[perpass] Why a Key Exchange should be a separate module
Phillip Hallam-Baker <hallam@gmail.com> Thu, 23 January 2014 22:51 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBD091A0182 for <perpass@ietfa.amsl.com>; Thu, 23 Jan 2014 14:51:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i1HlOYPWjjqS for <perpass@ietfa.amsl.com>; Thu, 23 Jan 2014 14:51:52 -0800 (PST)
Received: from mail-la0-x22d.google.com (mail-la0-x22d.google.com [IPv6:2a00:1450:4010:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 082DC1A007C for <perpass@ietf.org>; Thu, 23 Jan 2014 14:51:51 -0800 (PST)
Received: by mail-la0-f45.google.com with SMTP id b8so1995971lan.18 for <perpass@ietf.org>; Thu, 23 Jan 2014 14:51:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=GVDITnl+dDsdi7eZXPwbviu9pD0xyueolqLU2Sxt1b8=; b=pN1YFS0+HdsNnpAtZ09WO0uL4PuKHQ/f4//dAcLsiManRl5Eg6qgg/xZxNkeIliRdf wcgDx95Ts6H+ouFLPNFs+xGvfB/sGqTlIh8X4BD1hD7ZLpyk85fUhTveJ13raOKTj34V dG+Wi27wqtF5NBvtuLWxpHYRwFZxhdwNqyIpSrPHxfW22xVrz3FuZkglZlW3it6szLXz XcV+rDLucie1nWYFKFOXss2C2dTDgEKY2OVR1WlWIHqj2JjbUrE9xV02G3FQtnxDID7j 8vcrOpWz7FRbmGi6VHkqiwLC1w1HGX9OYrh8pCBlmP9316HEEU/ijDSZos6m+zLe2a4A +3yQ==
MIME-Version: 1.0
X-Received: by 10.112.234.194 with SMTP id ug2mr77917lbc.86.1390517510375; Thu, 23 Jan 2014 14:51:50 -0800 (PST)
Received: by 10.112.37.172 with HTTP; Thu, 23 Jan 2014 14:51:50 -0800 (PST)
Date: Thu, 23 Jan 2014 17:51:50 -0500
Message-ID: <CAMm+LwiLuEQ1q4utHAXXc6LcoggEYDRj6tSYd6E0fDjxL3PqoQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: perpass <perpass@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c30d06428b5404f0ab1683"
Subject: [perpass] Why a Key Exchange should be a separate module
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2014 22:51:55 -0000
It occurs to me that in answering Kent's attack on me, I may have inadvertently left the wrong impression of the reason why I have come to the conclusion that key exchange should be a separate concern from the binding to the communication layer. Then as I began to wonder why the proposal might have set him off and working from a hypothesis advanced in another place, I have come up with a better scheme than previously. The only connection to Omnibroker is that I realized the need to make this separation as a result of writing Omnibroker. After writing the first implementation, I took a look at my code and realized that over 70% of it dealt with the problem of establishing and managing a long term trust relationship between a group of related clients (i.e. sharing the same account) and a service. And that this is a mechanism that can be used in many, many other protocols. Consequently, I factored the connection protocol out. http://tools.ietf.org/search/draft-hallambaker-wsconnect-05 Now people can argue that the approach I take in wsconnect, namely relying on the encapsulating TLS transport to protect exchange of the long term secrets is a naive approach. Which of course it is. I want to replace that approach with something better, preferably something that has been thoroughly tested. But that currently requires me to reverse engineer some other key exchange which is hardly an optimal approach. So the current scheme is really a placeholder rather than a final proposal. Kerberos has shown the way forward here. A symmetric security context may be reduced to: * The identity and permissions of the subject * A set of cryptographic parameters (algorithms, etc) * A set of symmetric keys * An identifier that allows the counterparty to obtain the above Since the only necessary feature of the identifier is that it uniquely identify the security context to the counterparty, the identifier should be opaque to the communication medium. If the counterparty generates the identifier and the permitted identifier length is sufficiently long, the identifier can contain the security context provided that suitable encryption and authentication measures are used. Presenting the Key Exchange as a separate Web Service with defined inputs and outputs means that instead of having to choose between OAKLEY, IKE, PHOTURIS etc. as effectively exclusive schemes because there is only one MTI, a mix and match approach becomes easier. This presentation also makes it rather easier to conceal the identities of the parties when combined with the WSConnect approach because this integrates key exchange into the service discovery process. A WSConnect service association is to a collection of hosts with information to enable protocol and protocol version agility. Each host has a separate security association. So in WSConnect right now, if I have service A and B, the security association would have a different key identifier and symmetric key for each (with dummy data): Service = [ { "host" : "a", "secret" : "xxxxxx", "id" : "iixxxxx"}, { "host" : "b", "secret" : "yyyyyy", "id" : "iiyyyyy"}] This approach means that a passive observer can perform traffic analysis by looking for repeated appearances of iixxxxx and iiyyyyy. This would allow an attacker to match traffic from different IP addresses. It is not possible for the attacker to correlate iixxxxx and iiyyyyy directly but this may be inferred from other data. Now imagine that we add a parameter for a DH public key for each host. We can now blind the identifier values by encrypting them under an ephemeral DH key from the client. The separate key exchange service approach is very powerful because we can use it iteratively. One key exchange service can be used to protect interactions with another. This allows identity leakage to be concealed to a far greater degree than is currently possible in IPSEC or TLS. Control over identity leakage is given to the party deploying a service rather than the designer of the protocol. I think that is a good thing. Others might disagree. -- Website: http://hallambaker.com/
- [perpass] Why a Key Exchange should be a separate… Phillip Hallam-Baker