[ippm] draft-ietf-ippm-owdp-11.txt security
stanislav shalunov <shalunov@internet2.edu> Tue, 30 November 2004 22:39 UTC
Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA24385 for <ippm-archive@lists.ietf.org>; Tue, 30 Nov 2004 17:39:18 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CZGFk-0007pA-Pn; Tue, 30 Nov 2004 17:13:45 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CZFKN-0003sm-Q5 for ippm@megatron.ietf.org; Tue, 30 Nov 2004 16:14:28 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA08414 for <ippm@ietf.org>; Tue, 30 Nov 2004 16:14:25 -0500 (EST)
Received: from basie.internet2.edu ([207.75.164.22]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CZFPV-0000Pr-SV for ippm@ietf.org; Tue, 30 Nov 2004 16:19:49 -0500
Received: from localhost (unknown [127.0.0.1]) by basie.internet2.edu (Postfix) with ESMTP id E53071CD682; Tue, 30 Nov 2004 16:14:20 -0500 (EST)
Received: from basie.internet2.edu ([127.0.0.1]) by localhost (basie.internet2.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 27976-04; Tue, 30 Nov 2004 16:14:20 -0500 (EST)
Received: from localhost (unknown [127.0.0.1]) by basie.internet2.edu (Postfix) with ESMTP id A0B741CD515; Tue, 30 Nov 2004 16:14:20 -0500 (EST)
To: Samuel Weiler <weiler@sparta.com>
From: stanislav shalunov <shalunov@internet2.edu>
Date: Tue, 30 Nov 2004 16:14:48 -0500
Message-ID: <86mzwzkpiv.fsf@abel.internet2.edu>
Lines: 111
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: by mail.internet2.edu virus scanner
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7fa173a723009a6ca8ce575a65a5d813
Cc: ippm@ietf.org
Subject: [ippm] draft-ietf-ippm-owdp-11.txt security
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org >
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org ?subject=unsubscribe>
List-Post: <mailto:ippm@ietf.org >
List-Help: <mailto:ippm-request@ietf.org ?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org ?subject=subscribe>
Sender: ippm-bounces@ietf.org
Errors-To: ippm-bounces@ietf.org
Sam, Thank you very much for the in-person security review of the OWAMP specification on Friday at the last IETF meeting in Washington. During the security review, two potential problem areas were identified: user authentication in OWAMP-Control and packet authentication in authenticated mode in OWAMP-Test. Before making any changes to the protocol, I would like to write down my understanding of the potential weaknesses and make sure this understanding is shared. In re user authentication in OWAMP-Control: in the current specification, user authentication consists of (i) session key establishment; (ii) using the session key subsequently to make requests. Let us talk about the two separately. (i) Session key establishment consists of the server issuing a challenge and the client encrypting the challenge with the master key (the shared secret) along with a session key. I believe this to be the technique of protocol 2 (key transport with challenge-response) in section 12.3.1(i) of the Handbook of Applied Cryptography (HAC) by Menezes et al. This protocol is described as follows: A <- B: n_B (1) A -> B: E_K(r_A, n_B, B*) (2) where the star next to B in step 2 denotes an optional parameter. The optional parameter (the addressee of the message) is not used in the specification. The optional field may be used to prevent reflection attack described as attack 2 in section 12.9.1 of the HAC. The reflection attack does not appear to be applicable to the OWAMP specification, as it requires the client to run a server that would authenticate the (original) server using the same master key. In other words, the defence against the reflection attack is, in the terms of HAC, ``using distinct keys K and K' for encryptions from A to B and B to A, respectively.'' (ii) Using the session key to make requests does not appear to be vulnerable, even though no redundancy is inherent in the initial exchange as the necessary redundancy is contained in the protocol messages. It thus appear to me that no change to the user authentication part of OWAMP is warranted. Do you agree? In re packet authentication in authenticated mode of OWAMP-Test: the authentication token of each packet is its sequence number encrypted with redundancy using the same session key as that used in the OWAMP-Control session that spawned the OWAMP-Test session. The threat model is as follows: both the client and the server wish to cooperate to produce trustworthy measurement results. The attacker, who does not know the master key associated with the pair <server, client's user name>, can observe traffic, modify it, hold it, replay it, initiate sessions (both OWAMP-Control and OWAMP-Test) with the same server using a different user name, and, of course, initiate sessions with different servers (which would have unrelated user name namespace and unrelated secrets). The attacker is to be positively prevented from initiating sessions with the server using the client's credentials. In authenticated mode, the timestamp is in the clear with no protection, so the attacker can modify that at will; he can also delay packets or replay them. The potential problem is related to the fact that the key used to encrypt the sequence number with redundancy is the same for all OWAMP-Test sessions spawned by the same OWAMP-Control session. Thus, an attacker observing packets from different sessions might be able to switch the authenticators and inject extra traffic. Since an attacker is already able to replay packets after observing them (possibly with different timestamps, at attacker's option), even if the packets are lost subsequently to the observation, he can perform the following attack: by observing packets from one OWAMP-Test session (and guessing the sequence numbers, which might be easier if the stream is periodic than if it is, e.g., Poisson) and using the authenticators from these packets in the packets that belong to a different OWAMP-Test session spawned by the same OWAMP-Control session, the attacker can make packets arrive sooner than they otherwise would (loss, for the purposes of this attack, is a special case of very long delay). For example, an attacker might sit very close to, e.g., the client and have the ability to observe and modify traffic; the client and the server might start two periodic sessions, one in each directions; the attacker would then be able to use packets from the session where the client is the sender to completely generate packets from the session where the server is the sender, and have them delivered at any time the attacker chooses with timestamps that the attacker chooses. Note: while during the security review this weakness was mentioned only in the context of authenticated mode, encrypted mode is similarly vulnerable, with the obvious change in attacker's abilities (namely, the attacker can, under the same circumstances as in the case of the authenticated mode, make packets arrive earlier than they otherwise would, but he, differing from the case of authenticated mode, cannot change the original timestamps in the packets from the different session; while this limits the utility of the attack, the attack is still there). With respect to the second problem, I propose the following resolution: replace the use of the OWAMP-Control session key K in OWAMP-Test (both encrypted and authenticate mode) with a key that is unique to the particular OWAMP-Test session, AES_K(SID) (the 16-octet session identifier encrypted with AES in ECB mode using the session key from the OWAMP-Control session spawning the OWAMP-Test session). Do you see any problems with this? Thank you again for the review and your involvement with OWAMP, -- Stanislav Shalunov http://www.internet2.edu/~shalunov/ Sex is the mathematics urge sublimated. -- M. C. Reed. _______________________________________________ ippm mailing list ippm@ietf.org https://www1.ietf.org/mailman/listinfo/ippm
- [ippm] draft-ietf-ippm-owdp-11.txt security stanislav shalunov