[secdir] Anyone got a spare hour?
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 27 March 2012 06:38 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4B7521E805A for <secdir@ietfa.amsl.com>; Mon, 26 Mar 2012 23:38:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.206
X-Spam-Level:
X-Spam-Status: No, score=-103.206 tagged_above=-999 required=5 tests=[AWL=-0.607, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uMhONdJeI4aF for <secdir@ietfa.amsl.com>; Mon, 26 Mar 2012 23:38:12 -0700 (PDT)
Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 913D721E801F for <secdir@ietf.org>; Mon, 26 Mar 2012 23:38:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 1A20C171C04 for <secdir@ietf.org>; Tue, 27 Mar 2012 07:38:11 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:subject:mime-version :user-agent:from:date:message-id:received:received: x-virus-scanned; s=cs; t=1332830290; bh=7c4DPJyFlmeOEv/+Pk+Paq4n lARKwEnJEZhdxL7QGYw=; b=ohTkfhK2ZY/ZmMfvDfmHy0eeNrdxeYmA0NJtur90 TagMbnrHnOqTEPp2L5jerGZKFW1LopLx7Zj4YsRQj3uceBbppuofXbOww6nxqHN6 lB6rucPz7n1mFqaLdLJZHObfguLv5t+3o8UtSwqQm/+BHOEBLtCeSRBb4YS5tpxe vQGot8ilv4g4ulZvIKqZejuBBO2JX+HTaz0vUa7LNGKhUD4djcaTp1/JlLidKbeD N2ZmcF+GeMcMp4bfh6G0bHn0v92XExaFOCImhFOlXX2B3NVDCSEwj6cVBdoR/4my TQS8NbeXjsCvYhAdQtZEGOEPj5lYzYanUp+iqn31Gtxc4w==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id th3VIqcABSlb for <secdir@ietf.org>; Tue, 27 Mar 2012 07:38:10 +0100 (IST)
Received: from [130.129.19.33] (dhcp-1321.meeting.ietf.org [130.129.19.33]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 742E7171C03 for <secdir@ietf.org>; Tue, 27 Mar 2012 07:38:10 +0100 (IST)
Message-ID: <4F716052.5060701@cs.tcd.ie>
Date: Tue, 27 Mar 2012 07:38:10 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To: "secdir@ietf.org" <secdir@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [secdir] Anyone got a spare hour?
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2012 06:38:13 -0000
If you do, today or tomorrow, and are in the mood, I'd
appreciate if you could take a look at a discuss point
([1], point #1) I have on a document [2] where I've not
had the time yet to go through it in enough detail and
the WG are meeting Thursday and understandably would like
to progress it before then.
The situation is a mobile node ("MN") talking to a bit
of MIP infrastructure (a "HAC"), over a TLS session,
with TLS-server-endpoint channel bindings. (There's a
separate issue about how they describe the TLS session
but that's being addressed already.)
Their MN authentication then goes:
"
MN HAC
| |
| Request/MHAuth-Init (...) |
|------------------------------------------------------>|
| |
| Response/MHAuth-Init (...) |
|<------------------------------------------------------|
| |
| Request/MHAuth-Done (...) |
|------------------------------------------------------>|
| |
| Response/MHAuth-Done (...) |
|<------------------------------------------------------|
| |
Figure 4: Authentication of the Mobile Node Using Shared Secrets
1) Request/MHAuth-Init: (MN -> HAC)
mn-id, mn-rand, auth-method=psk
2) Response/MHAuth-Init: (MN <- HAC)
[mn-rand, hac-rand, auth-method=psk, [status],] auth
3) Request/MHAuth-Done: (MN -> HAC)
mn-rand, hac-rand, sa-scope, ciphersuite-list, auth
4) Response/MHAuth-Done: (MN <- HAC)
[sa-scope, sa-data, ciphersuite, bootstrapping-data,] mn-rand,
hac-rand, status, auth
Where:
auth = HMAC-SHA256(PSK, msg-octets | CB-octets)
The length "mn-rand", "hac-rand" is 32 octets. Note that "|"
indicates concatenation and optional parameters are shown in square
brackets [..]. The square brackets can be nested.
The shared secret PSK can be variable length. 'msg-octets' includes
all payload parameters of the respective message to be signed except
the 'auth' payload. CB-octets is the channel binding input to the
auth calculation that is the "TLS-server-endpoint" channel binding
type.
"
My concern is that there may be reflection attacks, or similar
but I've not had the time yet to get down to the nitty-gritty.
The attack I've in mind is an MN connecting to the HAC, getting
a variant of message 2 and replaying that as message 3. I might
want to hold the discuss to get them to add some directional
thing in any case, but would really appreciate if someone can
delve a bit into how these messages would look on the wire to
see if this is a practical attack or just being careful for
the future.
And since I saw the above problem, I'm a bit concerned there
might be more issues, so more eyeballs would be good for that
in any case.
Feel free to reply on or off list if you do have time to look
at this.
Thanks in advance,
S.
[1]
https://datatracker.ietf.org/doc/draft-ietf-mext-mip6-tls/ballot/#stephen-farrell
[2] https://datatracker.ietf.org/doc/draft-ietf-mext-mip6-tls/
- [secdir] Anyone got a spare hour? Stephen Farrell