RE: [HOKEY] consensus call: key distribution security requirement
"Narayanan, Vidya" <vidyan@qualcomm.com> Tue, 10 April 2007 01:00 UTC
Return-path: <hokey-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hb4iV-00007H-HA; Mon, 09 Apr 2007 21:00:15 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hb4iT-000070-P9 for hokey@ietf.org; Mon, 09 Apr 2007 21:00:13 -0400
Received: from ithilien.qualcomm.com ([129.46.51.59]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Hb4iR-0001ck-Ql for hokey@ietf.org; Mon, 09 Apr 2007 21:00:13 -0400
Received: from totoro.qualcomm.com (totoro.qualcomm.com [129.46.61.158]) by ithilien.qualcomm.com (8.13.6/8.12.5/1.0) with ESMTP id l3A10677024013 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 9 Apr 2007 18:00:06 -0700
Received: from SANEXCAS03.na.qualcomm.com (sanexcas03.qualcomm.com [172.30.32.65]) by totoro.qualcomm.com (8.13.6/8.13.6/1.0) with ESMTP id l3A105oj015657; Mon, 9 Apr 2007 18:00:05 -0700 (PDT)
Received: from NAEX13.na.qualcomm.com ([129.46.51.248]) by SANEXCAS03.na.qualcomm.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 9 Apr 2007 18:00:05 -0700
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [HOKEY] consensus call: key distribution security requirement
Date: Mon, 09 Apr 2007 18:00:00 -0700
Message-ID: <C24CB51D5AA800449982D9BCB9032513575997@NAEX13.na.qualcomm.com>
In-Reply-To: <46386.69.12.173.8.1175877985.squirrel@www.trepanning.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [HOKEY] consensus call: key distribution security requirement
Thread-Index: Acd4ayYX3feI+pDhSqSKgnvJE4yaygCndpEw
References: <460EB36E.5010604@cs.umd.edu> <C24CB51D5AA800449982D9BCB9032513575610@NAEX13.na.qualcomm.com> <20070404024453.GA18289@steelhead> <C24CB51D5AA800449982D9BCB9032513575663@NAEX13.na.qualcomm.com> <7030.12.108.168.179.1175729051.squirrel@www.trepanning.net> <C24CB51D5AA800449982D9BCB90325135756E5@NAEX13.na.qualcomm.com> <44325.69.12.173.8.1175792579.squirrel@www.trepanning.net> <C24CB51D5AA800449982D9BCB9032513575738@NAEX13.na.qualcomm.com> <33754.69.12.173.8.1175797183.squirrel@www.trepanning.net> <C24CB51D5AA800449982D9BCB90325135757C3@NAEX13.na.qualcomm.com> <46386.69.12.173.8.1175877985.squirrel@www.trepanning.net>
From: "Narayanan, Vidya" <vidyan@qualcomm.com>
To: Dan Harkins <dharkins@lounge.org>
X-OriginalArrivalTime: 10 Apr 2007 01:00:05.0635 (UTC) FILETIME=[93B57D30:01C77B0B]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4ec3642ae9025e273a4a263d640f3300
Cc: hokey@ietf.org
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
Errors-To: hokey-bounces@ietf.org
Hi Dan, Some notes inline. > -----Original Message----- > From: Dan Harkins [mailto:dharkins@lounge.org] > Sent: Friday, April 06, 2007 9:46 AM > To: Narayanan, Vidya > Cc: Dan Harkins; Yoshihiro Ohba; hokey@ietf.org > Subject: RE: [HOKEY] consensus call: key distribution > security requirement > > > Hi Vidya, > > When EAP is used in "pass-thru" mode there is a problem. As > you note that problem, and a solution to it, is described in > RFC3748 under the heading of "Channel Binding". We have that > same sort of problem in spades here in HOKEY because we're > distributing keys that must be for a specific authenticator, > for a specific usage, and I guess for a specific domain. > There is context that constrains who can use a key and how > that key can be used. So we need to solve that same sort of > problem that EAP has when used in "pass-thru" mode. > > Perhaps "Channel Binding" isn't a good term to use since it > implies something specific (RFC3748). How about "protected > exchange"? That is how RFC3748 describes "Channel Binding" > anyway. So would something along the lines of this be agreeable? > > HOKEY MUST include a protected exchange of context, usage, and What is the difference between context and usage? > identities On identities, I believe the exchange may be needed in some cases and not in other cases. So, having an optional exchange of identities would be sufficient in my view. Vidya > that are bound to, and constrain, a key including but > not limited to [enumerate the things needed]. This will make it > possible to match the same properties provided by the authenticator > via an out-of-band mechanism (like AAA) against those in > the protected > exchange in the HOKEY protocol. > > To plagiarize^H^H^H^H^H^H paraphrase RFC3748. > > Dan. > > On Thu, April 5, 2007 4:23 pm, Narayanan, Vidya wrote: > > Dan, > > I think we simply have been using different definitions of channel > > binding. I've been using the definitions present in RFC3748 and the > > EAP keying document, which don't quite include binding of > context and such. > > I do, however, agree, that the definition of channel > binding is rather > > loose and we don't have one unified view on that. > > > > Having said that, let me try another way of making progress here: > > > > * Keys should be bound to the correct context/usage > > * Keys should be scoped to the entities that need to use it > > * Keys should be fresh > > * Domino effect must be prevented > > > > I'm on board with all of the above. Are we on the same page? > > > > Vidya > > > >> -----Original Message----- > >> From: Dan Harkins [mailto:dharkins@lounge.org] > >> Sent: Thursday, April 05, 2007 11:20 AM > >> To: Narayanan, Vidya > >> Cc: Dan Harkins; Yoshihiro Ohba; hokey@ietf.org > >> Subject: RE: [HOKEY] consensus call: key distribution security > >> requirement > >> > >> > >> Vidya, > >> > >> No, it is far from being "no help". Channel binding is > the way to > >> bind all necessary context to the key. > >> > >> Dan. > >> > >> On Thu, April 5, 2007 10:22 am, Narayanan, Vidya wrote: > >> > Dan, > >> > Context (usage) is additional information that needs to > be bound to > >> > the key - we have no disagreement there. But, channel > >> binding is of no > >> > help for that either. As to scope, the keys must be scoped > >> to a domain > >> > and that has also been agreed upon. > >> > > >> > Vidya > >> > > >> >> -----Original Message----- > >> >> From: Dan Harkins [mailto:dharkins@lounge.org] > >> >> Sent: Thursday, April 05, 2007 10:03 AM > >> >> To: Narayanan, Vidya > >> >> Cc: Dan Harkins; Yoshihiro Ohba; hokey@ietf.org > >> >> Subject: RE: [HOKEY] consensus call: key distribution security > >> >> requirement > >> >> > >> >> > >> >> Vidya, > >> >> > >> >> All you're addressing is "preventing the domino effect". > >> >> That is not scoping the key or binding context to a key. > >> >> > >> >> There is context for the key. For instance, "this is for a > >> >> particular authenticator." To quote from > >> >> draft-housley-aaa-key-mgmt-09.txt: > >> >> > >> >> The context will include the peer and NAS > >> identities in more > >> >> than one form. One (or more) name form is needed > >> to identify > >> >> these parties in the authentication exchange > and the AAA > >> >> protocol. > >> >> > >> >> In addition if HOKEY is going to have some key > hierarchy in which > >> >> keys are specific for a particular usage or a particular > >> domain then > >> >> that is additional context that has to be bound to the > key. You're > >> >> just throwing a counter or a nonce into the mix and > thinking that > >> >> solves all problems. It doesn't. > >> >> > >> >> Dan. > >> >> > >> >> On Wed, April 4, 2007 6:20 pm, Narayanan, Vidya wrote: > >> >> > Hi Dan, > >> >> > As we talked about this before, there is no attack, when > >> every key > >> >> > handed out is fresh and unique across any two key > >> fetches from the > >> >> > server. So, the scoping of keys necessary is about ensuring > >> >> that the > >> >> > same key is never ever given out again, even to the > >> >> (seemingly) same > >> >> > entity. > >> >> > > >> >> > Vidya > >> >> > > >> >> >> -----Original Message----- > >> >> >> From: Dan Harkins [mailto:dharkins@lounge.org] > >> >> >> Sent: Wednesday, April 04, 2007 4:24 PM > >> >> >> To: Narayanan, Vidya > >> >> >> Cc: Yoshihiro Ohba; hokey@ietf.org > >> >> >> Subject: RE: [HOKEY] consensus call: key > distribution security > >> >> >> requirement > >> >> >> > >> >> >> > >> >> >> Hi Vidya, > >> >> >> > >> >> >> As I explained to you previously the issue of > "peer detects > >> >> >> mismatch during secure association protocol" (slide 5 of your > >> >> >> deck) doesn't work because these are symmetric keys and > >> >> the "middle > >> >> >> entity" can impersonate the client now. Every single > >> property that > >> >> >> you want to give to the key being distributed is lost. > >> >> >> > >> >> >> Of course you may not view that as a problem but I think > >> >> that has > >> >> >> more to do with what you want to do then with whether it's > >> >> secure or > >> >> >> not. > >> >> >> > >> >> >> Can you please explain how to ensure that keys are > >> >> properly scoped > >> >> >> if you do not bind the scoping information to the > exchange that > >> >> >> distributes the key? How can the peer have any assurance > >> >> that the key > >> >> >> is "not shared" > >> >> >> (one of the qualifiers you mention) if it did not take > >> part in the > >> >> >> distribution of its key? > >> >> >> > >> >> >> Why not just send the EMSK to every entity that the > >> AS thinks it > >> >> >> has a security association with? I mean, in many cases as > >> >> long as the > >> >> >> peer receives a certain level of service and is charged > >> >> for same then > >> >> >> the identity of the entity receiving the EMSK is > irrelevant and > >> >> >> channel binding isn't important and as long as we > scope the key > >> >> >> properly (everyone with whom the AS shares a security > >> >> association-- > >> >> >> aka "the > >> >> >> network") then it's OK. After all, nothing matters as > >> long as the > >> >> >> peer is satisfied and "if the peer is not satisfied or > >> there is a > >> >> >> billing issue, it contacts its home network and tries to > >> >> get service > >> >> >> from some other node instead" (to quote from slide #6). > >> >> >> > >> >> >> Dan. > >> >> >> > >> >> >> On Wed, April 4, 2007 11:16 am, Narayanan, Vidya wrote: > >> >> >> > Hi Yoshi, > >> >> >> > > >> >> >> >> -----Original Message----- > >> >> >> >> From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com] > >> >> >> >> Sent: Tuesday, April 03, 2007 7:45 PM > >> >> >> >> To: Narayanan, Vidya > >> >> >> >> Cc: Charles Clancy; hokey@ietf.org > >> >> >> >> Subject: Re: [HOKEY] consensus call: key > >> distribution security > >> >> >> >> requirement > >> >> >> >> > >> >> >> >> Hi Vidya, > >> >> >> >> > >> >> >> >> Can you please explain why channel binding > >> information must be > >> >> >> >> optional? > >> >> >> >> > >> >> >> > > >> >> >> > Briefly, in many cases, as long as the peer receives a > >> >> >> certain level > >> >> >> > of service and is charged for the same, the identity of > >> >> the network > >> >> >> > entity providing the service is irrelevant. In some cases, > >> >> >> it may be > >> >> >> > relevant and hence, it would be good to have the > >> >> capability to do > >> >> >> > channel binding. But, for the other cases, there is no need > >> >> >> to mandate > >> >> >> > the lower layer to advertise identities. > >> >> >> > > >> >> >> >> Can you also explain in which system there are no adverse > >> >> >> effects in > >> >> >> >> key distribution without explicit peer consent? > >> >> >> >> > >> >> >> > > >> >> >> > I have not seen any real loss of security properties in > >> >> >> distribution > >> >> >> > of keys without peer consent, as long as the keys > are scoped > >> >> >> > correctly, not shared and freshness is always ensured. > >> >> >> > > >> >> >> > Please see > >> >> >> > > >> >> >> > >> >> > >> > http://www.geocities.com/hellovidya/Authenticators_and_Identities.pdf > >> >> >> > if you are interested in more details. I had put some > >> >> >> slides together > >> >> >> > a while ago on this identities issue. > >> >> >> > > >> >> >> > Vidya > >> >> >> > > >> >> >> >> Regards, > >> >> >> >> Yoshihiro Ohba > >> >> >> >> > >> >> >> >> > >> >> >> >> On Tue, Apr 03, 2007 at 06:25:52PM -0700, Narayanan, > >> >> Vidya wrote: > >> >> >> >> > I'm barely caught up on all the email after having been > >> >> >> on vacation > >> >> >> >> > until now, so, pardon me if I'm bringing up stuff that's > >> >> >> >> already been > >> >> >> >> > discussed here. > >> >> >> >> > > >> >> >> >> > I share some of Glen's concerns about "requiring" peer > >> >> >> >> consent and a > >> >> >> >> > 3-party protocol and about how practically > deployable that > >> >> >> >> is. In my > >> >> >> >> > conversations with Dan in Prague, it seemed > like we were > >> >> >> >> > on > >> >> >> >> the same > >> >> >> >> > page about including channel binding information in the > >> >> >> >> HOKEY protocol > >> >> >> >> > between the peer and server. I think such > channel binding > >> >> >> >> information > >> >> >> >> > must be optional and not required. In some systems, > >> >> there are no > >> >> >> >> > adverse effects of distribution of key material without > >> >> >> >> explicit peer > >> >> >> >> > consent and there is no reason to place upper > >> layer identity > >> >> >> >> > advertisement requirements on the lower layers for such > >> >> >> systems. In > >> >> >> >> > some other systems, it may be a good idea to do so and > >> >> >> having the > >> >> >> >> > capability to do that in the protocol would be > >> useful there. > >> >> >> >> > > >> >> >> >> > To specifically answer your question, I don't believe > >> >> we need to > >> >> >> >> > update the problem statement. It already captures the > >> >> >> >> channel binding > >> >> >> >> > stuff and the explicit data that the peer and > >> >> authenticator may > >> >> >> >> > include is one way of providing channel binding. > >> >> >> >> > > >> >> >> >> > Vidya > >> >> >> >> > > >> >> >> >> > > -----Original Message----- > >> >> >> >> > > From: Charles Clancy [mailto:clancy@cs.umd.edu] > >> >> >> >> > > Sent: Saturday, March 31, 2007 12:16 PM > >> >> >> >> > > To: hokey@ietf.org > >> >> >> >> > > Subject: [HOKEY] consensus call: key > >> distribution security > >> >> >> >> > > requirement > >> >> >> >> > > > >> >> >> >> > > HOKEY WG, > >> >> >> >> > > > >> >> >> >> > > The 3-party protocol proposal at IETF 68 listed a > >> >> variety of > >> >> >> >> > > protocol requirements, some of which went beyond those > >> >> >> currently > >> >> >> >> > > specified in the problem statements draft. The main > >> >> >> >> extension was a > >> >> >> >> > > requirement for stronger key distribution security. > >> >> >> >> > > > >> >> >> >> > > Discussion: The problem statements document > >> >> currently requires > >> >> >> >> > > channel bindings to allow clients to authenticate the > >> >> >> network to > >> >> >> >> > > which they are connecting, and prevent the lying > >> >> NAS problem. > >> >> >> >> > > However one possible implementation of > channel bindings > >> >> >> >> would allow > >> >> >> >> > > keys to be distributed prior to the network being > >> >> >> >> authenticated by > >> >> >> >> > > the peer. While the peer may decide to not use a > >> >> >> >> > > network > >> >> >> >> after it's > >> >> >> >> > > validated its identity, network entities could retain > >> >> >> the keying > >> >> >> >> > > material. > >> >> >> >> > > There has been much debate on the list as to > whether or > >> >> >> >> not network > >> >> >> >> > > entities could maliciously use this keying > material, and > >> >> >> >> the intent > >> >> >> >> > > here is to not rehash all that discussion. > >> >> >> >> > > > >> >> >> >> > > Question: Should additional text be added to > the problem > >> >> >> >> statement > >> >> >> >> > > draft > >> >> >> >> > > to require peer authorization for distributing > >> >> >> keying material? > >> >> >> >> > > > >> >> >> >> > > Protocol Implications: If "yes" then a 3-party > >> >> >> protocol would be > >> >> >> >> > > need, and would require L2 advertisement of the NAS-ID > >> >> >> >> and local AAA > >> >> >> >> > > domain name. If "no" then channel bindings where > >> >> >> identities are > >> >> >> >> > > hashed into the key derivation would be sufficient. > >> >> >> >> > > > >> >> >> >> > > -- > >> >> >> >> > > t. charles clancy, ph.d. <> tcc@umd.edu <> > >> >> >> >> > > www.cs.umd.edu/~clancy > >> >> >> >> > > > >> >> >> >> > > > >> >> >> >> > > _______________________________________________ > >> >> >> >> > > HOKEY mailing list > >> >> >> >> > > HOKEY@ietf.org > >> >> >> >> > > https://www1.ietf.org/mailman/listinfo/hokey > >> >> >> >> > > > >> >> >> >> > > >> >> >> >> > _______________________________________________ > >> >> >> >> > HOKEY mailing list > >> >> >> >> > HOKEY@ietf.org > >> >> >> >> > https://www1.ietf.org/mailman/listinfo/hokey > >> >> >> >> > > >> >> >> >> > > >> >> >> >> > >> >> >> > > >> >> >> > _______________________________________________ > >> >> >> > HOKEY mailing list > >> >> >> > HOKEY@ietf.org > >> >> >> > https://www1.ietf.org/mailman/listinfo/hokey > >> >> >> > > >> >> >> > >> >> >> > >> >> >> > >> >> > > >> >> > >> >> > >> >> > >> > > >> > >> > >> > > > > > _______________________________________________ HOKEY mailing list HOKEY@ietf.org https://www1.ietf.org/mailman/listinfo/hokey
- [HOKEY] consensus call: key distribution security… Charles Clancy
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- Re: [HOKEY] consensus call: key distribution secu… Lakshminath Dondeti
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key distribution secu… Joseph Salowey (jsalowey)
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key distribution secu… Narayanan, Vidya
- Re: [HOKEY] consensus call: key distribution secu… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Dan Harkins
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- RE: [HOKEY] key scope versus Context. consensus c… Madjid Nakhjiri
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- Re: [HOKEY] consensus call: key distribution secu… Charles Clancy
- RE: [HOKEY] consensus call: key distribution secu… Madjid Nakhjiri
- Re: [HOKEY] key scope versus Context. consensus c… Charles Clancy
- Re: [HOKEY] key scope versus Context. consensus c… Charles Clancy
- Re: [HOKEY] key scope versus Context. consensus c… Charles Clancy
- Re: [HOKEY] key scope versus Context. consensus c… Bernard Aboba
- Re: [HOKEY] key scope versus Context. consensus c… Bernard Aboba
- RE: [HOKEY] key scope versus Context. consensus c… Madjid Nakhjiri