[homenet] A summary of Babel cryptographic extensions

Juliusz Chroboczek <jch@irif.fr> Sat, 07 July 2018 09:55 UTC

Date: Sat, 07 Jul 2018 11:55:16 +0200
Message-ID: <87y3en4bgb.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: babel@ietf.org, babel-users@lists.alioth.debian.org, homenet@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/8a2hAuarzKaG0hj2qJcW6hi2bt0>
Subject: [homenet] A summary of Babel cryptographic extensions

Hi, and sorry for the massive cross-posting.  I suggest followups should
go to babel@ietf.

The mails that I'm receiving indicate that we (Babel@IETF) have confused
some people with our crypto plans.  Thanks to all for your questions, and
let me please try to clarify things publicly.

Considering security, I am concerned by the tension between simple,
auditable protocols and excessive complexity due to additional features.
Of course, we could just design a simple protocol and say that extra
features are out of scope, but many of the feature requests are actually
legitimate (confidentiality, asymmetric keying, pairwise keying, ASN.1, etc.).

So we're currently pushing for having two protocols for Babel:

  - HMAC for Babel [1,2,3], which is simple, understandable,
    implementable, has almost no dependencies and requires only minimal
    changes to Babel, but has minimal features (static symmetric keying
    only, no pairwise keying);
  - Babel over DTLS [4], which pushes the crypto down to DTLS, and
    therefore has all the creepy features of your DTLS implementation --
    at the cost of depending on a DTLS library, which some feel is overkill.

[1] https://tools.ietf.org/html/rfc7298
[2] https://tools.ietf.org/html/draft-ovsienko-babel-rfc7298bis
[3] https://tools.ietf.org/html/draft-do-babel-hmac
[4] https://tools.ietf.org/html/draft-decimo-babel-dtls

(References draft-ovsienko and draft-do are two competing protocols, both
based on RFC 7298; I'm supporting draft-do or something based on it.)

Both protocols have implementations [5,6], and independent reimplementations
are in progress or at least being considered.  Details are likely to
change, but the implementations are mature enough for experimentation.

[5] https://github.com/MisterDA/babeld branch unicast-dtls
[6] https://github.com/wkolod/babeld branch hmac-challenge

What I'd like to see eventually is:

  - both protocols published as RFCs;
  - one of the protocols being the recommended protocol (I'm kibitzing
    for HMAC);
  - all publicly available implementations of Babel supporting the
    recommended protocol, at least as a compile-time option.

Concerning Homenet -- Homenet will need at some point to decide what HNCP
security looks like, and decide how it interacts with Babel security.  My
personal opinion at this early stage is that HNCP should perform key
negotiation and distribute symmetric keys to Babel-HMAC, but I know that
at least one prominent visionary in the Homenet community feels rather
strongly about asymmetric or pairwise keying.  Given that HMAC security is
probably going to depend on DTLS anyhow, it's not unreasonable to require
Babel-DTLS in Homenet.

We'll try to arrange for presentations on the subject at IETF Montréal,
but all the parties involved are rather busy, so it's not a given.

I hope this clarifies things,

-- Juliusz
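To make concrete what "static symmetric keying only, no pairwise keying" means for the HMAC option, here is an added illustration in Python. It is not code from the message, from babeld, or from any of the drafts cited above, and it does not reproduce their TLV layout: the packet header follows RFC 6126 (magic 42, version 2, 16-bit body length), but the body, the placement of the MAC, the key values and the router names are constructed for this example, and the model deliberately has no replay protection so that the property of a bare MAC is visible.

```python
import hashlib
import hmac
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 (assumed for this model)

# Constructed key material for the example; in the HMAC model every router on
# the link holds the same static key.
GROUP_KEY = bytes.fromhex("9f" * 32)


def babel_packet(body: bytes) -> bytes:
    """Toy packet: RFC 6126 header (magic 42, version 2, 16-bit body length) + body.
    The body is an opaque constructed string here, not real Babel TLVs."""
    return bytes([42, 2]) + len(body).to_bytes(2, "big") + body


def protect(packet: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 over the whole packet (trailer placement is this model's choice)."""
    return packet + hmac.new(key, packet, hashlib.sha256).digest()


def verify(wire: bytes, key: bytes) -> Optional[bytes]:
    """Return the authenticated packet, or None if the trailing MAC is wrong."""
    if len(wire) < MAC_LEN:
        return None
    packet, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
    expected = hmac.new(key, packet, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak the correct tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return packet


def outsider_tampering_rejected() -> bool:
    """An attacker without the key cannot modify a packet in flight."""
    wire = bytearray(protect(babel_packet(b"update metric=10"), GROUP_KEY))
    wire[-MAC_LEN - 1] ^= 0x01  # flip the last body byte, leave the MAC alone
    return verify(bytes(wire), GROUP_KEY) is None


def outsider_forgery_rejected() -> bool:
    """...nor inject packets authenticated under a guessed key."""
    forged = protect(babel_packet(b"update metric=1"), bytes(32))
    return verify(forged, GROUP_KEY) is None


def insider_forgery_accepted() -> bool:
    """Static symmetric keying: any router holding the group key can emit a packet
    indistinguishable from one sent by any other member. The MAC proves membership
    in the keyed group, not which router spoke; that is what 'no pairwise keying' costs."""
    forged_by_c_as_a = protect(babel_packet(b"update from A metric=1"), GROUP_KEY)
    return verify(forged_by_c_as_a, GROUP_KEY) is not None


def replay_accepted() -> bool:
    """This model carries no nonce or challenge, so a captured packet verifies
    again later; replay protection has to be layered on top of the bare MAC."""
    captured = protect(babel_packet(b"update metric=10"), GROUP_KEY)
    return verify(captured, GROUP_KEY) is not None


def pairwise_keys_stop_insider_forgery() -> bool:
    """Contrast: with a distinct key per router pair, C cannot forge A's packets to B."""
    key_ab = bytes.fromhex("01" * 32)  # constructed pairwise key A<->B
    key_cb = bytes.fromhex("02" * 32)  # constructed pairwise key C<->B
    forged_by_c_as_a = protect(babel_packet(b"update from A metric=1"), key_cb)
    return verify(forged_by_c_as_a, key_ab) is None
```

The two rejection checks are what the HMAC option buys; the two acceptance checks are the limits the message alludes to, and the last function shows why pairwise keying (which the HMAC option does not provide and which a DTLS session could) changes the insider case.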