IETF Logo Mail Archive

Re: [lisp] Let's review crypto in lisp-crypto

Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 01 November 2015 09:53 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CED91A8738 for <lisp@ietfa.amsl.com>; Sun, 1 Nov 2015 01:53:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.6
X-Spam-Level:
X-Spam-Status: No, score=-1.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_BACKHAIR_52=1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uX-8K9BXO4Q2 for <lisp@ietfa.amsl.com>; Sun, 1 Nov 2015 01:53:30 -0800 (PST)
Received: from filtteri2.pp.htv.fi (filtteri2.pp.htv.fi [213.243.153.185]) by ietfa.amsl.com (Postfix) with ESMTP id CD0F21A872E for <lisp@ietf.org>; Sun, 1 Nov 2015 01:53:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by filtteri2.pp.htv.fi (Postfix) with ESMTP id A274819C79D; Sun, 1 Nov 2015 11:53:28 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from smtp5.welho.com ([213.243.153.39]) by localhost (filtteri2.pp.htv.fi [213.243.153.185]) (amavisd-new, port 10024) with ESMTP id 2m8zxFwXnNdz; Sun, 1 Nov 2015 11:53:28 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp5.welho.com (Postfix) with ESMTPSA id 661225BC002; Sun, 1 Nov 2015 11:53:28 +0200 (EET)
Date: Sun, 01 Nov 2015 11:53:25 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Dino Farinacci <farinacci@gmail.com>
Message-ID: <20151101095325.GB13377@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20151028141703.GA9632@LK-Perkele-V2.elisa-laajakaista.fi> <1C855BE8-70D6-4604-AFED-4298AAD6186C@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1C855BE8-70D6-4604-AFED-4298AAD6186C@gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/lisp/CepecPxrIN3Gtz1ymuRXVBnm16o>
Cc: LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] Let's review crypto in lisp-crypto
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Nov 2015 09:53:32 -0000

On Sun, Nov 01, 2015 at 01:13:56AM -0700, Dino Farinacci wrote:
> 
> > - Ciphersuite 1 uses 1024-bit Diffie-Hellman, which is too weak
> >  (after you have cracked one key (and it doesn't take that much,
> >  especially if you can throw ASICs at the problem), you can crack
> >  each subsequent one in a few CPU minutes. With 2048-bit DH, at
> >  least the first key tends to be too hard, and with ECDH, tricks
> >  like this don't work).
> 
> Yes, both Brian and I replied that we were using this more for
> experimentation on low-powered or CPU challenged devices. We will
> not recommend its use. It’s just there for implementations to start
> with something. But havind said that, I would like to recommend
> the smaller keys that come along with chacha20/poly1305 so maybe
> the subject is moot. 

I think that even having low-security options is a problem.

> > - Instead of "homecooked" encryption, use AEAD modes. AES-GCM is a lot
> >  faster than AES-CBC + HMAC-SHA1-96.
> 
> I didn’t realize we were home cooking this. We can certainly go with
>  AES-GCM. Do you think we should add a new cipher suite for it or
> just change the existing ones that refer to AES-CBC to AES-GCM?

I think just change them.

> > - AEAD_CHACHA20_POLY1305 is not composition of CHACHA20 and POLY1305,
> >  it is a single AEAD algorithm (as is AES128-GCM).
> 
> Did we imply that? Can you point to the text? I for one, am not
> expert enough to know the difference so if text implies that,
> please point that out.

IIRC, the text says something like:

Encryption: Chacha20
Integerity: Poly1305  (i.e. AEAD_CHACHA20_POLY1305)

Which would imply some sort of composition (and the encryption and
decryption procedures also seem to imply it is composition, as
those handle encryption and authentication seperatedly).

> > - The NIST SP800-108 KDF handles the counter and length internally,
> >  those are not part of the context input.
> 
> You should point to text so we know where in the spec you are
> commenting against. It is hard to get context from your comments.

Section 5 in -02. The listing for "Context" (meaning the fields
in context).

> > - If you need identifier for association (e.g. for displaying to
> >  admin for authentication purposes), you must hash in the (EC)DH
> >  public keys used into the identifier. Otherwise MITM attacker can
> >  defeat the authentication.
> 
> We use the source RLOC and the Map-Request nonce to identify the association.

That's does not create identifier suitable for comparing between
endpoints for authentication.

> > - If the same system can be ITR and ETR at once, how one ensures that
> >  if two such systems establish associations to each other, the keys
> >  won't wind up being the same? This could be solved by requiring
> 
> Because the key-pair is unidirectional. If router A is an ITR and sends
> a Map-Request to router B, that key-pair is for data traffic encapsulated
> from A to B. If B is an ITR encapsulating to A an ETR, a differne
> key-pair is used. A new random number generator, nonce, and key
> exchange is performed for each direction.

You mean that A (and B) is supposed to use different DH keys for
their roles as ITR and ETR (if reusing keys, like at least some
implementations are going to do)?

I didn't see that explicitly required anywhere (this is kind of
thing one wants to document).

The problem if routers share keys between roles is that if two
such routers connect to each other and pick the same nonces (nonce
looks to be only 24 bits!) the keys will collide, with bad
results.

> > - AEAD_CHACHA20_POLY1305 IVs are 12 octets, right? That's too short
> >  to randomly generate. Instead, the encryptor should just use its
> 
> Yes, you are right. I padded to 16-bytes in my implementation. Do
> you see harm in that. That way the packet length/format doesn’t have
> to change for different cipher suites.

Well, no harm to have padding bits (if those are authenticated!). It
is just that such padding needs to be specified.

(Assuming AD for AEAD algorithms is ICV\Encrypt, those are
authenticated)

If you have some AEAD algo with N_MIN > 16 (I don't think any are
currently defined) you could even zero-pad the IV...

> > - Are the associations unidirectional (data is only ever sent one
> >  way) or how is uniqueness of IVs between directions handled?
> 
> Yes, unidirectional. IVs are per packet, any packet, in any direction.

Okay. That reduces IV uniqueness to ensuring each side generates
unique IVs and that the keying material is direction-dependent.
 
> > - IV is incremented for every packet? If using CBC mode, predictable
> >  IVs are bad (AEAD algorithms do deal with predictable IVs, but not
> >  repeating IVs).

I mean, the document seems to say both IVs are randomly generated and
incremented for every packet (which seem to be mutually
contradictionary).
 
> > - AEAD_CHACHA20_POLY1305 decryption both checks the ICV and if the
> >  check passes, decrypts the data. So performing step 2 also performs
> >  step 5.
> 
> Hmm. So are you saying that if the cipher suite negotiated is chacha20,
> we should not add a ICV? That would be great, beacuse we can make cipher
> suite 4 go even faster.

The encryption with AEAD algorithm presumably goes as follows:

1) The encapsulator generates IV by some method that takes very long
time to repeat (counters, LFSRs, etc...) and appends it to the LISP
header.

2) Invoke the AEAD encryption with:
- Key set to encryption-key
- Nonce set to the IV (truncated to N_MAX octets if N_MAX<16, padded
  with zeroes in the end to N_MIN octets if N_MIN>16).
- AD set to LISP header plus added IV field (the parts of packet marked
  as ICV but not encrypt).
- Plaintext set to the packet payload.

(Any possible tag output is appended to the ciphertext)

3) Prepend the LISP header, together with the IV field into ciphertext.

4) Lastly, prepend the UDP and IP headers into the encrypted packet
and send to destination RLOC.


And decryption:

1) Strip the outer IP and UDP headers.

2) Strip tag encryption concatenated  from packet payload (if any).

3) Invoke the AEAD decryption with:
- Key set to encryption-key (from local key-cache)
- Nonce set to the IV field contents (truncated to N_MAX octets if
  N_MAX<16, padded with zeroes in the end to N_MIN octets if N_MIN>16).
- AD set to LISP header plus added IV field (the parts of packet marked
  as ICV but not encrypt).
- Ciphertext set to the packet payload.

(If the algorithm has tag input, the tag is split off from the
ciphertext).

If the result is FAIL, drop the packet (it is tampered with) and
optionally issue a log message.

3) Strip IV from the packet.

4) Forward the packet to destination EID.
 

The nonce truncation/padding rules are to handle AEAD algorithms
that don't accept 16 octet nonces but still keep the IV on
wire at constant 16 octets.

There is also AEAD_AES_128_GCM, which being AEAD algorithm, is used
similarly to AEAD_CHACHA20_POLY1305. The above algorithms work with
it too.



-Ilari

v2.23.0 | Report a Bug | By Email