Comments on the IPSEC Internet drafts.
"Phillip M. Hallam-Baker" <hallam@w3.org> Fri, 30 June 1995 07:49 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa00348; 30 Jun 95 3:49 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa00344; 30 Jun 95 3:49 EDT
Received: from ietf.cnri.reston.va.us by CNRI.Reston.VA.US id aa00687; 30 Jun 95 3:48 EDT
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa00333; 30 Jun 95 3:48 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa00329; 30 Jun 95 3:48 EDT
Received: from www18.w3.org by CNRI.Reston.VA.US id aa00390; 30 Jun 95 3:40 EDT
Received: from www22 (www22.w3.org) by www18.w3.org (5.0/NSCS-1.0S) id AA09500; Fri, 30 Jun 1995 03:41:05 +0500
Message-Id: <9506300741.AA09500@www18.w3.org>
Date: Fri, 30 Jun 1995 03:41:05 -0400
X-Orig-Sender: hallam@w3.org
X-Orig-Sender: iesg-request@IETF.CNRI.Reston.VA.US
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: "Phillip M. Hallam-Baker" <hallam@w3.org>
Organization: World Wide Web Consortium
X-Mailer: Mozilla 1.1N (X11; I; SunOS 5.3 sun4m)
Mime-Version: 1.0
To: iesg@CNRI.Reston.VA.US, ietf@CNRI.Reston.VA.US
Subject: Comments on the IPSEC Internet drafts.
X-Url: http://www.w3.org/hypertext/WWW/Security/ipsec_comments.html
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
content-length: 9290
Comments on the IPSEC Internet drafts. Dr Phillip M. Hallam-Baker World Wide Web Consortium This document is available as hypertext at the following URL: http://www.w3.org/hypertext/WWW/Security/ipsec_comments.html This is in response to the call for comments on the following internet draft proposals: draft-ietf-ipsec-arch-02.txt, draft-ietf-ipsec-auth-02.txt, draft-ietf-ipsec-esp-01.txt, draft-ietf-ipsec-ah-md5-03.txt, draft-ietf-ipsec-esp-des-cbc-04.txt Executive summary I believe that these documents require further work before they are ready for adoption as proposed standards. The documents as currently written define a framework that is insufficiently generic. Introduction This response was in art stimulated by comments made by Phil Rogaway in his note: draft-rogaway-ipsec-comments-00.txt It is worth noting in passing that ASCII text is a sub-optimal means of expressing cryptographic systems. The ambiguity of natural language renders it a cumbersome notation for what are essentially mathematical concepts. Many of the problems with the drafts would almost certainly had been rectified at an earlier stage if the means of expression had permitted a more rigorously algebraic approach. Natural language encourages reference to specific examples rather than concentration on the high level abstractions crucial to the task. Conspicuously lacking from the standards documents is a grounding of the concepts in a well developed formalism such as the specification languages Z or VDM. It is to be hoped that future standards development will recognize the significant advantages that a well chosen and appropriate notation for discourse provides and that plain ASCII text alone is not such a notation. If ASCII text does not permit adequate expression of such notations that should be considered a reason to consider another form of notation and not a reason not to employ such an analysis. Use of a message digest function for authenticity checking. The specifications auth-02 and ah-md5-03 imply that a message digest function should be used to ensure authenticity. This makes two questionable assumptions. First that such a use is an appropriate use of a digest function and second that digest functions are appropriate for this task. A message digest is a function of a single variable, a keyed digest is a function of two variables. It is clearly undesirable to confuse the two. The use of a digest function and a shared secret to produce a symmetric key secret function is a relatively new concept, one that has received little attention in the literature. Most cryptographic digest functions have been designed as an adjunct to a public key signature scheme. Such use makes flaws such as a possibility of an extension attack unimportant. When applying a cryptographic component designed with one purpose in mind for a different purpose careful evaluation of the new requirements is essential. Even if a mode of use of a message digest function has the necessary properties for security it does not follow that such use is appropriate. It is probable that an algorithm specifically designed for the purpose of ensuring authenticity would be more satisfactory. The construction of a keyed digest function from cryptographic primitives such as hash functions and ciphers is in general concerned with preventing the exploitation of specific weaknesses in specific algorithms. As a consequence it is not useful to separate consideration of the underlying hash function from the mode of operation employed to construct a keyed digest function. It is therefore considered undesirable to specify modes of operation for cryptographic primitives in a manner analogous to DES. Although such a modular approach would be of assistance in building libraries the security of M1(H1) and M2(H2) does not imply the security of M1(H2) or M2(H1). On the specific keyed digest mechanism proposed There is at present no known attack against MD5 which renders it unsuitable for keyed digest use. It is however susceptible to two specific forms of attack, an extension attack and an attack on the internal compressor function which may be used to synthesize collisions. In such circumstances a decision to base IP security on a theoretically untested mode of operation of this specific algorithm might be considered a brave step. Alternative keyed digest algorithms. I do not propose to suggest an alternative keyed digest algorithm within the timeframe for responses to the standards documents nor even to provide a complete statement of requirements for such an algorithm. I believe however that it is better that it is better to mention no keyed digest mechanism in the architectural documents at the present time rather than mandate all implementations to implement an algorithm that has at best no strong foundations in the proposed mode of usage and at worst may be suspect. It is clearly desirable that a keyed digest function be resistant to extension attacks and have no known weaknesses such as the MD5 compressor function attack. Additionally it is desirable that the key be involved in the calculation process throughout the digest process. This may be considered an aesthetic requirement, that the calculation process should be symmetric involving commensurate calculations on both inputs. Proposal: The IPSEC architecture should be phrased in terms of a fast symmetric key signature mechanism rather than assume that a generic hash function should be employed for this purpose. This proposal corresponds to a strong endorsement of Rogaway's recommendation number 5. Encryption of known plaintext. Cryptanalysis using known or chosen plaintext is considerably easier than direct attack. Encryption of known headers is thus clearly undesirable since it provides a direct route to formation of a known plaintext attack and may open a route to construction of a chosen plaintext attack. A specific form of attack must be considered which exploits weaknesses in multiple cryptographic components. If for example a system employed related keys to ensure encryption and authenticity a chosen plaintext attack on the privacy component might provide information to compromise the authenticity mechanism. Proposal: Encryption of known headers should be prohibited. This proposal corresponds to a strengthening of Rogaway's recommendation number 3. Encryption of message digests. The encryption of message digest functions of encrypted text should be considered undesirable. Consider the difficulty of solving the the following constraint set for m: * e = E (k, m) * d = E (k, H(m)) Compared to the difficulty of solving for m in the following case: * e = E (k, m) * d = H (E (k, m)) In the first case we have two independent equations in m. In the second only one. It is possible therefore for the second mode of operation to provide unconditional security in certain situations (e.g. m is an unknown genuinely random value fewer bits in length than the key) whereas this is not possible in the first case. Proposal: It is proposed that the scope of any digest function should encompass the encrypted text and not vice versa. This proposal corresponds to a strengthening of Rogaway's recomendation number 4. Key sizes A limitation of key sizes to 64 bits may be considered in future to be the cryptographic equivalent of the original Arpanet decision to limit addresses to 32 bits. I concur with Rogaway's proposal that the key sizes of at least 128 bits should be permitted. I prefer Rivest's proposal that key sizes should be arbitrary or subject to a generous limit. Attack model It is important that the security assurances of the system be understood. Two tools for analyzing such assurances are threat trees and constraint networks. It is strongly advised that such analysis be performed. The construction of threat trees from a taxonomy of risks is a well established technique for constructing an attack model for a system. Such an analysis has been of great assistance to the author in consideration of transaction level protocols. A common reason for failure of cryptographic systems is the creation of unintended correlations between components which although individually secure fail in particular combinations. An example of this being the DES-CBC TIC mode in PM. Such unintended correlations may often be uncovered by construction of constraint networks corresponding to the data structures and algorithms employed. Such an analysis is most effective if subjected to automated verification. Summary of proposals. * Eliminate references to message digest functions where a keyed digest usage is actually intended. * Do not encrypt known headers. * Do not specify public constraints on encrypted objects, specifically do not incorporate message digests of message plaintext even if these are encrypted. * Allow arbitrary key sizes. * A comprehensive attack model consisting of as a minimum threat tree and constraint network analysis should be compiled. In addition it is strongly recommended that even if IETF procedures insist on the precedence of ASCII text renditions of specification documents that a document detailing the architecture in algebraic terms be compiled.
- Comments on the IPSEC Internet drafts. Phillip M. Hallam-Baker