[secdir] Anyone got a spare hour?
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 27 March 2012 06:38 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4B7521E805A for <secdir@ietfa.amsl.com>; Mon, 26 Mar 2012 23:38:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.206
X-Spam-Level:
X-Spam-Status: No, score=-103.206 tagged_above=-999 required=5 tests=[AWL=-0.607, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uMhONdJeI4aF for <secdir@ietfa.amsl.com>; Mon, 26 Mar 2012 23:38:12 -0700 (PDT)
Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 913D721E801F for <secdir@ietf.org>; Mon, 26 Mar 2012 23:38:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 1A20C171C04 for <secdir@ietf.org>; Tue, 27 Mar 2012 07:38:11 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:subject:mime-version :user-agent:from:date:message-id:received:received: x-virus-scanned; s=cs; t=1332830290; bh=7c4DPJyFlmeOEv/+Pk+Paq4n lARKwEnJEZhdxL7QGYw=; b=ohTkfhK2ZY/ZmMfvDfmHy0eeNrdxeYmA0NJtur90 TagMbnrHnOqTEPp2L5jerGZKFW1LopLx7Zj4YsRQj3uceBbppuofXbOww6nxqHN6 lB6rucPz7n1mFqaLdLJZHObfguLv5t+3o8UtSwqQm/+BHOEBLtCeSRBb4YS5tpxe vQGot8ilv4g4ulZvIKqZejuBBO2JX+HTaz0vUa7LNGKhUD4djcaTp1/JlLidKbeD N2ZmcF+GeMcMp4bfh6G0bHn0v92XExaFOCImhFOlXX2B3NVDCSEwj6cVBdoR/4my TQS8NbeXjsCvYhAdQtZEGOEPj5lYzYanUp+iqn31Gtxc4w==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id th3VIqcABSlb for <secdir@ietf.org>; Tue, 27 Mar 2012 07:38:10 +0100 (IST)
Received: from [130.129.19.33] (dhcp-1321.meeting.ietf.org [130.129.19.33]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 742E7171C03 for <secdir@ietf.org>; Tue, 27 Mar 2012 07:38:10 +0100 (IST)
Message-ID: <4F716052.5060701@cs.tcd.ie>
Date: Tue, 27 Mar 2012 07:38:10 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To: "secdir@ietf.org" <secdir@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [secdir] Anyone got a spare hour?
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2012 06:38:13 -0000
If you do, today or tomorrow, and are in the mood, I'd appreciate if you could take a look at a discuss point ([1], point #1) I have on a document [2] where I've not had the time yet to go through it in enough detail and the WG are meeting Thursday and understandably would like to progress it before then. The situation is a mobile node ("MN") talking to a bit of MIP infrastructure (a "HAC"), over a TLS session, with TLS-server-endpoint channel bindings. (There's a separate issue about how they describe the TLS session but that's being addressed already.) Their MN authentication then goes: " MN HAC | | | Request/MHAuth-Init (...) | |------------------------------------------------------>| | | | Response/MHAuth-Init (...) | |<------------------------------------------------------| | | | Request/MHAuth-Done (...) | |------------------------------------------------------>| | | | Response/MHAuth-Done (...) | |<------------------------------------------------------| | | Figure 4: Authentication of the Mobile Node Using Shared Secrets 1) Request/MHAuth-Init: (MN -> HAC) mn-id, mn-rand, auth-method=psk 2) Response/MHAuth-Init: (MN <- HAC) [mn-rand, hac-rand, auth-method=psk, [status],] auth 3) Request/MHAuth-Done: (MN -> HAC) mn-rand, hac-rand, sa-scope, ciphersuite-list, auth 4) Response/MHAuth-Done: (MN <- HAC) [sa-scope, sa-data, ciphersuite, bootstrapping-data,] mn-rand, hac-rand, status, auth Where: auth = HMAC-SHA256(PSK, msg-octets | CB-octets) The length "mn-rand", "hac-rand" is 32 octets. Note that "|" indicates concatenation and optional parameters are shown in square brackets [..]. The square brackets can be nested. The shared secret PSK can be variable length. 'msg-octets' includes all payload parameters of the respective message to be signed except the 'auth' payload. CB-octets is the channel binding input to the auth calculation that is the "TLS-server-endpoint" channel binding type. " My concern is that there may be reflection attacks, or similar but I've not had the time yet to get down to the nitty-gritty. The attack I've in mind is an MN connecting to the HAC, getting a variant of message 2 and replaying that as message 3. I might want to hold the discuss to get them to add some directional thing in any case, but would really appreciate if someone can delve a bit into how these messages would look on the wire to see if this is a practical attack or just being careful for the future. And since I saw the above problem, I'm a bit concerned there might be more issues, so more eyeballs would be good for that in any case. Feel free to reply on or off list if you do have time to look at this. Thanks in advance, S. [1] https://datatracker.ietf.org/doc/draft-ietf-mext-mip6-tls/ballot/#stephen-farrell [2] https://datatracker.ietf.org/doc/draft-ietf-mext-mip6-tls/
- [secdir] Anyone got a spare hour? Stephen Farrell