IETF Logo Mail Archive

Re: [lisp] Deriving Map-Register/Notify authentication key from PSK [Was: Re: Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6833bis-24: (with DISCUSS and COMMENT)]

Dino Farinacci <farinacci@gmail.com> Wed, 20 March 2019 22:27 UTC

Return-Path: <farinacci@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 926EE1200D7; Wed, 20 Mar 2019 15:27:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8YU821NDy6PI; Wed, 20 Mar 2019 15:27:32 -0700 (PDT)
Received: from mail-pg1-x544.google.com (mail-pg1-x544.google.com [IPv6:2607:f8b0:4864:20::544]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13CA1131270; Wed, 20 Mar 2019 15:27:29 -0700 (PDT)
Received: by mail-pg1-x544.google.com with SMTP id i2so2789151pgj.11; Wed, 20 Mar 2019 15:27:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=stXizuIH4NeU8h5P/K13cGLyBjz4Y7BUEZJjsfdCPDg=; b=cbcPSh8mzzluXB0B0AfEgkoUObUEiAU3pv5eXkzwvyAkZhUqDyfQBVXo35IOPFWFMo /mrUsOXGIputi8gcw+60vWcHn2ufrCguTdrfgZc721i4MB+w3wNNd7/w5F2gFtpzPtX3 YANOddCAPTrVE+eXeMz1NDVcGOFgrms46FoRohOTfJMioA+lANSNTIM561LVGB0/zkOy 4a5UwnrkENCqxbNs+bXFXf3+HesjYlITKATN3lZd6PqGiQgDC0OT7UXQWNFiMrqiHTCu RZYwjb20yUMIkm/FHWC+ymHfxSeNhKzXgawyeah2cklxGhIYNZKKicM21fTuKw+PgoHQ QlEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=stXizuIH4NeU8h5P/K13cGLyBjz4Y7BUEZJjsfdCPDg=; b=g3nkd6UcKKlMJUgZ5DVNtLZxj5VfhS8XcfK93LFVVA9CFyi7uaxZj6mHiPnFpRsRbz OHgkTb/ydeqWK27sxq1g1eS2kDKMs2wEM+fy/PdYRWdDSgbZ1QdEGlYlFVZotuZexGow Uc+hjkD/eH0Jrx2vBUGx6CnlbXs3EDImKszQO6MXwKUsE0QoepHCi8fj7+6xronAN5Zw lSgkkjY78B9sBONecThd8cuw0PAQws6pmVQjDl2VmNop6uROMlU4ZB1g3i52U4FiGnM4 TfEfdJk5AukxezChk3C8CoC8OOph97ldv0RrOuSE5SDu7nF25QvulE+Jc7enUiqUZRd7 S9HQ==
X-Gm-Message-State: APjAAAVGPvW2Y7Qn97yA79L5CZd2MRcS0blwdujlrar/fJOi3I/FRq+k Bc0+Ih85z1zrgeXt0xOr+5E=
X-Google-Smtp-Source: APXvYqyE5XzQCAhs/lkXRldwLfr4n34ybGsJznLbSe4zaPoWQr0q2ZhhrpA6crrVg+UxJlIzeqaVNQ==
X-Received: by 2002:a65:50cc:: with SMTP id s12mr352226pgp.130.1553120848575; Wed, 20 Mar 2019 15:27:28 -0700 (PDT)
Received: from [10.97.50.142] ([96.72.181.209]) by smtp.gmail.com with ESMTPSA id a1sm4979402pfn.26.2019.03.20.15.27.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Mar 2019 15:27:27 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <20190320150544.GE80498@kduck.mit.edu>
Date: Wed, 20 Mar 2019 15:27:26 -0700
Cc: Fabio Maino <fmaino@cisco.com>, lisp-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-lisp-rfc6833bis@ietf.org, lisp@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <BB32AA11-8316-4FB5-900B-234D87E140AF@gmail.com>
References: <154954743968.23471.9935733647283605722.idtracker@ietfa.amsl.com> <0d5057bf-46a4-afa2-0794-09c444cfde99@cisco.com> <20190320150544.GE80498@kduck.mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/-F3Us4WYKTRhJzFvzj1eIYyZ76M>
Subject: Re: [lisp] Deriving Map-Register/Notify authentication key from PSK [Was: Re: Benjamin Kaduk's Discuss on draft-ietf-lisp-rfc6833bis-24: (with DISCUSS and COMMENT)]
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2019 22:27:36 -0000

Ben regarding using PSKs for Map-Registers. How about we do this:

(1) The ETR and map-server can be provisioned with up to 256 keys.
(2) Each Map-Register uses one of the 256 keys buy doing a random number modulo 256.
(3) Each consecutive Map-Register will use a different key.
(4) The Map-Server would do the same for Map-Notify messages.

A key could only be used once very 4 hours.

And then a new 256 set of keys can be re-configured via a provisioning system.

How does that sound?

Dino

> On Mar 20, 2019, at 8:05 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> On Mon, Mar 18, 2019 at 03:01:07PM -0700, Fabio Maino wrote:
>> Hi Ben,
>> I'm starting this separated thread to discuss this point.
> 
> Thanks for splitting it off.
> 
>> 
>> On 2/7/19 5:50 AM, Benjamin Kaduk wrote:
>>> This document includes a mechansism to use HMAC keyed by a pre-shared key
>>> to authenticate messages (Map-Register and Map-Notify*); it is directly
>>> using the long-term PSK as the HMAC key.  This is not really consistent
>>> with current IETF best practices (e.g,. BCP 107), which tend to not use the
>>> long-term key directly for keying messages, but rather to incorporate some
>>> form of key derivation step, to protect the long-term key from
>>> cryptanalysis and reduce the need to track long-term per-key data usage
>>> limits.  It is probably not feasible to directly require all LISP
>>> implementations to switch keying strategy, but it seems quite advisable to
>>> define new algorithm ID types that include a key derivation step before the
>>> HMAC, and to begin efforts to convert the ecosystem to the more sustainable
>>> cryptographic usage.  I would like to discuss what actions are reasonable
>>> to take at this time, on this front.
>> 
>> 
>> We plan to proceed as follows.
>> 
>> Currently the Map-Register/Map-Notify protocols messages are 
>> authenticated using a Pre-Shared Key (PSK) identified by the Key ID 
>> field in the Map-Register/Notify message (I'll refer to Map-Register 
>> only from now on, but everything applies to both protocols). The Key ID 
>> field allows rotation of the PSK.
>> 
>> The Algorithm ID identifies the algorithm used. Currently the values 
>> defined are : (0) None, (1) HMAC-SHA1-96, and (2) HMAC-SHA-256-128
>> 
>>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>        |    Key ID     | Algorithm ID  |  Authentication Data Length   |
>>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>        ~                     Authentication Data                       ~
>>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>> 
>> 
>> We plan to introduce a simple key hierarchy that starting from the PSK 
>> derives per "application" specific keys (applications being 
>> Map-Register/Map-Notify Authentication, LISP-SEC OTK key wrapping, ... 
>> ). We will use the most significant bits of the Key ID as actual 
>> identifier of the PSK, and the least significant ones to rotate through 
>> application specific keys for a given PSK.
>> 
>> 
>> PSK [identified by Key ID-MSb]
>> 
>>     +--> Map-Register/Notification Key [identified by Key ID-LSb]
>> 
>>     +--> LISP-SEC OTK Wrapping Key [identified by Key ID-LSb]
>> 
>>     +--> ...
>> 
>> 
>> For example, if we use the 4 Most Significant bits in the Key ID to 
>> identify the PSK and the 4 Least Significant bits to rotate per 
>> application keys the ETR/MS will use an HKDF (RFC 5869) for 
>> per-application key derivation. Something like:
> 
> It's not clear to me that we need to use explicit identifier space to
> indicate what type of key we derived -- shouldn't that be implicit from the
> context in which we're processing a mesage?
> 
>> Map-Register Authentication Key = HKDF(Key ID + "Map-Register 
>> Authentication" + PSK)   where "Map-Register Authentication" is a string 
>> that identifies the Map-Register application.
> 
> It's good and important to include an identifier like this ("Map-Register
> Authentication") to produce different keys for performing different types
> of operations, but I think I may have been too brief when I introduced the
> topic of key derivation.  The general risk is that if we have a single key that
> gets used over and over for the same class of operation over a long period
> of time, an attacker can collect lots of ciphertexts produced by the same
> key, and do some forms of cryptanalysis that benefit from having more
> ciphertexts.  Whether this reused key is the original PSK explicitly shared
> between parties, or one deterministically derived from it for just
> map-register authentication or map-notify protection doesn't make much
> difference to the attacker -- there's still a lot of ciphertexts produced
> using the same key.  (That key just happens to have been the output of a
> KDF instead of directly shared).  The main goal of the KDF is to stop
> presenting many ciphertexts over time produced with the same key, by
> generating a fresh derived key for each exchange.  So, in addition to that
> context label for what type of key it is, we want something fresh per
> message, perhaps that binds the derived key to the specific message at
> hand.  I haven't thought very hard about the details yet, but it seems
> likely that we'd want to include the nonce as KDF input.  In some protocols
> we end up putting almost the entire message being protected in as
> additional input, but that's not always necessary or even helpful.
> 
>> As an example a Map-Register that has the Key ID field set to 0xd0 
>> refers to Map-Register Key 0x0 generated using PSK 0xd. If the ETR wants 
>> to rotate to a new Map-Register Authentication Key (without changing 
>> PSK) it will set the Key-ID field to 0xd1. A new PSK will be provisioned 
>> before all the 16 Map-register Authentication Keys associated with PSK 
>> 0xd are used.
> 
> I'm not sure there's a need to be able to rotate these intermediate derived
> keys separately from the main PSK (or, really, to have them at all, if
> there ends up being per-message input to the final KDF).  I guess
> technically it might end up letting you prolong the extent of "safe" PSK
> usage for the original PSK (along the lines of draft-irtf-cfrg-re-keying
> but not exactly the same); it's just not clear to me that we'd end up
> anywhere close to the computed limit, here.
> 
>> We will use the Algorithm ID to encode the particular KDF used. As an 
>> example the Algorithm ID defined for the Map-Register authentication 
>> protocol would be:
>> 
>> HMAC-SHA-256-128-HKDF-SHA1-128 that include HMAC-SHA-256-128 as 
>> Map-register authentication Algorithm, and HKDF-SHA1-128 as Key 
>> Derivation Algorithm.
> 
> That sounds reasonable.
> 
>> This is compatible with the existing Algorithm IDs defined up to now 
>> (encoded with values 0,1 and 2) that will be deprecated.
>> 
>> This seems general enough that we can extend it to other security 
>> services used with the various LISP messages (e,g, to derive a wrapping 
>> key to transport the OTK in LISP-SEC)
> 
> I think we can make it pretty general, yes.
> 
> -Benjamin
> 
>> Please let us know if you have comments or suggestions.
>> 
>> We will post the text to describe this in more details as soon as it's 
>> ready.
> 
> _______________________________________________
> lisp mailing list
> lisp@ietf.org
> https://www.ietf.org/mailman/listinfo/lisp

v2.23.0 | Report a Bug | By Email