Re: [lisp] I-D Action: draft-ietf-lisp-crypto-01.txt
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 02 June 2015 11:53 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39E9D1B2D67 for <lisp@ietfa.amsl.com>; Tue, 2 Jun 2015 04:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzY_CfYveRga for <lisp@ietfa.amsl.com>; Tue, 2 Jun 2015 04:53:22 -0700 (PDT)
Received: from emh07.mail.saunalahti.fi (emh07.mail.saunalahti.fi [62.142.5.117]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 253241B2D65 for <lisp@ietf.org>; Tue, 2 Jun 2015 04:53:22 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh07.mail.saunalahti.fi (Postfix) with ESMTP id 796244043; Tue, 2 Jun 2015 14:53:19 +0300 (EEST)
Date: Tue, 02 Jun 2015 14:53:19 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: "Brian Weis (bew)" <bew@cisco.com>
Message-ID: <20150602115319.GA15906@LK-Perkele-VII>
References: <20150501225938.17488.33586.idtracker@ietfa.amsl.com> <E0214FD5-7C51-45FA-89EC-B3656B6A6766@gmail.com> <20150502072254.GA6857@LK-Perkele-VII> <F269FD42-C422-438B-ACD6-BFBDBA5C76F4@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <F269FD42-C422-438B-ACD6-BFBDBA5C76F4@cisco.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/lisp/a76GjdPynzz9RVp14LCLiUv1cBY>
Cc: LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] I-D Action: draft-ietf-lisp-crypto-01.txt
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 11:53:24 -0000
On Tue, May 05, 2015 at 06:46:57AM +0000, Brian Weis (bew) wrote: > Hi Ilari, > > Thanks for your comments. > > On May 2, 2015, at 12:22 AM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote: > > > On Fri, May 01, 2015 at 04:04:03PM -0700, Dino Farinacci wrote: > >> Folks, this draft contains the following changes: > >> > >> B.1. Changes to draft-ietf-lisp-crypto-01.txt > >> > >> o Posted May 2015. > >> > >> o Create cipher suites and encode them in the Security LCAF. > >> > >> o Add IV to beginning of packet header and ICV to end of packet. > >> > >> o AEAD procedures are now part of encryption process. > > > > At least I can follow how the algorithms work. Remaining issues/notes: > > - It composes AEAD mode instaed of using ready-made one. The composed > > mode is if nothing else slow (SHA-1 is already slower than some > > ready-made AEAD modes). > > These are the algorithms we’re comfortable with for now. We could > have specified the combined AEAD mode cipher modes, but they add > complexity in the form of maintaining a counter for the nonce. What kind of memory is the association data in? Something that isn't volatile or which can't sustain fast updates? Any reason why "count and if you lose position, just rekey" wouldn't work. Note that designing AEAD algorithms is quite nontrivial. And making one with bad performance is easy too. > > - Key derivation looks to be missing hashing in important parameters > > (like group and exchange keys) into secrets. > > Not sure which parameters you mean? The DH shared secret is the > key for the KDF, I’m not sure why we’d provide any other keys as input > to the KDF. The problem is that by manipulating things like ciphers, groups or exchange keys (even one-sided), attackers can make strange things happen. Hashing such parameters is especially important if some sort of connection "figerprint" is provoded for MITM detection. If unsure what to hash, just dump the LCAFs into session key derivation as a whole. At least TLS took nasty attacks from not hashing in the exchange keys (g^x, g^y or xG, yG). Also, found another potential issue. There is no nonce field, which means that public keys can't be safely reused, but must be regenerated for each use. This would be especially troublesome for computationally-limited and memory-limited devices. If one has no space for auxillary tables, one needs to do DH operation to generate a key (which doubles key exchange CPU usage). With tables one can push it to about one third of DH operation, but at cost of tens (ECDH) or hundreds (DH) of kB of static tables. Of course, when reusing DH keys, one shouldn't keep them valid for too long. IIRC, Daniel J. Bernstein recommended ten seconds a while back, and considered several hours some products did as too long. > > - Some NIST-spec KDF? I think there are RFCs that describe KDFs. > > Yes, there’s RFC 5869 but the NIST KDFs are also widely used. I think RFC 5869 is much more used in IETF protocols than NIST KDFs. > > - 1024-bit DH is regarded as quite weak nowadays. > > - Two new ECDH functions from CFRG were recently annouced[1]. > > Should be faster than DH1024/DH2048 with way smaller keys. > > We do need less computationally demanding ciphers for deices that do > crypto in ARM based platforms, which explains the 1024-bit DH (and yes, > we realize it is weak). As stated in the Future Work section we will > be looking at these ECDH functions and should have some results > before the Prague meeting. If we can replace the 1024-bit DH we will. Something came up when investigating the TLS Logjam mess. Experts guess that NSA has computed "logarithm tables" for a few common 1024-bit DH groups. Those tables allow breaking DH very quickly. The authors of research on TLS Logjam recommended regarding use of DH: - Use ECDH (beweare of weak 160-bit curves and backdoored curves) - Named (fixed) groups need to be 2048 bits at least (beware of back- doored groups) - If needing to use 1024-bit DH, generate your own group and change it frequently. - Don't use <1024 bit DH at all. -Ilari
- [lisp] I-D Action: draft-ietf-lisp-crypto-01.txt internet-drafts
- [lisp] Fwd: I-D Action: draft-ietf-lisp-crypto-01… Dino Farinacci
- Re: [lisp] Fwd: I-D Action: draft-ietf-lisp-crypt… Ilari Liusvaara
- Re: [lisp] I-D Action: draft-ietf-lisp-crypto-01.… Brian Weis (bew)
- Re: [lisp] I-D Action: draft-ietf-lisp-crypto-01.… Ilari Liusvaara
- Re: [lisp] I-D Action: draft-ietf-lisp-crypto-01.… Dino Farinacci
- Re: [lisp] I-D Action: draft-ietf-lisp-crypto-01.… Ilari Liusvaara
- Re: [lisp] I-D Action: draft-ietf-lisp-crypto-01.… Dino Farinacci