Re: [HOKEY] AD review of draft-ietf-hokey-erp-aak

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 24 November 2011 13:13 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53F7421F8A66 for <hokey@ietfa.amsl.com>; Thu, 24 Nov 2011 05:13:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XwAOcQW8069X for <hokey@ietfa.amsl.com>; Thu, 24 Nov 2011 05:13:51 -0800 (PST)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id EB7CE21F8A57 for <hokey@ietf.org>; Thu, 24 Nov 2011 05:13:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 0A0C6171CB7; Thu, 24 Nov 2011 13:13:50 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1322140429; bh=lkuR45Ub/c7VpU 4W+kZMjyfQjwpQpKOcjYFlYXTl9f8=; b=dJcyqPQfskPAZZPj5ZJyiBg5CcROQk 8pcFHtX2Flt6PsmftodCAaXUfC40htQqnHouqmT14M4leK/kUguDoq1O9XMJgJBu g33beZDxS/hVLuF1p32kEPTB5Cyq5NFXRNC5ulfFEUGWUkYie54VXbVM9DWWkAvS H/zXBwn7wWYdF2Yf//XdoGiyr4dlmKgkIvDJiMxPiAmWPij4NdS2qCK6t2E+zLo1 RgSyZCeEndJC+vokLV4jgPXxAUrgN4rb4Acp1FUbWgdVWcP+94sa+SuCqodP2Qqy MI89X6UOEXPmUFBXLPZlO8T0jqDP+3aPxr/ry8H8b6x3XbbgcX41XTcg==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id 1Lnfcov2gxM7; Thu, 24 Nov 2011 13:13:49 +0000 (GMT)
Received: from [10.87.48.8] (unknown [86.42.16.250]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id D4B72171C21; Thu, 24 Nov 2011 13:13:46 +0000 (GMT)
Message-ID: <4ECE4300.8070901@cs.tcd.ie>
Date: Thu, 24 Nov 2011 13:13:36 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Qin Wu <bill.wu@huawei.com>
References: <4ECA9AD5.3050409@cs.tcd.ie> <B5D72BE948614EB6BA4D5DCDD907074C@china.huawei.com> <4ECE2EC9.6040408@cs.tcd.ie> <03FB617435B7413D8F0381C5D4689806@china.huawei.com>
In-Reply-To: <03FB617435B7413D8F0381C5D4689806@china.huawei.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Glen Zorn <glenzorn@gmail.com>, "Cao, Zhen" <caozhen@chinamobile.com>, hokey@ietf.org
Subject: Re: [HOKEY] AD review of draft-ietf-hokey-erp-aak
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2011 13:13:52 -0000

Hiya,

Good stuff. I'd say there's enough there already to push out another
revision. Not sure if you want to wait on responses to the
other issues or not. You can figure that out with your co-authors
and WG chairs I guess.

Cheers,
S.

On 11/24/2011 01:06 PM, Qin Wu wrote:
> Hi,
> ----- Original Message -----
> From: "Stephen Farrell"<stephen.farrell@cs.tcd.ie>
> To: "Qin Wu"<bill.wu@huawei.com>
> Cc:<hokey@ietf.org>; "Glen Zorn"<glenzorn@gmail.com>ail.com>; "Cao,Zhen"<caozhen@chinamobile.com>
> Sent: Thursday, November 24, 2011 7:47 PM
> Subject: Re: [HOKEY] AD review of draft-ietf-hokey-erp-aak
>
>
>>
>> Hiya,
>>
>> On 11/24/2011 06:08 AM, Qin Wu wrote:
>>> Hi, Stephen:
>>> Thank for your valuable review.
>>> Here is my answer to the main issues I think and I skip most of editorial issues or nits issues.
>>> My coauthors will address the remaining issues.
>>
>> Fine thanks.
>>
>>> ----------------------------------------
>>> #7, p5 - "The rIK is used to protect this message." Is that right?
>>> How is rIK used to protect the message when the message contain
>>> rIK?  I also wondered what "protect" means exactly - are the flags
>>> etc. all protected and how?
>>>
>>> [Qin] I think rIK should be corrected as pIK. pIK is used to protect the ERP message
>>> exchanged between the peer and the EA server. MSK used for normal EAP exchange should be further derived into
>>> other child keys. Alternatively, the pMSK can be derived into child keys. These child keys protect the ERP
>>> message exchanged between the peer and SAP.
>>
>> Alternatively? Isn't it a bit late in the day (just before
>> IETF LC) to be considering such alternatives?
>>
>> If you do replace rIK with pIK please send the chaged paragraph
>> to the list before posting the draft to make sure its ok?
>
> [Qin]: I just explain how the message is protected between the peer and authenticator using
> the existing key derived from regular EAP exchange, however this is not the focus of this document.
> We more focus on how message is protected between the peer and the server using pIK.
> protect here means integrity protection or prevent  the message sent over inscure channel being tampered.
>
>>
>>> #8, p5 - If I'm an authenticated user and I send the message at
>>> step 2 to the SAP, then can I get the SAP to forward the message to
>>> anything on the Internet? If not, where does it say how that's
>>> controlled? I guess the SAP knows based on its config and/or the
>>> authentication state of the peer but if so you should probably say
>>> that?
>>>
>>> [Qin]: SAP plays the role of authenticator should encapsulate the ERP message
>>> into AAA message and route the AAA message based on Realm part of KeyName-NAI.
>>
>> That's misses the point. The Realm part of the KeyName-NAI is
>> supplied by the peer (the user). Is the SAP supposed to check
>> that its an ok Realm before encapsulating and sending the AAA
>> message? If so, you need to say so. If not, then that might
>> allow attack attempts and should be noted.
>
> [Qin]: Okay.
>
>>
>>> #15, p8 - You can only have one keyName-NAI in the message and that
>>> MAY have either the home domain name or the domain name to which
>>> the peer is currently attached for ite realm part.  How does anyone
>>> know which to include when? Seems underspecified or missing a
>>> reference?
>>>
>>> [Qin]: This was discussed on the list many times. Based on the discussion,
>>> we take the following way:
>>> The peer should know where to send the message? If the peer
>>> communicate with the home server, the peer should carry home domain name
>>> in the keyName-NAI. If the peer communicate with the local server, the peer
>>> should carry local domain name in the keyName-NAI.
>>> The authenticator or local ER server in the path can know if the KeyName-NAI carry
>>> local domain name by comparing the domain name carried in KeyName-NAI with local
>>> domain name it has already known.
>>
>> So perhaps its clear in your mind and on the list, but its
>> not clear in the document and it needs to be.
>
> [Qin]: Okay. we need to revise the document to reflect this.
>
>>
>>> #16, p8 - How are CAP-Identifier and "Sequence number" TLVs
>>> "associated"?
>>>
>>> [Qin]: Suppose multiple CAP-identifiers are carried in the ERP message,
>>> the same number of Sequence number TLVs should be carried with associated CAP-identifier.
>>> We can rely on the order to associate each other.
>>
>> "rely on the order" is what you need to put in the document
>> then and you need to say what's ok and what's not. E.g. the
>> message field ordering for 3 of both could be
>>
>>      capid1, capid2, capid3, seq1, seq2, seq3
>> OR
>>      capid1, seq1, capid2, seq2, capid3, seq3
>>
>> Are both ok? What about:
>>
>>      capid1, capid2, seq1, seq2, capid3, seq3
>>
>> You need to say what's ok I think.
>
> [Qin]: Good point, we need to fix this.
>
>>
>>> #18, p8 - Exactly how is the sequence number used in the
>>> calculation of the pMSK for each CAP? Can these be re-used? (Across
>>> reboots?) Do they need to be random? That all needs stating I
>>> think.
>>>
>>> [Qin]: This was discussed on the list before. The results is:
>>> If we carry three CAP-Identifiers, we should also send three Sequence number TLVs
>>> with associated CAP-Identifiers. The Sequence number for each CAP MUST not be reused.
>>
>> MJST NOT be re-used is fine but needs to be stated.
>>
>> Your response doesn't answer the question though.
>
> [Qin]: if there are multiple CAPs, the EA server can not send the same pMSK to all the CAPs.
>     The pMSK is derived as follows.
>
>     pMSK = KDF (K, S), where
>
>        K = pRK and
>
>        S = pMSK label | "\0" | Sequence number | length
> If the sequence number is set to the same value for each CAP, all the CAP will get the same pMSK.
> That's not secure.
>
>
>> *How* (exactly) is the sequence number used when calculating
>> the pMSK? Maybe that's specified in ERP, but it has to be
>> specified somewhere so you need more text or a reference.
>
>
> [Qin]: Yes, see above.
>
>>> #20, p8 - authentication tag - where is the input to the HMAC
>>> function specified? (Its not here anyway.) I think someone needs to
>>> say how this is calculated. That means both the plaintext (message)
>>> input (e.g. are any header bits in/excluded?) and the key input
>>> (which key?). It could be that this just needs a reference if its
>>> done the same as some other RFC. An example would be great to give.
>>>
>>> [Qin]: We should base on HMAC mechanims specified in RFC2104,
>>
>> I think you want RFC 4868 which defines HMAC with SHA256. But
>> that doesn't define a 64 bit output I now notice so I think you
>> need to define that or drop it or find a place where it's defined.
>> The 128 and 256 bit output variants are defined in 4686.
>
>
> [Qin]: Good point, we need to add a reference to RFC4868 and RFC2104.
> As for 64 bit output, we need to find out or drop it.
>
>>> Use the integrity algorithm indicated in the Cryptosuite field to
>>> calculate authentication tag value. rIK will be used for calculation.
>>> The message used to calculate authentication tag should exclude authentication
>>> tag field and but not exclude header bits.
>>
>> So you need to say that.
>
> [Qin]: Okay.
>
>>>
>>> #22, p8 - You need references for the HMAC functions.
>>>
>>> [Qin] It should be RFC2104.
>>
>> Nope. See above.
>>
>>>
>>> #23, p8 - Should/are the choices for cryptosuites in some IANA
>>> registry?  If not, why not? If so, where?
>>>
>>> [Qin] RFC5296 has already created registries for'Re-authentication
>>>      Cryptosuites'. These crytosuites can be reused for ERP-AAK.
>>
>> So use that then and say you're doing so.
>
> [Qin]: Okay.
>>
>>> #36, p11 - Is it ok for "different sequence numbers" to mean "just
>>> increment" or not?  Is it ok for sequence numbers to be re-used say
>>> after the peer reboots?  I think you need to say.
>>>
>>> [Qin] See the above answer to #16, #18.
>>
>> I looked. I still don't know the answer.
>>
>> S
>>
>>>
>>>
>>> Regards!
>>> -Qin
>>> ----- Original Message -----
>>> From: "Stephen Farrell"<stephen.farrell@cs.tcd.ie>
>>> To:<hokey@ietf.org>
>>> Sent: Tuesday, November 22, 2011 2:39 AM
>>> Subject: [HOKEY] AD review of draft-ietf-hokey-erp-aak
>>>
>>>
>>>>
>>>> Hi all,
>>>>
>>>> Here's my review of this. There are a lot of comments,
>>>> but quite a few are very nitty or are things where I
>>>> probably just need to be told that I don't know enough
>>>> about ERP. (Which is true of course:-)
>>>>
>>>> Some are non trivial however, and there are a lot of nits,
>>>> so I've put this into the revised-ID-needed state.
>>>>
>>>> Probably best is to handle any easy ones via email and
>>>> then setup a skype chat for whatever's left. Let me
>>>> know...
>>>>
>>>> Cheers,
>>>> S.
>>>>
>>>>
>>>
>>>
>>> --------------------------------------------------------------------------------
>>>
>>>
>>>> _______________________________________________
>>>> HOKEY mailing list
>>>> HOKEY@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/hokey
>>>>
>>>
>