[IPsec] Potential issue with draft-ietf-ipsecme-ikev2-intermediate
Valery Smyslov <smyslov.ietf@gmail.com> Thu, 11 November 2021 07:37 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9BD53A0D38 for <ipsec@ietfa.amsl.com>; Wed, 10 Nov 2021 23:37:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYwtRtAgRQZM for <ipsec@ietfa.amsl.com>; Wed, 10 Nov 2021 23:36:58 -0800 (PST)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A39EB3A0D35 for <ipsec@ietf.org>; Wed, 10 Nov 2021 23:36:57 -0800 (PST)
Received: by mail-lf1-x12d.google.com with SMTP id n12so2482347lfe.1 for <ipsec@ietf.org>; Wed, 10 Nov 2021 23:36:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding:content-language:thread-index; bh=5jX8/qHXcuEQHoFpbM/5GFiFozPKFpIShNmAZs4sRlk=; b=EHEUZYAady5P/xO87QSSSOtENq8jVH5+bXS49u+WTn6N9G6IqXlQ6vZwx6H1IFzXEl xMJg+CZAfHCUlXYcrxUxr6Zlsvw4FBAyNr4u8sj0M8rEtb6uDX/0J/V+1nYcSOBrNstn TDqta554+YEHY0DsSxJ3qcDwOsF6PzSFM2s8tNwgDGq4SrwnXlh93O8s+cRNHQLaZnm5 zwHNULjQqodcc0ejJKl2IDDubkEmLmwxB9sLfa/dKSHyoYA/XeEAllgpdOhFfFAYKOzr dATm0kSxzeU0MFuG26VXvKL4q+7ZKBjMLgINfs6RoHXJ1TzhGJ1ts/JBwr4ViNr2RSEi InUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding:content-language:thread-index; bh=5jX8/qHXcuEQHoFpbM/5GFiFozPKFpIShNmAZs4sRlk=; b=Dssa+UsWjnBMbUy9lL63s4V43/FNxHkrp/5fWb/ou5q7G04/ncbr3eQsJXul2WUR+i oSyBV+uQT0KuMm9JV9+dT9ebiDylJLPEDX26yPKoEbMFGMkc0DA8/rhzkYYJILa3SStD aoBv6P1dOH9XP9PO4M8EuHnPTj8Df1XzOtA9ekgp1DALLKz2ZL/rB+0gwQUbAsAvvjVu hBaE1/tDlou3YoHaIuYibF24gc3Ba08mWlZOux4QP7/EYp8gVBSIIL2KcMUSL3WLKnoU Ku+03RQBrcirK5SufpDias/pDoZfufwLsBtkJESDohuQ1QcCUZ5zUoMI+AdpxeEQpvkL +KbA==
X-Gm-Message-State: AOAM533G6fpVSv1VDFfVrcyjkf8tIkwyi62wWeVXe8+Xzi7KgVzFRaKa /2GqpB4jrbiIWhq4B1Tb+GR2VCS/Syk=
X-Google-Smtp-Source: ABdhPJxU+sJNItyhyfRAZ0EJE3HMjQWpilh7+rYqP3ujjuVWkYj96huYsaBHHISv7ELGc3cY/3SfYg==
X-Received: by 2002:a19:6557:: with SMTP id c23mr4862351lfj.617.1636616214344; Wed, 10 Nov 2021 23:36:54 -0800 (PST)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id l18sm99935lfc.246.2021.11.10.23.36.53 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Nov 2021 23:36:53 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: IPsecME WG <ipsec@ietf.org>
Cc: 'Tobias Brunner' <tobias@strongswan.org>
Date: Thu, 11 Nov 2021 10:36:55 +0300
Message-ID: <105001d7d6ce$e76f7f50$b64e7df0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AdfWw85jMIHo/90vTHK9rbnZRhxavg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8kM6GoPeJwjuoxSH4CL4B75ZJMk>
Subject: [IPsec] Potential issue with draft-ietf-ipsecme-ikev2-intermediate
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2021 07:37:02 -0000
Hi,
I have had off the list discussion with Tobias Brunner and he has pointed out to one potential issue
with draft-ietf-ipsecme-ikev2-intermediate. Currently the authentication of IKE_INTERMEDIATE
exchanges is performed as follows:
InitiatorSignedOctets = RealMsg1 | NonceRData | MACedIDForI | IntAuth
ResponderSignedOctets = RealMsg2 | NonceIData | MACedIDForR | IntAuth
IntAuth = IntAuth_1 [| IntAuth_2 [| IntAuth_3 ... ]]
IntAuth_1 = IntAuth_1_I | IntAuth_1_R
IntAuth_2 = IntAuth_2_I | IntAuth_2_R
IntAuth_3 = IntAuth_3_I | IntAuth_3_R
...
IntAuth_1_I = prf(SK_pi_1, IntAuth_1_I_A [| IntAuth_1_I_P])
IntAuth_2_I = prf(SK_pi_2, IntAuth_2_I_A [| IntAuth_2_I_P])
IntAuth_3_I = prf(SK_pi_3, IntAuth_3_I_A [| IntAuth_3_I_P])
...
IntAuth_1_R = prf(SK_pr_1, IntAuth_1_R_A [| IntAuth_1_R_P])
IntAuth_2_R = prf(SK_pr_2, IntAuth_2_R_A [| IntAuth_2_R_P])
IntAuth_3_R = prf(SK_pr_3, IntAuth_3_R_A [| IntAuth_3_R_P])
...
So, a new blob IntAuth is added to signature or MAC calculation.
Note, that the size of IntAuth blob depends on the number of IKE_INTERMEDIATE
exchanges that took place: each IKE_INTERMEDIATE exchange increases it by the
2x <size of prf>.
The potential problem with this scheme that Tobias pointed out to is that
if the number of IKE_INTERMEDIATE exchanges is controlled by the initiator
(this is not true for draft-ietf-ipsecme-ikev2-multiple-ke, but may be true for
other applications of IKE_INTERMEDIATE), then malicious initiator
may mount a memory exhaustion attack on responder by performing a large number
of IKE_INTERMEDIATE exchanges.
Besides this attack (which is more a theoretical concern, since the size of prf is pretty
small and the number of IKE_INTERMEDIATE exchanges will not be counted by
thousands or even hundreds in any case), the inconvenience of the current scheme for
the responder is that in case it uses some HSM with limited internal storage
for storing intermediate IntAuth_* and it doesn't know beforehand the number
of IKE_INTERMEDIATE exchanges (again, this is not true for draft-ietf-ipsecme-ikev2-multiple-ke,
but may be true for other applications of IKE_INTERMEDIATE), then the internal resources
of this HSM will be wasted. Again, this is more a theoretical concern, since
IntAuth_* are not secret and can pe pulled from HSM and stored in main memory.
The bottom line. The problem that IntAuth is growing with each IKE_INTERMEDIATE
exchange do exist, but in my opinion, the potential bad consequences from it
are mostly theoretical. That said, we can fix this problem by re-defining the
IntAuth calculation as follows (the scheme suggested by Tobias):
InitiatorSignedOctets = RealMsg1 | NonceRData | MACedIDForI | IntAuth
ResponderSignedOctets = RealMsg2 | NonceIData | MACedIDForR | IntAuth
IntAuth = IntAuth_N_I | IntAuth_N_R
IntAuth_1_I = prf(SK_pi_1, IntAuth_1_I_A [| IntAuth_1_I_P])
IntAuth_2_I = prf(SK_pi_2, IntAuth_1_I | IntAuth_2_I_A [| IntAuth_2_I_P])
IntAuth_3_I = prf(SK_pi_3, IntAuth_2_I | IntAuth_3_I_A [| IntAuth_3_I_P])
...
IntAuth_N_I = prf(SK_pi_N, IntAuth_N-1_I | IntAuth_N_I_A [| IntAuth_N_I_P])
IntAuth_1_R = prf(SK_pr_1, IntAuth_1_R_A [| IntAuth_1_R_P])
IntAuth_2_R = prf(SK_pr_2, IntAuth_1_R | IntAuth_2_R_A [| IntAuth_2_R_P])
IntAuth_3_R = prf(SK_pr_3, IntAuth_2_R | IntAuth_3_R_A [| IntAuth_3_R_P])
...
IntAuth_N_R = prf(SK_pr_N, IntAuth_N-1_R | IntAuth_N_R_A [| IntAuth_N_R_P])
This will make the size of IntAuth blob constant regardless of the number of
performed IKE_INTERMEDIATE exchanges.
The draft draft-ietf-ipsecme-ikev2-intermediate has passed WGLC and is now
waiting for AD review. There are few interoperable implementations,
but none are used in production yet (to my best knowledge).
So, the question to the WG is - what should we do with this:
1. Re-define calculation of IntAuth to make it constant in size.
This will most probably require another WGLC and will break
interoperablity of existing products. The latter seems not so
important (no product has been released yet), but the former
may delay publication process.
2. Leave calculation of IntAuth as is and add some text to the
Security Considerations section that describes potential
problems and makes advise to the responder (e.g.
limit the number of accepted IKE_INTERMEDIATE exchanges).
This will not change bits on the wire and hopefully
will not require another WGLC.
3. Ignore this issue (do nothing).
Opinions?
Regards,
Valery.
- [IPsec] Potential issue with draft-ietf-ipsecme-i… Valery Smyslov
- [IPsec] Potential issue with draft-ietf-ipsecme-i… Tero Kivinen
- Re: [IPsec] Potential issue with draft-ietf-ipsec… Paul Wouters