IETF Logo Mail Archive

Re: [IPsec] Diet-ESP

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 17 February 2015 21:17 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A58B51A90C4; Tue, 17 Feb 2015 13:17:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IOyIz0slwvIO; Tue, 17 Feb 2015 13:17:14 -0800 (PST)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65BD21A90BC; Tue, 17 Feb 2015 13:17:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=35802; q=dns/txt; s=iport; t=1424207833; x=1425417433; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=tTYFMn85SuGKj+GwZ05efvvU4SsM8gjAlGcGegjc748=; b=VV8+gezSPhnTEELnIhudE5wrBYsBP6vEihLKFYXsSvk9y0Kgr7PPbHbF tbsxrSKMqZ47tAYGDzV/2IjbFLGtEfg18UPmlAlG1hi6ZjBSWGjgmokzh 9YD8ve+E7jPxN/V4O3pDiqNFQJ80c4XA+N20lP9dX/CGnHfitj32blbsk 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AHBwCrruNU/4cNJK1bgkNDUloEgn+wHo1DgXCFbwIcf0MBAQEBAQF8hAwBAQECAg4VCjgUEAIBCA4DBAEBCxYHAwICAh8RFAkIAgQOBQgRBod8AxENuTOSMQ2FNAEBAQEBAQEBAQEBAQEBAQEBAQEBAReLD4JEgUcyFhsGAYJoLoEUBY1MgWyDV4Qagl44glWIZIYEIoNubwEBAQGBQH8BAQE
X-IronPort-AV: E=Sophos;i="5.09,595,1418083200"; d="scan'208,217";a="124398236"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-8.cisco.com with ESMTP; 17 Feb 2015 21:17:12 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id t1HLHCXX017269 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 17 Feb 2015 21:17:12 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.248]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.03.0195.001; Tue, 17 Feb 2015 15:17:12 -0600
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Thread-Topic: [IPsec] Diet-ESP
Thread-Index: AQHQSl8D8Q49UimlJk+ag/Gqzu2LiJz0RjGwgAEbzAD//++owA==
Date: Tue, 17 Feb 2015 21:17:11 +0000
Message-ID: <A113ACFD9DF8B04F96395BDEACB340420D03A72F@xmb-rcd-x04.cisco.com>
References: <CADZyTkkqjSQe1HvMhLqg1g1-bxGc3iXB8kjL81qJgieCwV6h8Q@mail.gmail.com> <A113ACFD9DF8B04F96395BDEACB340420D03A28E@xmb-rcd-x04.cisco.com> <CADZyTkmssqtDFfLAae19w0-rxdiiE3TopgB21LbiEE1O-mQA=g@mail.gmail.com>
In-Reply-To: <CADZyTkmssqtDFfLAae19w0-rxdiiE3TopgB21LbiEE1O-mQA=g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.86.255.216]
Content-Type: multipart/alternative; boundary="_000_A113ACFD9DF8B04F96395BDEACB340420D03A72Fxmbrcdx04ciscoc_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/Nomx8ylP6b8utj6ifoRIOwYug4k>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Subject: Re: [IPsec] Diet-ESP
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 21:17:21 -0000

Others have addressed my other points; let me talk about the specific issues with GCM.

One summary of the issues found is http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.297.9568&rep=rep1&type=pdf ; the problem with GCM is that:

-          With one successful forgery, the attacker can modify other packets the same way without detection.

-          With a handful of successful forgeries, the attacker can learn enough to be able to forge arbitrary messages.
Now, with the full 16 byte ICV, this is not a concern (because the probability of the attacker finding one successful forgery is tiny); however once you start reducing the ICV value, well, various guessing strategies start working better.

Now, neither HMAC nor CMAC has this problem; yes, with a tiny ICV, someone can generate a forgery by blindly guessing; however a successful forgery doesn’t give the attacker any information about how to generate a second successful forgery, or any information about the internal state.  Instead, generating a second forgery requires just as much work as you’d expect (that is, the same amount of work taken to generate the first forgery).

Hence, while I would suggest that you rethink the strategy of allowing tiny ICVs, if you do go ahead, I would strongly urge you to mandate the use of either HMAC or CMAC to generate those tiny ICVs – those won’t make a poor situation even worse.


From: Daniel Migault [mailto:mglt.ietf@gmail.com]
Sent: Tuesday, February 17, 2015 10:48 AM
To: Scott Fluhrer (sfluhrer)
Cc: 6lo@ietf.org; ipsec@ietf.org
Subject: Re: [IPsec] Diet-ESP

Hi Scott,
Thank you for the feed back. I agree that compressing the ICV reduces security related to authentication. Let's call this a "weak authentication".
I am not saying it is a valid argument, but since IPsec enables NULL authentication too, we considered that enabling "weak authentication" would be possible with a clear warning in the security consideration.
The reason we are looking we are looking for weak authentication is to be able to balance authentication with bandwidth optimization. In fact, suppose you compute the mean/median over a thousand different value, that one or two values are corrupted may not have much impact overall, and we may prefer to extend the life time of the mote for 5 years instead.

Regarding you comment I think the issue ou raised is more related to GCM. -- By the way I would be interested to have a description or relevant doc describing  why ICV in GCM particularly matters. One way to address the issue you raised would be:
    - 1) mention the need for weak authentication in the requirement draft
    - 2) remove ICV compression from Diet-ESP
    - 3) Define encryption protocols with weak authentication with different sizes of the ICV. For example suppose AES-MODEX has an ICV of N, then we may need to add AES-MODEX_i with i in [0 ... N-1].
The advantage of doing so is that it avoids end user to weaken the protocols especially when one compression is fine with one protocol but not with the others. In that sense it looks a better design.
However, I see the following drawbacks:
    - It requires to create multiple encryption protocols. Unlike compression, implementation cannot use existing implementation of AES-MODEX.
    - Negociation for hosts accepting all AES-MODEX_i with i in [0 ... N-1] requires many SA payload in the IKEv2 negotiation. However, we may deal with this with a AES-MODEX_ALL to indicate the responder choses its compression.

BR,
Daniel

On Tue, Feb 17, 2015 at 6:28 AM, Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com<mailto:sfluhrer@cisco.com>> wrote:
Here’s an issue with this draft; it doesn’t meet the requirements that it claims.  In particular, it claims that it is based on standard IPsec, and that its security is equivalent to IPsec (R1-R3).  However, it allows (and, as far as I am concerned, encourages) the use of tiny ICVs; these tiny ICVs introduce security vulnerabilities that do not occur within sane configurations of IPsec (where sane includes using an integrity transform).  In particular, using tiny ICVs with GCM is a known security issue.

Now, it would be possible to have an encryption protocol that would not have issues with small ICVs (say, by using a wide block cipher); however this would be rather different than standard IPsec (in part because IPsec was never designed with these minimal bandwidth constraints); either we need to stay with an IPsec-based protocol (which implies a largish ICV), or go with something else (which would have less overhead, but doesn’t look that much like IPsec internally).


Oh, and a minor note on the IV generation: it’s actually secure to use the same key you use to encrypt to encrypt the counter for the IV; you don’t need a separate key.

From: IPsec [mailto:ipsec-bounces@ietf.org<mailto:ipsec-bounces@ietf.org>] On Behalf Of Daniel Migault
Sent: Monday, February 16, 2015 10:08 PM
To: 6lo@ietf.org<mailto:6lo@ietf.org>
Cc: ipsec@ietf.org<mailto:ipsec@ietf.org>
Subject: [IPsec] Diet-ESP

Please find the new version of Diet-ESP a compress IPsec/ESP for IoT. We have implemented and tested Diet-ESP. Compared to the standard IPsec/ESP, Diet-ESP can reduce the networking overhead added to unprotected data from 100% to a few percent. I will be happy to present these draft next IETF.

Feel free to make comments!

The drafts includes:
    1) draft-mglt-6lo-diet-esp-requirements<http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp-requirements/>: lists the requirements for Diet-ESP
    2) draft-mglt-6lo-aes-implicit-iv<http://datatracker.ietf.org/doc/draft-mglt-6lo-aes-implicit-iv/>: indicates how to avoid carrying the IV in each ESP packet. It is instead generated by each peers. The protocols described in the draft can be used with the regular IPsec/ESP.
    3) draft-mglt-6lo-diet-esp<http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp/> describes the core Diet-ESP protocol, that is how to compress/decompress each fields of the standard IPsec/ESP. Compression is discribed through a Diet-ESP Context.
    4) draft-mglt-6lo-diet-esp-payload-compression<http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp-payload-compression/>: describes how the clear text can be compressed before encryption. In fact unless IPsec/ESP is used with NULL encryption, the data in the ESP packet is encrypted. Encryption makes compression hard to perform. Instead compressing before encrypting can be very efficient. This makes possible to remove UDP/TPC/IP tunnel headers.
    5) draft-mglt-6lo-diet-esp-context-ikev2-extension<http://datatracker.ietf.org/doc/draft-mglt-6lo-diet-esp-context-ikev2-extension/>: describes how to negociate Diet-ESP with IKEv2. In fact this mostly result in an agreement for the DIet-ESP Context. This exchange may then be extended to Diet-HIP Exchange.
BR,
Daniel
--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58<tel:%2B33%206%2070%2072%2069%2058>



--
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email