Re: [HOKEY] consensus call: key delivery security protocol
Yoshihiro Ohba <yohba@tari.toshiba.com> Thu, 09 August 2007 14:47 UTC
Return-path: <hokey-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IJ9IY-0003zt-To; Thu, 09 Aug 2007 10:47:38 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IJ9IW-0003zk-Ty for hokey@ietf.org; Thu, 09 Aug 2007 10:47:36 -0400
Received: from mgw.toshibaamericaresearch.com ([165.254.55.12] helo=toshi17.tari.toshiba.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IJ9IW-0005G1-Ac for hokey@ietf.org; Thu, 09 Aug 2007 10:47:36 -0400
Received: from steelhead.localdomain (toshi17.tari.toshiba.com [172.30.24.10]) by toshi17.tari.toshiba.com (8.13.1/8.13.1) with ESMTP id l79ElTfi089953; Thu, 9 Aug 2007 10:47:30 -0400 (EDT) (envelope-from yohba@tari.toshiba.com)
Received: from ohba by steelhead.localdomain with local (Exim 4.67) (envelope-from <yohba@tari.toshiba.com>) id 1IJ8sr-0006fi-7V; Thu, 09 Aug 2007 10:21:05 -0400
Date: Thu, 09 Aug 2007 10:21:05 -0400
To: "T. Charles Clancy" <clancy@cs.umd.edu>
Subject: Re: [HOKEY] consensus call: key delivery security protocol
Message-ID: <20070809142105.GD23421@steelhead.localdomain>
References: <46A4E634.8060708@cs.umd.edu> <20070807151737.GG16703@steelhead.localdomain> <Pine.GSO.4.61.0708081450490.12196@loompa>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-2022-jp"
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.61.0708081450490.12196@loompa>
User-Agent: Mutt/1.5.13 (2006-08-11)
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 2857c5c041d6c02d7181d602c22822c8
Cc: hokey@ietf.org
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
Errors-To: hokey-bounces@ietf.org
I think that this issue is fundamental. Please see my comment inline. On Wed, Aug 08, 2007 at 02:51:16PM -0400, T. Charles Clancy wrote: > If AAA-proxy compromise is not part of our threat model, then all parties > are securely authenticated and keying material remains undisclosed to > non-trusted parties. The draft-housley-aaa-key-mgmt doesn't say to whom > the keying material must remain confidential, or that only the two > endpoints can know a key. > > Sure, a proxy can be compromised and misbehave, but so can a AAA server. The issue is not about compromise of an entity that generates or uses the keying material (any key distribution cannot securely work if such compromise happens). The issue is whether it is acceptable for the keying material to be seen by an entity that does not generate or use it in order for the key distribution to work. In the case of HOKEY, such an entity is typically a AAA proxy that may sit on the key distribution path between an authenticator and a HOKEY server or between a HOKEY server and a AAA server. This can happen in real deployment in which there is an intermediate AAA domain between the home AAA domain and visited AAA domain. With regard to draft-housley-aaa-key-mgmt, there is a hint to indicate to whom the keying material must remain confidential: " For example, [RFC4072] enables EAP keying material to be delivered from a AAA server to a AAA client without disclosure to third parties. Thus, key confidentiality is mandatory to implement in Diameter [RFC3588]. However, key confidentiality is not mandatory to use. " I have a doubt if hop-by-hop security is really acceptable for our key distribution mechanism. > > The cryptographic protocol academic in me cringes to say that, but I don't > see any practical way to avoid it. We need to trust the AAA > infrastructure. We can certainly document the concerns associated with a > hop-by-hop protocol in the security considerations section. As Glen mentioned before, Kerberos-like architecture that supports cross-realm operation can work without the keying material exposed to a AAA proxy in the intermediate AAA domain. Do you think that Kerberos is not practical? Also, depending on security policy, we may not fully trust the AAA infrastructure. Otherwise, why does RFC 3588 have the following text? " It is strongly RECOMMENDED that all Diameter implementations support end-to-end security. " Regards, Yoshihiro Ohba > > -- > t. charles clancy, ph.d. <> tcc@umd.edu <> eng.umd.edu/~tcc > adjunct professor, electrical engineering, university of maryland > > > On Tue, 7 Aug 2007, Yoshihiro Ohba wrote: > > >I was taking vacation and sorry for delayed response. > > > >How does option #1 with hop-by-hop security satisfy > >draft-housley-aaa-key-mgmt-09.txt, especially "Authenticate all > >parties" and "Keying material confidentiality and integrity" > >requirements? > > > >Regards, > >Yoshihiro Ohba > > > > > > > >On Mon, Jul 23, 2007 at 01:32:36PM -0400, Charles Clancy wrote: > >>Related issue: #28 > >> > >>The current key distribution document describes protocols that require a > >>shared key between the server and third party. According to RFC 4107, > >>we are required to specify how those keys are provisioned. The result > >>was 3 options: > >> > >>#1: convert the current protocol into one that uses hop-by-hop security > >>with channel bindings based on AAA > >> > >>#2: define a protocol to provision keys, as necessary, between AAA > >>servers and any remote AAA client that needs a pairwise key for > >>end-to-end security > >> > >>#3: use something like cross-realm Kerberos to provide the necessary > >>cryptographics to improve upon hop-by-hop security > >> > >>An initial hum eliminated option #2. A vote for options #1 and #3 > >>yielded 23 in favor of #1 and 11 in favor of #3. This email is to > >>confirm the consensus in the room during the meeting. > >> > >>Please comment by August 2. > >> > >>-- > >>t. charles clancy, ph.d. <> tcc@umd.edu <> eng.umd.edu/~tcc > >>adjunct professor, electrical engineering, university of maryland > >> > >>_______________________________________________ > >>HOKEY mailing list > >>HOKEY@ietf.org > >>https://www1.ietf.org/mailman/listinfo/hokey > >> > > > _______________________________________________ HOKEY mailing list HOKEY@ietf.org https://www1.ietf.org/mailman/listinfo/hokey
- [HOKEY] consensus call: key delivery security pro… Charles Clancy
- Re: [HOKEY] consensus call: key delivery security… Yoshihiro Ohba
- Re: [HOKEY] consensus call: key delivery security… T. Charles Clancy
- Re: [HOKEY] consensus call: key delivery security… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key delivery security… Glen Zorn (gwz)
- Re: [HOKEY] consensus call: key delivery security… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key delivery security… Glen Zorn (gwz)
- Re: [HOKEY] consensus call: key delivery security… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key delivery security… Glen Zorn (gwz)
- Re: [HOKEY] consensus call: key delivery security… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key delivery security… Glen Zorn (gwz)
- Re: [HOKEY] consensus call: key delivery security… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key delivery security… Alper Yegin
- Re: [HOKEY] consensus call: key delivery security… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key delivery security… Madjid Nakhjiri
- Re: [HOKEY] consensus call: key delivery security… Sam Hartman
- RE: [HOKEY] consensus call: key delivery security… Madjid Nakhjiri
- Re: [HOKEY] consensus call: key delivery security… Dan Harkins
- RE: [HOKEY] consensus call: key delivery security… Glen Zorn
- Re: [HOKEY] consensus call: key delivery security… Sam Hartman
- Re: [HOKEY] consensus call: key delivery security… Yoshihiro Ohba
- RE: [HOKEY] consensus call: key delivery security… Dan Harkins
- RE: [HOKEY] consensus call: key delivery security… Glen Zorn
- RE: [HOKEY] consensus call: key delivery security… Dan Harkins