IETF Logo Mail Archive

[MSEC] Re: weis-esp-group-counter, was MSEC status update

gmgietf@identaware.com Wed, 07 February 2007 11:51 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HElLD-0005Rz-Cy; Wed, 07 Feb 2007 06:51:59 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HElLD-0005Ro-0W for msec@ietf.org; Wed, 07 Feb 2007 06:51:59 -0500
Received: from lvs00-fl-n17.ftl.affinity.com ([216.219.253.5]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HElLC-0003WM-KU for msec@ietf.org; Wed, 07 Feb 2007 06:51:58 -0500
Received: ("??"@ams017.ftl.affinity.com) by ams017.ftl.affinity.com id S360049AbXBGLvd for <msec@ietf.org>; Wed, 7 Feb 2007 06:51:33 -0500
References: <S373524AbXBESa1/20070205183027Z+1280@ams004.ftl.affinity.com> <EE8A84FC-F140-4BFE-956A-41DB215C8322@cisco.com>
In-Reply-To: <EE8A84FC-F140-4BFE-956A-41DB215C8322@cisco.com>
From: gmgietf@identaware.com
To: Brian Weis <bew@cisco.com>
Date: Wed, 07 Feb 2007 06:51:32 -0500
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <S360049AbXBGLvd/20070207115133Z+8716@ams017.ftl.affinity.com>
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 37af5f8fbf6f013c5b771388e24b09e7
Cc: msec@ietf.org, George Gross <gmgross@identaware.com>
Subject: [MSEC] Re: weis-esp-group-counter, was MSEC status update
X-BeenThere: msec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Multicast Security List <msec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/msec>
List-Post: <mailto:msec@ietf.org>
List-Help: <mailto:msec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
Errors-To: msec-bounces@ietf.org

Hi Brian, 

To fully avoid the IV reuse problem in the general case, you probably need 
to encode a 4-tuple: {S-GCKS-ID, (re-)registration counter, SID, SSIV}. This 
approach would avoid the need write the SSIV to non-volatile storage and the 
potential problems that would occur if a group uses a distributed GCKS. 

I guess I'll stay tuned for the next revision of this draft. 

br,
  George 

Brian Weis writes: 

> Hi George, 
> 
> Thanks for your review. Some comments are embedded below. 
> 
> On Feb 5, 2007, at 10:30 AM, gmgietf@identaware.com wrote: 
> 
>> Hi Brian and Lakshminath,
>> <snip>
>>> V.
>>> New work (to be adopted after asking for group's opinion):
>> 
>> <snip>
>>> draft-weis-esp-group-counter-cipher-00: Ditto.
>> 
>> I do not have a strong objection to this draft being adopted as a  MSEC 
>> working group item. However, there are several questions  (problems?) 
>> that I wondered about when I did a quick superficial  review of this 
>> draft.
>> 1) A fundamental problem is nonce or IV re-use, as recently  discussed at 
>> length on CFRG. Wei Dai posted an good summary of  those discussions and 
>> what to do about this problem about a week  ago. I would suggest that 
>> this draft should include that guidance  in its security considerations. 
>> That said, I suspect the risk of  compromise is magnified in direct 
>> proportion to the size of the  group membership. Instead of two 
>> endpoints, there are "N" endpoints  that could accidently re-use a {SID, 
>> SSIV} pair, and this needs to  be emphasized by this draft. There were 
>> about two dozen CFRG e-mail  exchanges about random number generation, 
>> counter management,  virtual machine interactions, and re-boot scenarios. 
>> At the least,  the Sender-Specific IV (SSIV) field must be saved in a 
>> non-volatile  storage after each use to avoid the scenario where a 
>> re-boot causes  accidental {SID, SSIV} re-use. That way if a member 
>> re-boots then  re-joins the same group, then it MUST also restart its 
>> SSIV at the  last value used plus one. This is only one example. There 
>> are other  cases mentioned by CFRG that need documentation. Perhaps the 
>> SID  and SSIV must be qualified by a third field assigned by the GCKS, a  
>> "registration instance" counter?
> 
> I'm aware of the CRFG thread, and will review it for additional  security 
> considerations text as you suggest. Regarding re-use of the  SSIV, your 
> suggestion may not be appropriate as there are some  devices for which 
> frequent writes to non-volatile storage (e.g.,  NVRAM) are not 
> appropriate. It was our intention that re-joins would  be detected by the 
> GCKS during re-registration, and that it would  take appropriate action. 
> I'll review Section 4 and clarify this. 
> 
>> 2) A second problem is the inability to scale to large groups  because 
>> the per sender state that receivers must maintain to  enforce anti-replay 
>> services. The draft does not mention anti- replay service or how it 
>> interacts in this multi-sender group  scenario. The draft must state that 
>> anti-replay service is not  recommended, or else explain how it is done 
>> such that it scales to  a large group.
> 
> Describing anti-replay services would make sense for a draft that is  
> defining how multi-sender AH or ESP should be deployed. But his draft  has 
> a more modest goal of describing how multi-sender counter-mode  ciphers 
> can be deployed. The draft-ietf-msec-ipsec-extensions I-D  gives the 
> guidance you mention above. This guidance is certainly  relevent to the 
> esp-group-counter draft, but I don't think this  document needs to do more 
> than reference that I-D. I can add text  pointing readers to that document 
> for guidance on multi-sender SAs. 
> 
>> 3) The draft as written assumes that there is only a single  
>> cryptographic group and a single omnipotent GCKS. It seems to  preclude 
>> any easy extension or accommodation for composite groups  or distributed 
>> S-GCKS operations. In particular, the requirements  in section 4 could be 
>> a source of complexity. Is an endpoint always  required to interact with 
>> the same S-GCKS? Are all S-GCKS expected  to know the SID of every 
>> potential group member?
> 
> We didn't intend to make restrictions regarding composite groups or  
> distributed S-GCKS operations. But this is hard to answer without  knowing 
> exactly how the distributed GCKS system in a particular  deployment works. 
> 
>> 4) The assertion made in section 6, the Security Considerations,  that 
>> the security is equivalent to that of a single sender is not  true and 
>> should be replaced with text along the lines described above.
> 
> The actual sentence is: "When [this document's] recommendations are  
> followed, the security of the crypto algorithms is equivalent to the  
> conventional case in which there is a single sender." We believe that  
> this is a true statement as long as the IVs are not reused (i.e., the  
> recommendations in this document). But we'll certainly add points  made on 
> the CFRG thread as well, as you suggest. 
> 
> Thanks,
> Brian 
> 
>> hth,
>>  George 
>> 
>> _______________________________________________
>> MSEC mailing list
>> MSEC@ietf.org
>> https://www1.ietf.org/mailman/listinfo/msec
> 
> -- 
> Brian Weis
> Advanced Security Development, Security Technology Group, Cisco Systems
> Telephone: +1 408 526 4796
> Email: bew@cisco.com
 


_______________________________________________
MSEC mailing list
MSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/msec

v2.23.0 | Report a Bug | By Email