Re: [Mipshop] Key derivation keys for draft-ietf-mipshop-handover-key
"James Kempf" <kempf@docomolabs-usa.com> Wed, 25 July 2007 16:42 UTC
Return-path: <mipshop-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IDjwB-0002YQ-Rr; Wed, 25 Jul 2007 12:42:11 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IDjwA-0002Xr-F1 for mipshop@ietf.org; Wed, 25 Jul 2007 12:42:10 -0400
Received: from key1.docomolabs-usa.com ([216.98.102.225] helo=fridge.docomolabs-usa.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IDjw9-0004fk-Mr for mipshop@ietf.org; Wed, 25 Jul 2007 12:42:10 -0400
Message-ID: <04ea01c7ceda$bd1b64f0$576115ac@dcml.docomolabsusa.com>
From: James Kempf <kempf@docomolabs-usa.com>
To: Greg Daley <Greg.Daley@eng.monash.edu.au>
References: <f5860b321f815.1f815f5860b32@monash.edu.au> <f597e8de193b2.193b2f597e8de@monash.edu.au>
Subject: Re: [Mipshop] Key derivation keys for draft-ietf-mipshop-handover-key
Date: Wed, 25 Jul 2007 09:42:07 -0700
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 2.8 (++)
X-Scan-Signature: 6640e3bbe8a4d70c4469bcdcbbf0921d
Cc: mipshop@ietf.org
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org
Greg,
I got the copy you sent to the mailing list. It seems my problems with
posting and reception have cleared up. I'll take a more detailed look at
your proposal when I get to revising the draft and post any questions, but,
after a quick read, I think it looks OK. I hope to quickly rev the document
after the drafts gate opens and have Vijay issue a last call, so that we can
get FMIP to the IESG before the November meeting.
jak
----- Original Message -----
From: "Greg Daley" <Greg.Daley@eng.monash.edu.au>
To: "Greg Daley" <Greg.Daley@eng.monash.edu.au>
Cc: <mipshop@ietf.org>; "James Kempf" <kempf@docomolabs-usa.com>
Sent: Wednesday, July 25, 2007 7:47 AM
Subject: Re: [Mipshop] Key derivation keys for
draft-ietf-mipshop-handover-key
Hi James, et al.
please note, I have sent a more complete version of this e-mail to the list.
Sorry for the klutziness.
Greg
----- Original Message -----
From: Greg Daley <Greg.Daley@eng.monash.edu.au>
Date: Wednesday, July 25, 2007 8:42 am
Subject: [Mipshop] Key derivation keys for draft-ietf-mipshop-handover-key
To: mipshop@ietf.org
Cc: kempf@docomolabs-usa.com
>
> I made a comment at the mike yesterday concerned about the requirement
> to use an additional (non-CGA) public/private keypair in the
> handover-keys draft.
>
> The comment I made was based on misunderstanding the issues
> presented in
> Rajeev's presentation.
>
> Now I have had the chance to go through the meat of James' earlier
> postabout these keys, and realize that the new keys would be
> exclusivelygenerated for key derivation, and would not require any
> bulk data
> encryption using assymmetric cryptography.
>
>
> I think this is a very good idea, in that it allows the key-
> derivation keys
> to be limited in lifetime, without affecting the stability or security
> of the CGA.
>
> The lifetime of any public key which is used in cryptography should be
> limited both by the number of key deriving encryption operations they
> perform, and an absolute lifetime, in order to prevent cryptanalysis.
>
>
> Having the router and host autonomously generate a shorter lived
> key-derivation keypair can be made to provide significant security
> without causing undue additional computation.
> This is because the key can be used and reused for key derivations
> with many different hosts and only discarded when it is worn out or
> old.
>
> The cost is that the key-derivation key information (algorithm, public
> key, etc) would have to be included in messages between the host
> and router
> before the keys could be derived, and additional information would
> need to
> be provided in the encrypted block of the Handover Key option.
>
>
> Note that it is important to ensure that the encypted key derivations
> themselves are not used in replay attacks, especially as the keys for
> the encryption of the symmetric key information are no longer the CGA
> private keys.
>
> This requires that information tying the sender's CGA public key to
> theencrypted block.
>
> Here is my view of the protocol:
>
>
> Legend
>
> N_n_i Nonce number (i) from node (n)
>
> T_n_i Timestamp number (i) from node (n)
>
> CGAOPT_n CGA option for node (n)
>
> KDKOPT_n Key Derivation Keying Option for node (n)
> Contains:
> information about key algorithm
> public key
> public key identifier (perhaps implicit, SHA-1 of
> public key)
>
> SIGNED_n signature using the CGA private key of (n)
>
> h Host
>
> r Router
>
>
> RS: Signed_h ( h,All Routers, N_r_1, T_r_1, KDKOPT_h,
> CGAOPT_h )
>
> RA:
>
>
>
> There is an assumption that the information in the KDK option is
> valid for a period where the subsequent messages key derivation
> exchanges are to be sent.
>
> Either this validity time can be included explicitly in the KDK option
> itself, or there can be a reasonable assumption provided, e.g.:
>
> A node only sends a KDK option containing information valid for at
> least30 minutes ( or however long the original SEND message
> containing the
> option is valid).
>
>
>
> _______________________________________________
> Mipshop mailing list
> Mipshop@ietf.org
> https://www1.ietf.org/mailman/listinfo/mipshop
>
_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop