[MBONED] Formal Validation of Security Properties for AMT Exchanges
Bill Atwood <bill@cse.concordia.ca> Wed, 23 March 2011 23:12 UTC
Return-Path: <bill@cse.concordia.ca>
X-Original-To: mboned@core3.amsl.com
Delivered-To: mboned@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 916E33A66B4 for <mboned@core3.amsl.com>; Wed, 23 Mar 2011 16:12:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.561
X-Spam-Level:
X-Spam-Status: No, score=-2.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qfDnp5y61593 for <mboned@core3.amsl.com>; Wed, 23 Mar 2011 16:12:12 -0700 (PDT)
Received: from oldperseverance.encs.concordia.ca (oldperseverance.encs.concordia.ca [132.205.96.94]) by core3.amsl.com (Postfix) with ESMTP id 3C7D03A659C for <mboned@ietf.org>; Wed, 23 Mar 2011 16:12:12 -0700 (PDT)
Received: from [IPv6:::1] (bill@poise.encs.concordia.ca [132.205.2.209]) by oldperseverance.encs.concordia.ca (envelope-from bill@cse.concordia.ca) (8.13.7/8.13.7) with ESMTP id p2NNDiZw031458; Wed, 23 Mar 2011 19:13:44 -0400
Message-ID: <4D8A7EAA.3060903@cse.concordia.ca>
Date: Wed, 23 Mar 2011 19:13:46 -0400
From: Bill Atwood <bill@cse.concordia.ca>
Organization: Concordia University, Department of Computer Science and Software Engineering
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: mboned@ietf.org
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.58 on oldperseverance.encs.concordia.ca at 2011/03/23 19:13:44 EDT
Cc: Ali Salem <sale_ali@cse.concordia.ca>
Subject: [MBONED] Formal Validation of Security Properties for AMT Exchanges
X-BeenThere: mboned@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mail List for the Mboned Working Group <mboned.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mboned>, <mailto:mboned-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mboned>
List-Post: <mailto:mboned@ietf.org>
List-Help: <mailto:mboned-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mboned>, <mailto:mboned-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2011 23:12:13 -0000
As part of a larger project using AMT to extend the reach of multicast sessions, we have modeled the exchanges between an AMT gateway and its associated AMT relay, using the AVISPA tools. (Automated Validation of Internet Security Protocols and Applications; see http://www.avispa-project.org/) If specific attacks by an intruder are also modeled, it is possible to demonstrate that the message exchanges are free from those attacks. >From these augmented models, we have learned the following: Authentication on the MAC According to the Internet-Draft, the produced MAC is used only for routability purposes by the respondent, and the originator does not need to know anything about it in terms of content or hashing algorithm. As a result, if any party represents itself as an authentic AMT Relay, the AMT Gateway has no way to figure out otherwise. All the scenarios that we tested produced the same result: a Relay Impersonation attack was found where the intruder pretended to be a Relay and consequently fooled the Gateway. Note that since an intruder can easily present himself as a Relay, he will be able to easily learn the unsecured parameters exchanged with the Gateway. Secrecy of the MAC The MAC is sent in the clear, so the lack of secrecy of the MAC is obvious. While the MAC is composed from some parameters (the example given in the draft is "the source IP of the request, the source UDP port, the request nonce and a secret key known only to the respondent"), it is produced using a one-way cryptographic hash, making it unlikely that the intruder could figure out the original parameters. However, an intruder may be able to make use of the MAC by sending a Membership update Leave/Done message to the Relay while spoofing the source IP address of the Gateway. This can result in the Relay disconnecting the unicast stream to the Gateway. An example of this sequence of events has been demonstrated by AVISPA. Secrecy of the Local Secret According to the Internet Draft, the Local Secret ("the secret known only to the respondent") never has to be shared with the other side; it is only used to verify return routability of the originator. The Gateway does not care what the Local Secret is or what the MAC produced by the Relay is, since it simply echoes it in the AMT membership update message. An intruder cannot figure out the original parameters of the MAC (see above), and thus will not be able to learn the value of the Local Secret. To further confirm this, the validation results from all of our scenarios showed the protocol to be safe with respect to this goal for a bounded number of sessions. Implications 1) The Security Considerations section of the draft should at least acknowledge the existence of the Relay Impersonation attack, even if the solution to it is declared to be out-of-scope. 2) The design team should consider whether or not it is necessary to protect the MAC. If the decision is made not to alter the protocol to achieve this, the potential attack should be noted in the Security Considerations section of the draft. Bill Atwood Ali Salem -- Dr. J.W. Atwood, Eng. tel: +1 (514) 848-2424 x3046 Distinguished Professor Emeritus fax: +1 (514) 848-2830 Department of Computer Science and Software Engineering Concordia University EV 3.185 email: bill@cse.concordia.ca 1455 de Maisonneuve Blvd. West http: //users.encs.concordia.ca/~bill Montreal, Quebec Canada H3G 1M8