RE: [HOKEY] consensus call: key distribution security requirement
"Narayanan, Vidya" <vidyan@qualcomm.com> Thu, 05 April 2007 17:22 UTC
Return-path: <hokey-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HZVfN-00019k-NM; Thu, 05 Apr 2007 13:22:33 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HZVfM-00019d-HM for hokey@ietf.org; Thu, 05 Apr 2007 13:22:32 -0400
Received: from numenor.qualcomm.com ([129.46.51.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HZVf1-0005R0-Bs for hokey@ietf.org; Thu, 05 Apr 2007 13:22:32 -0400
Received: from totoro.qualcomm.com (totoro.qualcomm.com [129.46.61.158]) by numenor.qualcomm.com (8.13.6/8.12.5/1.0) with ESMTP id l35HMAWU030067 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 5 Apr 2007 10:22:10 -0700
Received: from sanexcas01.na.qualcomm.com (sanexcas01.qualcomm.com [172.30.36.175]) by totoro.qualcomm.com (8.13.6/8.13.6/1.0) with ESMTP id l35HM9C2006166; Thu, 5 Apr 2007 10:22:09 -0700 (PDT)
Received: from NAEX13.na.qualcomm.com ([129.46.51.248]) by sanexcas01.na.qualcomm.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 5 Apr 2007 10:22:09 -0700
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [HOKEY] consensus call: key distribution security requirement
Date: Thu, 05 Apr 2007 10:22:09 -0700
Message-ID: <C24CB51D5AA800449982D9BCB9032513575738@NAEX13.na.qualcomm.com>
In-Reply-To: <44325.69.12.173.8.1175792579.squirrel@www.trepanning.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [HOKEY] consensus call: key distribution security requirement
Thread-Index: Acd3pEvugR1dRqz8QB+WaU6/Ey04MQAAncww
References: <460EB36E.5010604@cs.umd.edu> <C24CB51D5AA800449982D9BCB9032513575610@NAEX13.na.qualcomm.com> <20070404024453.GA18289@steelhead> <C24CB51D5AA800449982D9BCB9032513575663@NAEX13.na.qualcomm.com> <7030.12.108.168.179.1175729051.squirrel@www.trepanning.net> <C24CB51D5AA800449982D9BCB90325135756E5@NAEX13.na.qualcomm.com> <44325.69.12.173.8.1175792579.squirrel@www.trepanning.net>
From: "Narayanan, Vidya" <vidyan@qualcomm.com>
To: Dan Harkins <dharkins@lounge.org>
X-OriginalArrivalTime: 05 Apr 2007 17:22:09.0060 (UTC) FILETIME=[F0BDDE40:01C777A6]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8d89ee9312a95de8ee48d1c94511f1bb
Cc: hokey@ietf.org
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
Errors-To: hokey-bounces@ietf.org
Dan, Context (usage) is additional information that needs to be bound to the key - we have no disagreement there. But, channel binding is of no help for that either. As to scope, the keys must be scoped to a domain and that has also been agreed upon. Vidya > -----Original Message----- > From: Dan Harkins [mailto:dharkins@lounge.org] > Sent: Thursday, April 05, 2007 10:03 AM > To: Narayanan, Vidya > Cc: Dan Harkins; Yoshihiro Ohba; hokey@ietf.org > Subject: RE: [HOKEY] consensus call: key distribution > security requirement > > > Vidya, > > All you're addressing is "preventing the domino effect". > That is not scoping the key or binding context to a key. > > There is context for the key. For instance, "this is for a > particular authenticator." To quote from > draft-housley-aaa-key-mgmt-09.txt: > > The context will include the peer and NAS identities in more > than one form. One (or more) name form is needed to identify > these parties in the authentication exchange and the AAA > protocol. > > In addition if HOKEY is going to have some key hierarchy in > which keys are specific for a particular usage or a > particular domain then that is additional context that has to > be bound to the key. You're just throwing a counter or a > nonce into the mix and thinking that solves all problems. It doesn't. > > Dan. > > On Wed, April 4, 2007 6:20 pm, Narayanan, Vidya wrote: > > Hi Dan, > > As we talked about this before, there is no attack, when every key > > handed out is fresh and unique across any two key fetches from the > > server. So, the scoping of keys necessary is about ensuring > that the > > same key is never ever given out again, even to the > (seemingly) same > > entity. > > > > Vidya > > > >> -----Original Message----- > >> From: Dan Harkins [mailto:dharkins@lounge.org] > >> Sent: Wednesday, April 04, 2007 4:24 PM > >> To: Narayanan, Vidya > >> Cc: Yoshihiro Ohba; hokey@ietf.org > >> Subject: RE: [HOKEY] consensus call: key distribution security > >> requirement > >> > >> > >> Hi Vidya, > >> > >> As I explained to you previously the issue of "peer detects > >> mismatch during secure association protocol" (slide 5 of your > >> deck) doesn't work because these are symmetric keys and > the "middle > >> entity" can impersonate the client now. Every single property that > >> you want to give to the key being distributed is lost. > >> > >> Of course you may not view that as a problem but I think > that has > >> more to do with what you want to do then with whether it's > secure or > >> not. > >> > >> Can you please explain how to ensure that keys are > properly scoped > >> if you do not bind the scoping information to the exchange that > >> distributes the key? How can the peer have any assurance > that the key > >> is "not shared" > >> (one of the qualifiers you mention) if it did not take part in the > >> distribution of its key? > >> > >> Why not just send the EMSK to every entity that the AS thinks it > >> has a security association with? I mean, in many cases as > long as the > >> peer receives a certain level of service and is charged > for same then > >> the identity of the entity receiving the EMSK is irrelevant and > >> channel binding isn't important and as long as we scope the key > >> properly (everyone with whom the AS shares a security > association-- > >> aka "the > >> network") then it's OK. After all, nothing matters as long as the > >> peer is satisfied and "if the peer is not satisfied or there is a > >> billing issue, it contacts its home network and tries to > get service > >> from some other node instead" (to quote from slide #6). > >> > >> Dan. > >> > >> On Wed, April 4, 2007 11:16 am, Narayanan, Vidya wrote: > >> > Hi Yoshi, > >> > > >> >> -----Original Message----- > >> >> From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com] > >> >> Sent: Tuesday, April 03, 2007 7:45 PM > >> >> To: Narayanan, Vidya > >> >> Cc: Charles Clancy; hokey@ietf.org > >> >> Subject: Re: [HOKEY] consensus call: key distribution security > >> >> requirement > >> >> > >> >> Hi Vidya, > >> >> > >> >> Can you please explain why channel binding information must be > >> >> optional? > >> >> > >> > > >> > Briefly, in many cases, as long as the peer receives a > >> certain level > >> > of service and is charged for the same, the identity of > the network > >> > entity providing the service is irrelevant. In some cases, > >> it may be > >> > relevant and hence, it would be good to have the > capability to do > >> > channel binding. But, for the other cases, there is no need > >> to mandate > >> > the lower layer to advertise identities. > >> > > >> >> Can you also explain in which system there are no adverse > >> effects in > >> >> key distribution without explicit peer consent? > >> >> > >> > > >> > I have not seen any real loss of security properties in > >> distribution > >> > of keys without peer consent, as long as the keys are scoped > >> > correctly, not shared and freshness is always ensured. > >> > > >> > Please see > >> > > >> > http://www.geocities.com/hellovidya/Authenticators_and_Identities.pdf > >> > if you are interested in more details. I had put some > >> slides together > >> > a while ago on this identities issue. > >> > > >> > Vidya > >> > > >> >> Regards, > >> >> Yoshihiro Ohba > >> >> > >> >> > >> >> On Tue, Apr 03, 2007 at 06:25:52PM -0700, Narayanan, > Vidya wrote: > >> >> > I'm barely caught up on all the email after having been > >> on vacation > >> >> > until now, so, pardon me if I'm bringing up stuff that's > >> >> already been > >> >> > discussed here. > >> >> > > >> >> > I share some of Glen's concerns about "requiring" peer > >> >> consent and a > >> >> > 3-party protocol and about how practically deployable that > >> >> is. In my > >> >> > conversations with Dan in Prague, it seemed like we were on > >> >> the same > >> >> > page about including channel binding information in the > >> >> HOKEY protocol > >> >> > between the peer and server. I think such channel binding > >> >> information > >> >> > must be optional and not required. In some systems, > there are no > >> >> > adverse effects of distribution of key material without > >> >> explicit peer > >> >> > consent and there is no reason to place upper layer identity > >> >> > advertisement requirements on the lower layers for such > >> systems. In > >> >> > some other systems, it may be a good idea to do so and > >> having the > >> >> > capability to do that in the protocol would be useful there. > >> >> > > >> >> > To specifically answer your question, I don't believe > we need to > >> >> > update the problem statement. It already captures the > >> >> channel binding > >> >> > stuff and the explicit data that the peer and > authenticator may > >> >> > include is one way of providing channel binding. > >> >> > > >> >> > Vidya > >> >> > > >> >> > > -----Original Message----- > >> >> > > From: Charles Clancy [mailto:clancy@cs.umd.edu] > >> >> > > Sent: Saturday, March 31, 2007 12:16 PM > >> >> > > To: hokey@ietf.org > >> >> > > Subject: [HOKEY] consensus call: key distribution security > >> >> > > requirement > >> >> > > > >> >> > > HOKEY WG, > >> >> > > > >> >> > > The 3-party protocol proposal at IETF 68 listed a > variety of > >> >> > > protocol requirements, some of which went beyond those > >> currently > >> >> > > specified in the problem statements draft. The main > >> >> extension was a > >> >> > > requirement for stronger key distribution security. > >> >> > > > >> >> > > Discussion: The problem statements document > currently requires > >> >> > > channel bindings to allow clients to authenticate the > >> network to > >> >> > > which they are connecting, and prevent the lying > NAS problem. > >> >> > > However one possible implementation of channel bindings > >> >> would allow > >> >> > > keys to be distributed prior to the network being > >> >> authenticated by > >> >> > > the peer. While the peer may decide to not use a network > >> >> after it's > >> >> > > validated its identity, network entities could retain > >> the keying > >> >> > > material. > >> >> > > There has been much debate on the list as to whether or > >> >> not network > >> >> > > entities could maliciously use this keying material, and > >> >> the intent > >> >> > > here is to not rehash all that discussion. > >> >> > > > >> >> > > Question: Should additional text be added to the problem > >> >> statement > >> >> > > draft > >> >> > > to require peer authorization for distributing > >> keying material? > >> >> > > > >> >> > > Protocol Implications: If "yes" then a 3-party > >> protocol would be > >> >> > > need, and would require L2 advertisement of the NAS-ID > >> >> and local AAA > >> >> > > domain name. If "no" then channel bindings where > >> identities are > >> >> > > hashed into the key derivation would be sufficient. > >> >> > > > >> >> > > -- > >> >> > > t. charles clancy, ph.d. <> tcc@umd.edu <> > >> >> > > www.cs.umd.edu/~clancy > >> >> > > > >> >> > > > >> >> > > _______________________________________________ > >> >> > > HOKEY mailing list > >> >> > > HOKEY@ietf.org > >> >> > > https://www1.ietf.org/mailman/listinfo/hokey > >> >> > > > >> >> > > >> >> > _______________________________________________ > >> >> > HOKEY mailing list > >> >> > HOKEY@ietf.org > >> >> > https://www1.ietf.org/mailman/listinfo/hokey > >> >> > > >> >> > > >> >> > >> > > >> > _______________________________________________ > >> > HOKEY mailing list > >> > HOKEY@ietf.org > >> > https://www1.ietf.org/mailman/listinfo/hokey > >> > > >> > >> > >> > > > > > _______________________________________________ HOKEY mailing list HOKEY@ietf.org https://www1.ietf.org/mailman/listinfo/hokey
- [HOKEY] consensus call: key distribution security… Charles Clancy
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- Re: [HOKEY] consensus call: key distribution secu… Lakshminath Dondeti
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key distribution secu… Joseph Salowey (jsalowey)
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] key scope versus Context. consensus c… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- Re: [HOKEY] key scope versus Context. consensus c… Charles Clancy
- Re: [HOKEY] key scope versus Context. consensus c… Charles Clancy
- Re: [HOKEY] key scope versus Context. consensus c… Charles Clancy
- Re: [HOKEY] key scope versus Context. consensus c… Bernard Aboba
- Re: [HOKEY] key scope versus Context. consensus c… Bernard Aboba
- RE: [HOKEY] key scope versus Context. consensus c… Madjid Nakhjiri