Re: [IPsec] WG Review: IP Security Maintenance and Extensions (ipsecme)
Tero Kivinen <kivinen@iki.fi> Tue, 29 July 2008 00:07 UTC
Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA79B28C1DF; Mon, 28 Jul 2008 17:07:30 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8842928C206 for <ipsec@core3.amsl.com>; Mon, 28 Jul 2008 17:07:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MBoz7r9RzeYt for <ipsec@core3.amsl.com>; Mon, 28 Jul 2008 17:07:28 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by core3.amsl.com (Postfix) with ESMTP id CA76A3A68D0 for <ipsec@ietf.org>; Mon, 28 Jul 2008 17:07:27 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.13.8) with ESMTP id m6T07TLw026700 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 29 Jul 2008 03:07:29 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id m6T07TYs014461; Tue, 29 Jul 2008 03:07:29 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Message-ID: <18574.24385.37955.850321@fireball.kivinen.iki.fi>
Date: Tue, 29 Jul 2008 03:07:29 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Dan Harkins <dharkins@lounge.org>
In-Reply-To: <7783b00871110e39a0fa7f2f9b751a56.squirrel@www.trepanning.net>
References: <20080624163001.66CF63A6A69@core3.amsl.com> <24824166c413680844268e1db43651cf.squirrel@www.trepanning.net> <F7958F65-F576-4323-B0F4-19856EB3ED6C@checkpoint.com> <7783b00871110e39a0fa7f2f9b751a56.squirrel@www.trepanning.net>
X-Mailer: VM 7.19 under Emacs 22.1.1
X-Edit-Time: 9 min
X-Total-Time: 9 min
Cc: ipsec@ietf.org, Yoav Nir <ynir@checkpoint.com>
Subject: Re: [IPsec] WG Review: IP Security Maintenance and Extensions (ipsecme)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
Dan Harkins writes:
> Your example was to send the 64-bit index into a database as the ticket.
> I'm sure that's not what you propose to do and was just an example but
> it illustrates why we need some base requirements around construction of
> the ticket. Such a ticket is forgeable and nothing binds a peer to such
> a ticket. The scheme would probably rely on layers of checks ("is the
> claimed sender of this ticket the same as the address in the SA pointed
> to by this ticket index?", etc) to ensure the ticket isn't misused instead
> of having a robust cryptographic check to ensure proper ticket usage.
Running index would be perfectly good ticket and would be perfectly
secure. The initiator doing the resumption will give that ticket to
the responder, responder will look up the keys and other material from
the database, and then decrypt the rest of the encrypted message and
verify the integrity of it. After that it will mark the index in the
database as "used" so it cannot be used anymore. The initiator has
proven the knowledge of the key associated to the ticket (but not
wrapped in to the ticket, as it was in the database instead) by being
able to create the encrypted and integrity protected parts of the
message. Any other peer would be knowing the keys to generate
cryptographically integrity portected message so that should prevent
anybody else using the ticket (unless the original party of the
initial IKE SA creation gives out the keys).
I do not understand why the ticket must be unforgeable or why it must
be indistinguishable from random? Those requirements do not make any
sense for me in this kind of database case. Anybody can see the ticket
immediately when it is first time used and attacker just needs to read
the ticket from there and block those packets from reaching the
recipient and then he can use the ticket if that would be the only
protection on the ticket. The real protection is that only valid party
can create the cryptographacally protected part of the message.
> Another bad example of ticket creation would be to create a keystream
> with a hash function, seeded with some password, and XOR the keystream
> with each ticket to create the opaque blob. A naive implementor who is
> not security savvy might come up with such a scheme. We should prevent
> someone from claiming compliance with a standards track RFC from the
> Security Area of the IETF if they have such a lame scheme.
Yes, that would be very bad ticket.
The vendor could also post those tickets and their decrypted content
to the wikipedia for storage, and that would also be bad way to do
tickets, but I still do not think we need to add rules forbidding
that...
> This is a security protocol and we should make sure it's secure. To do
> so we should specify _minimum_ behavior to comply with reasonable security
> requirements. A base blob communication protocol whose entire security
> is left up to the imagination of the implementor is not what a standards
> track RFC out of the Security Area of the IETF should be, in my opinion
> anyway.
But as has been pointed out the ticket might not be just opaque blob
communication, it could also be representated as handle to some
internal persistent data structure.
--
kivinen@safenet-inc.com
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] WG Review: IP Security Maintenance and Ex… IESG Secretary
- Re: [IPsec] WG Review: IP Security Maintenance an… Hui Deng
- Re: [IPsec] WG Review: IP Security Maintenance an… Dan Harkins
- Re: [IPsec] WG Review: IP Security Maintenance an… Yaron Sheffer
- Re: [IPsec] WG Review: IP Security Maintenance an… Dan Harkins
- Re: [IPsec] WG Review: IP Security Maintenance an… Yoav Nir
- Re: [IPsec] WG Review: IP Security Maintenance an… Dan Harkins
- Re: [IPsec] WG Review: IP Security Maintenance an… Tero Kivinen
- Re: [IPsec] WG Review: IP Security Maintenance an… Dan Harkins
- Re: [IPsec] WG Review: IP Security Maintenance an… Tero Kivinen
- Re: [IPsec] WG Review: IP Security Maintenance an… Dan Harkins
- [IPsec] WG Review: IP Security Maintenance and Ex… The IESG