Re: [IPsec] Puzzle algorithm negotiation
Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 25 January 2015 23:01 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DD0D1A00DB for <ipsec@ietfa.amsl.com>; Sun, 25 Jan 2015 15:01:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.192
X-Spam-Level:
X-Spam-Status: No, score=0.192 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bHeLN-xRH5Iq for <ipsec@ietfa.amsl.com>; Sun, 25 Jan 2015 15:01:54 -0800 (PST)
Received: from mail-wg0-x233.google.com (mail-wg0-x233.google.com [IPv6:2a00:1450:400c:c00::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 973C31A0053 for <ipsec@ietf.org>; Sun, 25 Jan 2015 15:01:54 -0800 (PST)
Received: by mail-wg0-f51.google.com with SMTP id k14so6200077wgh.10 for <ipsec@ietf.org>; Sun, 25 Jan 2015 15:01:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=SOChjHjngX3XA2Chs1qMHXsb65EgsfjQ2KujfLrYJeA=; b=ifaaNlyArUgxb08eyvMJWL64pIC5YN9kt5F3/+48DCZiHJklGmpUIUpXKxHjeQ2PsG OlMpN+IGTVt4PIWYtFguTB8vTYH7NnSdwYYo/dS5AiSb9sgGfHFnBKCv3qYRJj1L6iKz NEqLSIheTtTRF5VPk+qcdyrequFIRLuveehpCgzeSA8oFjxQ/kid+n9nfuDIYx7jkWtJ WPMmy5T5laKLyxzZptBGoOnkkN9MFg38TosmaJvxKkKkqVCdOGaF2nH7thaRJ35UpJya /+S3Ax10JeKB8nR/aEqkG2Q6oHDPuQr3i4+aF6EZQW+bs4GQkiNHFDT5osyLwUDNRLc3 aDOg==
X-Received: by 10.180.91.201 with SMTP id cg9mr27015954wib.63.1422226913410; Sun, 25 Jan 2015 15:01:53 -0800 (PST)
Received: from [10.0.0.7] (bzq-79-177-128-127.red.bezeqint.net. [79.177.128.127]) by mx.google.com with ESMTPSA id w3sm11931400wjf.3.2015.01.25.15.01.51 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 25 Jan 2015 15:01:52 -0800 (PST)
Message-ID: <54C53CC8.5010603@gmail.com>
Date: Sun, 25 Jan 2015 10:58:16 -0800
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Valery Smyslov <svanru@gmail.com>, Yoav Nir <ynir.ietf@gmail.com>, ipsec <ipsec@ietf.org>
References: <BB49D854-245F-468E-9BBC-78D51B62ADCA@gmail.com> <0305AC94D9084D07B34DB45847595AD6@buildpc>
In-Reply-To: <0305AC94D9084D07B34DB45847595AD6@buildpc>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/Sc8QoLyF-QrqPnTymcaQFSKlyCw>
Subject: Re: [IPsec] Puzzle algorithm negotiation
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jan 2015 23:01:56 -0000
Hi Yoav, Valery, I agree with Valery's proposed redefinition of the proof-work-work, based on the PRF. I am currently off-line so my question may have been answered in the pull request, but: can we make it very clear that the PRF used for the POW must be the very same as the one selected by the responder for the IKE SA? People may not like it (I don't) but a major reason for including agility today is FIPS silliness. One day people will be forced to rip out any mention of SHA-256 from their code, and we don't want to need to reopen the RFC. Thanks, Yaron On 01/19/2015 12:02 AM, Valery Smyslov wrote: > Hi Yoav, > > Pull Request: https://github.com/ietf-ipsecme/drafts/pull/2 > > Hi, > > Valery has created this pull request. During the meeting in Honolulu > and subsequent discussion on the list, several people requested that > there be a negotiation of the algorithm used in the puzzle rather > than fixing it to SHA-256. > > The pull request suggests figuring out which algorithms the > Initiator supports by examining the SA payload in the IKE_SA_INIT > request, and using the PRF algorithms. > > I’m posting this to the list, even thought we’re not sure about > this. Specifically, PRF_AES128_XCBC and (I think) PRF_AES128_CMAC > won’t work with the bitcoin-like puzzle that is currently in the draft. > > Why? > > For convenience assume a 16-byte cookie, a fixed zero IV (as always > in AES-XCBC) and fixed zero key. > > So let Y = AESENC(key, IV XOR COOKIE) = AESENC(zero, COOKIE) > Let Z = AESDEC(key, zero) = AESDEC(zero, zero) > Extend the cookie by Y XOR Z. > The result will give you a 128-bit tag of all zeros. Way too easy. > > You forgot about the mandatory 10* padding in AES-XCBC. > So, the result of AESDEC(zero, zero) should not be a random > string, but should look like properly padded one. > But anyway, I think that if we use PRF for puzzles, then the puzzle > definition should be changed. > Let R=PRF(K,S). Then the puzzle should be: using supplied cookie as > message S, > find a key K so, that result R contains the requested number of trailing > zero bits. > I'm not a cryptographer, but I think this variant of puzzle should be secure > for all PRFs, defined in IPsec. Why? First, every secure PRF is a secure > MAC > (not visa versa). This is pointed out by several sources. Then, secure MAC > should not allow attacker to recover a key given the message and > the authentication tag. In our case the authentication tag is not fully > given, > but it must have some properties (desired number of trailing zero bits), > so it is not arbitrary. > > Another way to do this is to add a notification in the Initiator’s > request listing the hash algorithms that it supports. We could reuse > the RFC 7427 registry of hash algorithms. > > I don't think this is a good idea. First, it will require initiator to > include > a list of supported hash algorithms into request message. This will > unnecessary increase its size in all cases: at this point initiator > has no idea whether responder will ever use puzzles or even > whether it supports them. I think this is a waste of resources, > especially taking into consideration that we may reuse > information, that is always present in the request message. > > Personally, I really don’t like this algorithm agility, because we > don’t want to give the Initiator the options of a hard vs easy > puzzle. So suppose the Responder supports two algorithms, SHA-256 > and SHA-512, and that the latter is half as fast as the former, then > a SHA-512 puzzle would have to have 1 bit less than the SHA-256 > puzzle. But in fact, we know that SHA-512 is faster on 64-bit > platforms, while SHA-256 is faster on 32-bit platforms. Add some > GOST-certified hash to the mix, and the administrator’s task becomes > that much harder. > > If the difference in algorithms speeds is significant, then some weights > could be > added to algorithm definitions to make the required time to solve puzzle > roughly the same > on the same platform. > > OTOH often when a protocol is published without algorithm agility, > we end up extending it later. > > Exactly. > > Yoav > > Regards, > Valery. > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] Puzzle algorithm negotiation Yoav Nir
- Re: [IPsec] Puzzle algorithm negotiation Valery Smyslov
- Re: [IPsec] Puzzle algorithm negotiation Yaron Sheffer
- Re: [IPsec] Puzzle algorithm negotiation Yoav Nir
- Re: [IPsec] Puzzle algorithm negotiation Yaron Sheffer