Re: [IPsec] Puzzle algorithm negotiation
Yaron Sheffer <yaronf.ietf@gmail.com> Mon, 26 January 2015 09:34 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 770401A885E for <ipsec@ietfa.amsl.com>; Mon, 26 Jan 2015 01:34:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FqQT8maVDbkN for <ipsec@ietfa.amsl.com>; Mon, 26 Jan 2015 01:34:39 -0800 (PST)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 861BF1A8826 for <ipsec@ietf.org>; Mon, 26 Jan 2015 01:34:39 -0800 (PST)
Received: by mail-wi0-f178.google.com with SMTP id em10so8395976wid.5 for <ipsec@ietf.org>; Mon, 26 Jan 2015 01:34:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=rE/0KEHTQcRF0p76aDms+lYBwnL4oprRpgMoReq0Xik=; b=tff3fimUvi2lUMA6/F8l8iKus/eMZFzINzW7EJ63PcHGdyM7sIKuOYFTsfmWVxMwM3 Za8upU9vd9UIbeQZde0r0eL51ydLM+EjVP0JOtWG3BCdNuyAtGZ9Xsn4Kx22OdRvk3OV V3QvJAmpG955YbsZtOMQmbHyvHNVBW/dTjcMd2a+ZFXVhKAohbWy4K5Y75OfRpz0N+cD hiMWd+CsQecz7eXHSeJkvHELH3TxBwLF7OwjgWnw/d1CrM0P5U90as9KEYRbGnvu4szk m7U8QBV9UNRnw01i4cMFUgSINCL+oFTTlUpoLTg/7DWfmDToMK9FyhpYNSoX8FZa/LoA 0Q+A==
X-Received: by 10.194.71.45 with SMTP id r13mr41165843wju.128.1422264878086; Mon, 26 Jan 2015 01:34:38 -0800 (PST)
Received: from [10.2.0.130] (93-173-247-187.bb.netvision.net.il. [93.173.247.187]) by mx.google.com with ESMTPSA id bo3sm13502227wjb.44.2015.01.26.01.34.36 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Jan 2015 01:34:37 -0800 (PST)
Message-ID: <54C60A2C.2020105@gmail.com>
Date: Mon, 26 Jan 2015 11:34:36 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>
References: <BB49D854-245F-468E-9BBC-78D51B62ADCA@gmail.com> <0305AC94D9084D07B34DB45847595AD6@buildpc> <54C53CC8.5010603@gmail.com> <20D5D022-62E8-4BB4-97C0-C5D2D233D266@gmail.com>
In-Reply-To: <20D5D022-62E8-4BB4-97C0-C5D2D233D266@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/jcpYGl1kENEQh-Z_fOS_ql2FMgE>
Cc: ipsec <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>
Subject: Re: [IPsec] Puzzle algorithm negotiation
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jan 2015 09:34:41 -0000
I thought fixing the PRF would simplify the implementation, but now I realize that it wouldn't. Thanks, Yaron On 01/26/2015 06:52 AM, Yoav Nir wrote: > >> On Jan 25, 2015, at 8:58 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote: >> >> Hi Yoav, Valery, >> >> I agree with Valery's proposed redefinition of the proof-work-work, based on the PRF. >> >> I am currently off-line so my question may have been answered in the pull request, but: can we make it very clear that the PRF used for the POW must be the very same as the one selected by the responder for the IKE SA? > > It is possible, but I don’t see why it’s a good thing. Suppose the conversation goes like this: > > Initiator: I want (AES-CBC-128 or AES-CBC-256) with (AUTH_HMAC-SHA1 or AUTH_HMAC-SHA256) and (PRF_ HMAC-SHA1 or PRF_HMAC-SHA256) and (Group 2 or Group 14) > > Responder: First do proof-of-work with PRF_HMAC-SHA256 > > Initiator: Here’s the proof-of-work, now I want (AES-CBC-128 or AES-CBC-256) with (AUTH_HMAC-SHA1 or AUTH_HMAC-SHA256) and (PRF_ HMAC-SHA1 or PRF_HMAC-SHA256) and (Group 2 or Group 14). > > Responder: Fine, I choose AES-CBC-128 with HMAC-SHA1 and PRF_HMAC-SHA1 and Group 2. > > What is the benefit of forcing the responder to choose the same PRF algorithm twice? What is wrong with having it choose PRF_HMAC-SHA1? Sure, we *can* do this, but why? > >> People may not like it (I don't) but a major reason for including agility today is FIPS silliness. One day people will be forced to rip out any mention of SHA-256 from their code, and we don't want to need to reopen the RFC. > > Some algorithms are also more fashionable than others. > > Yoav > >> >> Thanks, >> Yaron >> >> On 01/19/2015 12:02 AM, Valery Smyslov wrote: >>> Hi Yoav, >>> >>> Pull Request: https://github.com/ietf-ipsecme/drafts/pull/2 >>> >>> Hi, >>> >>> Valery has created this pull request. During the meeting in Honolulu >>> and subsequent discussion on the list, several people requested that >>> there be a negotiation of the algorithm used in the puzzle rather >>> than fixing it to SHA-256. >>> >>> The pull request suggests figuring out which algorithms the >>> Initiator supports by examining the SA payload in the IKE_SA_INIT >>> request, and using the PRF algorithms. >>> >>> I’m posting this to the list, even thought we’re not sure about >>> this. Specifically, PRF_AES128_XCBC and (I think) PRF_AES128_CMAC >>> won’t work with the bitcoin-like puzzle that is currently in the draft. >>> >>> Why? >>> >>> For convenience assume a 16-byte cookie, a fixed zero IV (as always >>> in AES-XCBC) and fixed zero key. >>> >>> So let Y = AESENC(key, IV XOR COOKIE) = AESENC(zero, COOKIE) >>> Let Z = AESDEC(key, zero) = AESDEC(zero, zero) >>> Extend the cookie by Y XOR Z. >>> The result will give you a 128-bit tag of all zeros. Way too easy. >>> >>> You forgot about the mandatory 10* padding in AES-XCBC. >>> So, the result of AESDEC(zero, zero) should not be a random >>> string, but should look like properly padded one. >>> But anyway, I think that if we use PRF for puzzles, then the puzzle >>> definition should be changed. >>> Let R=PRF(K,S). Then the puzzle should be: using supplied cookie as >>> message S, >>> find a key K so, that result R contains the requested number of trailing >>> zero bits. >>> I'm not a cryptographer, but I think this variant of puzzle should be secure >>> for all PRFs, defined in IPsec. Why? First, every secure PRF is a secure >>> MAC >>> (not visa versa). This is pointed out by several sources. Then, secure MAC >>> should not allow attacker to recover a key given the message and >>> the authentication tag. In our case the authentication tag is not fully >>> given, >>> but it must have some properties (desired number of trailing zero bits), >>> so it is not arbitrary. >>> >>> Another way to do this is to add a notification in the Initiator’s >>> request listing the hash algorithms that it supports. We could reuse >>> the RFC 7427 registry of hash algorithms. >>> >>> I don't think this is a good idea. First, it will require initiator to >>> include >>> a list of supported hash algorithms into request message. This will >>> unnecessary increase its size in all cases: at this point initiator >>> has no idea whether responder will ever use puzzles or even >>> whether it supports them. I think this is a waste of resources, >>> especially taking into consideration that we may reuse >>> information, that is always present in the request message. >>> >>> Personally, I really don’t like this algorithm agility, because we >>> don’t want to give the Initiator the options of a hard vs easy >>> puzzle. So suppose the Responder supports two algorithms, SHA-256 >>> and SHA-512, and that the latter is half as fast as the former, then >>> a SHA-512 puzzle would have to have 1 bit less than the SHA-256 >>> puzzle. But in fact, we know that SHA-512 is faster on 64-bit >>> platforms, while SHA-256 is faster on 32-bit platforms. Add some >>> GOST-certified hash to the mix, and the administrator’s task becomes >>> that much harder. >>> >>> If the difference in algorithms speeds is significant, then some weights >>> could be >>> added to algorithm definitions to make the required time to solve puzzle >>> roughly the same >>> on the same platform. >>> >>> OTOH often when a protocol is published without algorithm agility, >>> we end up extending it later. >>> >>> Exactly. >>> >>> Yoav >>> >>> Regards, >>> Valery. >>> >>> >>> _______________________________________________ >>> IPsec mailing list >>> IPsec@ietf.org >>> https://www.ietf.org/mailman/listinfo/ipsec >>> >
- [IPsec] Puzzle algorithm negotiation Yoav Nir
- Re: [IPsec] Puzzle algorithm negotiation Valery Smyslov
- Re: [IPsec] Puzzle algorithm negotiation Yaron Sheffer
- Re: [IPsec] Puzzle algorithm negotiation Yoav Nir
- Re: [IPsec] Puzzle algorithm negotiation Yaron Sheffer