Re: [Mipshop] Key derivation keys for draft-ietf-mipshop-handover-key
"James Kempf" <kempf@docomolabs-usa.com> Wed, 25 July 2007 16:42 UTC
Return-path: <mipshop-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IDjwB-0002YQ-Rr; Wed, 25 Jul 2007 12:42:11 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IDjwA-0002Xr-F1 for mipshop@ietf.org; Wed, 25 Jul 2007 12:42:10 -0400
Received: from key1.docomolabs-usa.com ([216.98.102.225] helo=fridge.docomolabs-usa.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IDjw9-0004fk-Mr for mipshop@ietf.org; Wed, 25 Jul 2007 12:42:10 -0400
Message-ID: <04ea01c7ceda$bd1b64f0$576115ac@dcml.docomolabsusa.com>
From: James Kempf <kempf@docomolabs-usa.com>
To: Greg Daley <Greg.Daley@eng.monash.edu.au>
References: <f5860b321f815.1f815f5860b32@monash.edu.au> <f597e8de193b2.193b2f597e8de@monash.edu.au>
Subject: Re: [Mipshop] Key derivation keys for draft-ietf-mipshop-handover-key
Date: Wed, 25 Jul 2007 09:42:07 -0700
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 2.8 (++)
X-Scan-Signature: 6640e3bbe8a4d70c4469bcdcbbf0921d
Cc: mipshop@ietf.org
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org
Greg, I got the copy you sent to the mailing list. It seems my problems with posting and reception have cleared up. I'll take a more detailed look at your proposal when I get to revising the draft and post any questions, but, after a quick read, I think it looks OK. I hope to quickly rev the document after the drafts gate opens and have Vijay issue a last call, so that we can get FMIP to the IESG before the November meeting. jak ----- Original Message ----- From: "Greg Daley" <Greg.Daley@eng.monash.edu.au> To: "Greg Daley" <Greg.Daley@eng.monash.edu.au> Cc: <mipshop@ietf.org>; "James Kempf" <kempf@docomolabs-usa.com> Sent: Wednesday, July 25, 2007 7:47 AM Subject: Re: [Mipshop] Key derivation keys for draft-ietf-mipshop-handover-key Hi James, et al. please note, I have sent a more complete version of this e-mail to the list. Sorry for the klutziness. Greg ----- Original Message ----- From: Greg Daley <Greg.Daley@eng.monash.edu.au> Date: Wednesday, July 25, 2007 8:42 am Subject: [Mipshop] Key derivation keys for draft-ietf-mipshop-handover-key To: mipshop@ietf.org Cc: kempf@docomolabs-usa.com > > I made a comment at the mike yesterday concerned about the requirement > to use an additional (non-CGA) public/private keypair in the > handover-keys draft. > > The comment I made was based on misunderstanding the issues > presented in > Rajeev's presentation. > > Now I have had the chance to go through the meat of James' earlier > postabout these keys, and realize that the new keys would be > exclusivelygenerated for key derivation, and would not require any > bulk data > encryption using assymmetric cryptography. > > > I think this is a very good idea, in that it allows the key- > derivation keys > to be limited in lifetime, without affecting the stability or security > of the CGA. > > The lifetime of any public key which is used in cryptography should be > limited both by the number of key deriving encryption operations they > perform, and an absolute lifetime, in order to prevent cryptanalysis. > > > Having the router and host autonomously generate a shorter lived > key-derivation keypair can be made to provide significant security > without causing undue additional computation. > This is because the key can be used and reused for key derivations > with many different hosts and only discarded when it is worn out or > old. > > The cost is that the key-derivation key information (algorithm, public > key, etc) would have to be included in messages between the host > and router > before the keys could be derived, and additional information would > need to > be provided in the encrypted block of the Handover Key option. > > > Note that it is important to ensure that the encypted key derivations > themselves are not used in replay attacks, especially as the keys for > the encryption of the symmetric key information are no longer the CGA > private keys. > > This requires that information tying the sender's CGA public key to > theencrypted block. > > Here is my view of the protocol: > > > Legend > > N_n_i Nonce number (i) from node (n) > > T_n_i Timestamp number (i) from node (n) > > CGAOPT_n CGA option for node (n) > > KDKOPT_n Key Derivation Keying Option for node (n) > Contains: > information about key algorithm > public key > public key identifier (perhaps implicit, SHA-1 of > public key) > > SIGNED_n signature using the CGA private key of (n) > > h Host > > r Router > > > RS: Signed_h ( h,All Routers, N_r_1, T_r_1, KDKOPT_h, > CGAOPT_h ) > > RA: > > > > There is an assumption that the information in the KDK option is > valid for a period where the subsequent messages key derivation > exchanges are to be sent. > > Either this validity time can be included explicitly in the KDK option > itself, or there can be a reasonable assumption provided, e.g.: > > A node only sends a KDK option containing information valid for at > least30 minutes ( or however long the original SEND message > containing the > option is valid). > > > > _______________________________________________ > Mipshop mailing list > Mipshop@ietf.org > https://www1.ietf.org/mailman/listinfo/mipshop > _______________________________________________ Mipshop mailing list Mipshop@ietf.org https://www1.ietf.org/mailman/listinfo/mipshop