best option for > varying keys would be the puzzle. > > My suggestion would be: > > a) add a recommendation that a host SHOULD to not send the > same puzzle to a host twice. A host can use the opaque field > in the puzzle to generate unique puzzle parameters (e.g., by > using a counter as input for the generation of I and by using > the opaque field in the puzzle to remember it). > > or > > b) add MUST to use different puzzles. This may be a bit more > costly because a host could deprive the puzzles that can be > indexed with the opaque field with 2^16 I1 packets. In that > case the responder would have to increase the R1 generation > counter (and would possibly generate new DH keys and > signatures for these). > > Any opinions? > I had some similar thoughts when originally replying (about the possible need to detect replayed CLOSE packets) and of the two choices above, I would probably favor a). - Tom
- [Hipsec] (no subject) Tobias Heer
- [Hipsec] (no subject) Henderson, Thomas R
- [Hipsec] CLOSE and identical session keys Tobias Heer
- Re: [Hipsec] CLOSE and identical session keys Miika Komu
- Re: [Hipsec] CLOSE and identical session keys René Hummen
- Re: [Hipsec] CLOSE and identical session keys Henderson, Thomas R
- Re: [Hipsec] CLOSE and identical session keys Tobias Heer
- Re: [Hipsec] CLOSE and identical session keys Ari Keranen