Re: [secdir] Secdir early review of draft-ietf-dtn-bpsec-default-sc-02
Benjamin Kaduk <kaduk@mit.edu> Sun, 21 March 2021 04:04 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CEE13A144A; Sat, 20 Mar 2021 21:04:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.404
X-Spam-Level:
X-Spam-Status: No, score=0.404 tagged_above=-999 required=5 tests=[KHOP_HELO_FCRDNS=0.399, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WnB2GWHRQDz2; Sat, 20 Mar 2021 21:03:57 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7C433A1449; Sat, 20 Mar 2021 21:03:53 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 12L43h0W023385 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 21 Mar 2021 00:03:47 -0400
Date: Sat, 20 Mar 2021 21:03:42 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Christian Huitema <huitema@huitema.net>
Cc: secdir@ietf.org, draft-ietf-dtn-bpsec-default-sc.all@ietf.org
Message-ID: <20210321040342.GO79563@kduck.mit.edu>
References: <161611713427.19367.10392386702864224514@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <161611713427.19367.10392386702864224514@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HRPAvo2CgLXx4GQbPA6O31na9kA>
Subject: Re: [secdir] Secdir early review of draft-ietf-dtn-bpsec-default-sc-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Mar 2021 04:04:02 -0000
Hi Christian, Thanks for the spot-on review! BP security is indeed pretty complicated with all those moving pieces, and I agree that test vectors would help give confidence in correctness of implementations. I had good experiences working with Ed on other DTN documents (the worst part was self-induced delay on my part), so I expect that the WG will be pretty receptive to your suggestions. Thanks again, Ben On Thu, Mar 18, 2021 at 06:25:34PM -0700, Christian Huitema via Datatracker wrote: > Reviewer: Christian Huitema > Review result: Has Nits > > I have reviewed draft-ietf-dtn-bpsec-default-sc-02 as part > of an early security review requested by the transport AD. The draft specifies > how to use either HMAC/SHA based authencation or AES-GCM authenticated > encryption in the framework defined by the Bundle Protocol Security > Specification (draft-ietf-dtn-bpsec-27) for the Bundle Protocol Version 7 > draft-ietf-dtn-bpbis-31.txt. > > The specifications are straightforward applications of well-known algorithms: > HMAC256/SHA256, HMAC384/SHA384, HMAC512/SHA512, AES128 GCM, and AES256 GCM. The > text is written in a detailed manner, guiding potential developers through the > implementation of these algorithms. For me, these descriptions seem almost > ready, expect for two nits. However, the overall system appears very complex, > and some ways to manage that complexity would be welcome. My minimum suggestion > would be to add test vectors. > > The first nit regards the table of BIB-HMAC-SHA2 Security Parameters in section > 3.3.4. The default value for the SHA Variant is specified as "256", but section > 3.3.1 only defines values 5, 6 and 7 for that parameter. I assume that the > intent is to default to HMAC256/SHA256, but in that case the default should be > 5, not 256. > > The second nit regards the discussion of authentication and confidentiality in > section 4.1. AEAD algorithms distinguish between authenticated data and > encrypted data. The text expresses a different concept,separate definitions of > "scope of confidentiality" and "scope of authentication". I suggest that these > paragraphs be rewrittent to specify that "the scope of authentication is always > the union of the additional data and the scope of confidentiality." > > These are small issues. My real concern with this document is the overall > complexity of the Bundle Protocol and the Security specification. The protocols > appear specified for maximum flexibility. Messages can be relayed. Relays can > add their own security blocks to the bundle. Authentication and encryption can > apply to different blocks in the bundle. Messages can be fragmented. Nodes can > choose to apply different level of security to different bundles, or to > different blocks in the same bundle. I suppose that these choices are justified > by application requirements, but all this complexity may end up causing > interoperability issues, and potential security failures. > > The way CBOR encoding are used brings another source of complexity. CBOR allows > for different ways of encoding the same data. The bundle security document and > this algorithm specification document request that some data parts be > re-encoded in the "canonical" CBOR format before authentication tags are > computed or verified. Experience in other domains shows that relying on > canonization before authentication is very fragile, and a source of > interoperability failures. It would be much more robust to assume that > authenticated objects are immutable, and that the wire format of these objects > is fed directly into the hash algorithm. > > To mitigate the risk of interoperability failures, I suggest adding test > vectors to the specification. Each test case should start with a clear text > test bundle, apply either authentication or authenticated encryption according > to some variations of the authentication or AAD scope flags, and produce a > result. Different test vectors might start with different mode of CBOR > encoding, to test the canonization process. This kind of investment might save > a lot of time to future developers! > > Not a comment on this draft, but I see lot of potential issues with > fragmentation. I understand that in a Delay Tolerant Network,relays need to be > able to fragment messages. The draft correctly points out that if an > authenticated message is fragmented, authentication can only be received while > all fragments are received. However, this would not protect from attacks > against fragmentation similar to those seen in IP, IPv6 and TCP. I think that > some kind of secure fragmentation protocol need to be studied and specified by > the working group. > > > _______________________________________________ > secdir mailing list > secdir@ietf.org > https://www.ietf.org/mailman/listinfo/secdir > wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
- [secdir] Secdir early review of draft-ietf-dtn-bp… Christian Huitema via Datatracker
- Re: [secdir] Secdir early review of draft-ietf-dt… Benjamin Kaduk
- Re: [secdir] [EXT] Secdir early review of draft-i… Birrane, Edward J.