RE: [HOKEY] consensus call: key distribution security requirement
"Dan Harkins" <dharkins@lounge.org> Thu, 05 April 2007 18:19 UTC
Return-path: <hokey-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HZWYm-0000Aw-Tf; Thu, 05 Apr 2007 14:19:48 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HZWYm-0000Ak-1d for hokey@ietf.org; Thu, 05 Apr 2007 14:19:48 -0400
Received: from colo.trepanning.net ([69.55.226.174] helo=mail1.trepanning.net) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HZWYk-00062Z-Ac for hokey@ietf.org; Thu, 05 Apr 2007 14:19:48 -0400
Received: from www.trepanning.net (localhost [127.0.0.1]) by mail1.trepanning.net (Postfix) with ESMTP id D48EF1FA6750; Thu, 5 Apr 2007 11:19:43 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Thu, 5 Apr 2007 11:19:43 -0700 (PDT)
Message-ID: <33754.69.12.173.8.1175797183.squirrel@www.trepanning.net>
In-Reply-To: <C24CB51D5AA800449982D9BCB9032513575738@NAEX13.na.qualcomm.com>
References: <460EB36E.5010604@cs.umd.edu> <C24CB51D5AA800449982D9BCB9032513575610@NAEX13.na.qualcomm.com> <20070404024453.GA18289@steelhead> <C24CB51D5AA800449982D9BCB9032513575663@NAEX13.na.qualcomm.com> <7030.12.108.168.179.1175729051.squirrel@www.trepanning.net> <C24CB51D5AA800449982D9BCB90325135756E5@NAEX13.na.qualcomm.com> <44325.69.12.173.8.1175792579.squirrel@www.trepanning.net> <C24CB51D5AA800449982D9BCB9032513575738@NAEX13.na.qualcomm.com>
Date: Thu, 05 Apr 2007 11:19:43 -0700
Subject: RE: [HOKEY] consensus call: key distribution security requirement
From: Dan Harkins <dharkins@lounge.org>
To: "Narayanan, Vidya" <vidyan@qualcomm.com>
User-Agent: SquirrelMail/1.4.8
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Priority: 3 (Normal)
Importance: Normal
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 83867a50fd8f547996ccdaf89af24437
Cc: hokey@ietf.org
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
Errors-To: hokey-bounces@ietf.org
Vidya, No, it is far from being "no help". Channel binding is the way to bind all necessary context to the key. Dan. On Thu, April 5, 2007 10:22 am, Narayanan, Vidya wrote: > Dan, > Context (usage) is additional information that needs to be bound to the > key - we have no disagreement there. But, channel binding is of no help > for that either. As to scope, the keys must be scoped to a domain and > that has also been agreed upon. > > Vidya > >> -----Original Message----- >> From: Dan Harkins [mailto:dharkins@lounge.org] >> Sent: Thursday, April 05, 2007 10:03 AM >> To: Narayanan, Vidya >> Cc: Dan Harkins; Yoshihiro Ohba; hokey@ietf.org >> Subject: RE: [HOKEY] consensus call: key distribution >> security requirement >> >> >> Vidya, >> >> All you're addressing is "preventing the domino effect". >> That is not scoping the key or binding context to a key. >> >> There is context for the key. For instance, "this is for a >> particular authenticator." To quote from >> draft-housley-aaa-key-mgmt-09.txt: >> >> The context will include the peer and NAS identities in more >> than one form. One (or more) name form is needed to identify >> these parties in the authentication exchange and the AAA >> protocol. >> >> In addition if HOKEY is going to have some key hierarchy in >> which keys are specific for a particular usage or a >> particular domain then that is additional context that has to >> be bound to the key. You're just throwing a counter or a >> nonce into the mix and thinking that solves all problems. It doesn't. >> >> Dan. >> >> On Wed, April 4, 2007 6:20 pm, Narayanan, Vidya wrote: >> > Hi Dan, >> > As we talked about this before, there is no attack, when every key >> > handed out is fresh and unique across any two key fetches from the >> > server. So, the scoping of keys necessary is about ensuring >> that the >> > same key is never ever given out again, even to the >> (seemingly) same >> > entity. >> > >> > Vidya >> > >> >> -----Original Message----- >> >> From: Dan Harkins [mailto:dharkins@lounge.org] >> >> Sent: Wednesday, April 04, 2007 4:24 PM >> >> To: Narayanan, Vidya >> >> Cc: Yoshihiro Ohba; hokey@ietf.org >> >> Subject: RE: [HOKEY] consensus call: key distribution security >> >> requirement >> >> >> >> >> >> Hi Vidya, >> >> >> >> As I explained to you previously the issue of "peer detects >> >> mismatch during secure association protocol" (slide 5 of your >> >> deck) doesn't work because these are symmetric keys and >> the "middle >> >> entity" can impersonate the client now. Every single property that >> >> you want to give to the key being distributed is lost. >> >> >> >> Of course you may not view that as a problem but I think >> that has >> >> more to do with what you want to do then with whether it's >> secure or >> >> not. >> >> >> >> Can you please explain how to ensure that keys are >> properly scoped >> >> if you do not bind the scoping information to the exchange that >> >> distributes the key? How can the peer have any assurance >> that the key >> >> is "not shared" >> >> (one of the qualifiers you mention) if it did not take part in the >> >> distribution of its key? >> >> >> >> Why not just send the EMSK to every entity that the AS thinks it >> >> has a security association with? I mean, in many cases as >> long as the >> >> peer receives a certain level of service and is charged >> for same then >> >> the identity of the entity receiving the EMSK is irrelevant and >> >> channel binding isn't important and as long as we scope the key >> >> properly (everyone with whom the AS shares a security >> association-- >> >> aka "the >> >> network") then it's OK. After all, nothing matters as long as the >> >> peer is satisfied and "if the peer is not satisfied or there is a >> >> billing issue, it contacts its home network and tries to >> get service >> >> from some other node instead" (to quote from slide #6). >> >> >> >> Dan. >> >> >> >> On Wed, April 4, 2007 11:16 am, Narayanan, Vidya wrote: >> >> > Hi Yoshi, >> >> > >> >> >> -----Original Message----- >> >> >> From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com] >> >> >> Sent: Tuesday, April 03, 2007 7:45 PM >> >> >> To: Narayanan, Vidya >> >> >> Cc: Charles Clancy; hokey@ietf.org >> >> >> Subject: Re: [HOKEY] consensus call: key distribution security >> >> >> requirement >> >> >> >> >> >> Hi Vidya, >> >> >> >> >> >> Can you please explain why channel binding information must be >> >> >> optional? >> >> >> >> >> > >> >> > Briefly, in many cases, as long as the peer receives a >> >> certain level >> >> > of service and is charged for the same, the identity of >> the network >> >> > entity providing the service is irrelevant. In some cases, >> >> it may be >> >> > relevant and hence, it would be good to have the >> capability to do >> >> > channel binding. But, for the other cases, there is no need >> >> to mandate >> >> > the lower layer to advertise identities. >> >> > >> >> >> Can you also explain in which system there are no adverse >> >> effects in >> >> >> key distribution without explicit peer consent? >> >> >> >> >> > >> >> > I have not seen any real loss of security properties in >> >> distribution >> >> > of keys without peer consent, as long as the keys are scoped >> >> > correctly, not shared and freshness is always ensured. >> >> > >> >> > Please see >> >> > >> >> >> http://www.geocities.com/hellovidya/Authenticators_and_Identities.pdf >> >> > if you are interested in more details. I had put some >> >> slides together >> >> > a while ago on this identities issue. >> >> > >> >> > Vidya >> >> > >> >> >> Regards, >> >> >> Yoshihiro Ohba >> >> >> >> >> >> >> >> >> On Tue, Apr 03, 2007 at 06:25:52PM -0700, Narayanan, >> Vidya wrote: >> >> >> > I'm barely caught up on all the email after having been >> >> on vacation >> >> >> > until now, so, pardon me if I'm bringing up stuff that's >> >> >> already been >> >> >> > discussed here. >> >> >> > >> >> >> > I share some of Glen's concerns about "requiring" peer >> >> >> consent and a >> >> >> > 3-party protocol and about how practically deployable that >> >> >> is. In my >> >> >> > conversations with Dan in Prague, it seemed like we were on >> >> >> the same >> >> >> > page about including channel binding information in the >> >> >> HOKEY protocol >> >> >> > between the peer and server. I think such channel binding >> >> >> information >> >> >> > must be optional and not required. In some systems, >> there are no >> >> >> > adverse effects of distribution of key material without >> >> >> explicit peer >> >> >> > consent and there is no reason to place upper layer identity >> >> >> > advertisement requirements on the lower layers for such >> >> systems. In >> >> >> > some other systems, it may be a good idea to do so and >> >> having the >> >> >> > capability to do that in the protocol would be useful there. >> >> >> > >> >> >> > To specifically answer your question, I don't believe >> we need to >> >> >> > update the problem statement. It already captures the >> >> >> channel binding >> >> >> > stuff and the explicit data that the peer and >> authenticator may >> >> >> > include is one way of providing channel binding. >> >> >> > >> >> >> > Vidya >> >> >> > >> >> >> > > -----Original Message----- >> >> >> > > From: Charles Clancy [mailto:clancy@cs.umd.edu] >> >> >> > > Sent: Saturday, March 31, 2007 12:16 PM >> >> >> > > To: hokey@ietf.org >> >> >> > > Subject: [HOKEY] consensus call: key distribution security >> >> >> > > requirement >> >> >> > > >> >> >> > > HOKEY WG, >> >> >> > > >> >> >> > > The 3-party protocol proposal at IETF 68 listed a >> variety of >> >> >> > > protocol requirements, some of which went beyond those >> >> currently >> >> >> > > specified in the problem statements draft. The main >> >> >> extension was a >> >> >> > > requirement for stronger key distribution security. >> >> >> > > >> >> >> > > Discussion: The problem statements document >> currently requires >> >> >> > > channel bindings to allow clients to authenticate the >> >> network to >> >> >> > > which they are connecting, and prevent the lying >> NAS problem. >> >> >> > > However one possible implementation of channel bindings >> >> >> would allow >> >> >> > > keys to be distributed prior to the network being >> >> >> authenticated by >> >> >> > > the peer. While the peer may decide to not use a network >> >> >> after it's >> >> >> > > validated its identity, network entities could retain >> >> the keying >> >> >> > > material. >> >> >> > > There has been much debate on the list as to whether or >> >> >> not network >> >> >> > > entities could maliciously use this keying material, and >> >> >> the intent >> >> >> > > here is to not rehash all that discussion. >> >> >> > > >> >> >> > > Question: Should additional text be added to the problem >> >> >> statement >> >> >> > > draft >> >> >> > > to require peer authorization for distributing >> >> keying material? >> >> >> > > >> >> >> > > Protocol Implications: If "yes" then a 3-party >> >> protocol would be >> >> >> > > need, and would require L2 advertisement of the NAS-ID >> >> >> and local AAA >> >> >> > > domain name. If "no" then channel bindings where >> >> identities are >> >> >> > > hashed into the key derivation would be sufficient. >> >> >> > > >> >> >> > > -- >> >> >> > > t. charles clancy, ph.d. <> tcc@umd.edu <> >> >> >> > > www.cs.umd.edu/~clancy >> >> >> > > >> >> >> > > >> >> >> > > _______________________________________________ >> >> >> > > HOKEY mailing list >> >> >> > > HOKEY@ietf.org >> >> >> > > https://www1.ietf.org/mailman/listinfo/hokey >> >> >> > > >> >> >> > >> >> >> > _______________________________________________ >> >> >> > HOKEY mailing list >> >> >> > HOKEY@ietf.org >> >> >> > https://www1.ietf.org/mailman/listinfo/hokey >> >> >> > >> >> >> > >> >> >> >> >> > >> >> > _______________________________________________ >> >> > HOKEY mailing list >> >> > HOKEY@ietf.org >> >> > https://www1.ietf.org/mailman/listinfo/hokey >> >> > >> >> >> >> >> >> >> > >> >> >> > _______________________________________________ HOKEY mailing list HOKEY@ietf.org https://www1.ietf.org/mailman/listinfo/hokey
- [HOKEY] consensus call: key distribution security… Charles Clancy
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- Re: [HOKEY] consensus call: key distribution secu… Lakshminath Dondeti
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key distribution secu… Joseph Salowey (jsalowey)
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] key scope versus Context. consensus c… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- Re: [HOKEY] key scope versus Context. consensus c… Charles Clancy
- Re: [HOKEY] key scope versus Context. consensus c… Charles Clancy
- Re: [HOKEY] key scope versus Context. consensus c… Charles Clancy
- Re: [HOKEY] key scope versus Context. consensus c… Bernard Aboba
- Re: [HOKEY] key scope versus Context. consensus c… Bernard Aboba
- RE: [HOKEY] key scope versus Context. consensus c… Madjid Nakhjiri