Re: [secdir] Secdir last call review of draft-ietf-drip-arch-22
Valery Smyslov <valery@smyslov.net> Thu, 31 March 2022 08:12 UTC
Return-Path: <valery@smyslov.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2C983A08D5; Thu, 31 Mar 2022 01:12:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Level:
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=smyslov.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cGEc--arcZFj; Thu, 31 Mar 2022 01:12:27 -0700 (PDT)
Received: from direct.host-care.com (direct.host-care.com [198.136.54.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5475D3A1905; Thu, 31 Mar 2022 01:12:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=smyslov.net ; s=default; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID :Date:Subject:In-Reply-To:References:Cc:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=viAtLdZigJcnyXr9qf+wcWHmtYHxNThr2r31UNgX1d8=; b=onB534oYbmkYQHdJkOskCRKM8m nmtPEs9RrQdk4sZJ5Tq1La6h3kD7Xt3CVL67VFnCw+g7ru4a3XdZMqeChJTwgJF4VP63Jx7C6PVhW CCYBaUdblBUsPBbTtD9Z8oUeuQ2tGjHZ3jclf+ZoJu2m5P6tZl20vciyEqr+fxlDSU7+TtX5QqDrw wFfvXqwWyTmWaIpBmuwhMbHJATFbLHxPk7qXRSq/fyx9EyW/3S58A/Lj7t92DDUhY/fvUcKaHOOG6 ri5JzIKTvbOQ1EUHLQvzYfQITIM01J0GDucwtcKjzdYaBN9yB2FayH/xGwtJ4MrxdjnlFWD9ZNeVE 4mGfs3Zw==;
Received: from [93.188.44.204] (port=50642 helo=buildpc) by direct.host-care.com with esmtpsa (TLS1.2) tls TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <valery@smyslov.net>) id 1nZpuo-0000BJ-Bc; Thu, 31 Mar 2022 04:12:22 -0400
From: Valery Smyslov <valery@smyslov.net>
To: 'Robert Moskowitz' <rgm@labs.htt-consult.com>, secdir@ietf.org
Cc: draft-ietf-drip-arch.all@ietf.org, last-call@ietf.org, tm-rid@ietf.org
References: <164864828914.19999.4038160950945043224@ietfa.amsl.com> <ca3a9df9-1056-825a-2900-119df42a1a44@labs.htt-consult.com>
In-Reply-To: <ca3a9df9-1056-825a-2900-119df42a1a44@labs.htt-consult.com>
Date: Thu, 31 Mar 2022 11:12:21 +0300
Message-ID: <19b101d844d7$0e376b40$2aa641c0$@smyslov.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHAkWuyxQUkzf87mu+hlPYoCbOlNwGc9tz5rPuWVIA=
Content-Language: ru
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - direct.host-care.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - smyslov.net
X-Get-Message-Sender-Via: direct.host-care.com: authenticated_id: valery@smyslov.net
X-Authenticated-Sender: direct.host-care.com: valery@smyslov.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RcUe7co4TQrLn6x830X-Job3Z4c>
Subject: Re: [secdir] Secdir last call review of draft-ietf-drip-arch-22
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 08:12:32 -0000
Hi Bob, thank you for prompt reply, please see my comments below. > I am taking a quick response here, and will have to go over it more > closely for a second pass. > > On 3/30/22 09:51, Valery Smyslov via Datatracker wrote: > > Reviewer: Valery Smyslov > > Review result: Has Issues > > > > The topic of the draft is complex and involves many fields which I'm not expert > > of. The overall architecture looks secure, however it's difficult for me to > > analyse all the details. Nevertheless, it seems to me that there are some > > security issues with the draft. > > > > 1. Section 3.2 > > > > A UA equipped for Broadcast RID SHOULD be provisioned not only with > > its HHIT but also with the HI public key from which the HHIT was > > derived and the corresponding private key, to enable message > > signature. A UAS equipped for Network RID SHOULD be provisioned > > likewise; the private key resides only in the ultimate source of > > Network RID messages (i.e., on the UA itself if the GCS is merely > > relaying rather than sourcing Network RID messages). Each Observer > > device SHOULD be provisioned either with public keys of the DRIP > > identifier root registries or certificates for subordinate > > registries. > > > > I wonder why SHOULDs are used here and not MUSTs. In which cases it's OK not to > > equip e.g. UAs with private keys and how they will perform digital signatures > > in this case? Am I missing something? > > Good catch. Thanks. All too often you read things so many times that > points like this just slip by and this is why we have last calls... > > Broadcast RID MUST be provisioned OK. > As our whole architecture is to prove the Remote ID ownership in > messages broadcasted from the UA and that needs to private key... > > Note for Network RID, it is not so simple. It may be that the GCS does > all the signing for NRID messages, having its own trusted link to the UA > to get the data to proxy. This is why SHOULD for NRID is appropriate. I think that having "trusted link" assumes that UA has some private key to authenticate information it sends to GCS. Well, I understand that this may be a different key... > And SHOULD for Observers is correct, as an Observer might be using a > verifying service, rather than directly validating the messages. Our > position is direct validation on by the Observer is preferred, but ASTM > does diagram validation services. Agree. > So recapping, change first SHOULD to MUST. Other SHOULDs are correct. > > > 2. It is not clear for me how revocation is done in case the private key of UA > > is compromised. While the Security considerations section states that > > revocation procedures are yet to be determined, I think that some text about > > the directions in which they are planned to be determined should be present. > > Since these are raw keys, revocation is not directly possible. The > drip-registry draft may evolve various methodologies for providing > revocation information. At this writing, we would be really > speculating. Perhaps, black-holing in DNS; if a DET has been revoked, a > DNSSEC protected response on looking up the DET would say so. We might > be able to include this as an example for revocation, but only an > example at this point. I see. I still think that architecture document should have some text about revocation (even if the text is speculative) in the main body, i.e. where the architecture is defined. Just to show readers that revocation is in scope of architecture and will be addressed later. > > 3. Section 9. > > > > The size of the public key hash in the HHIT is also of concern. It > > is well within current server array technology to compute another key > > pair that hashes to the same HHIT. > > > > If I understand the draft correctly, the size of public key hash is 20 or 19 > > octets (Section 3.1). > > The architecture document does not detail the format of an HHIT. It > turns out that in draft-ietf-drip-rid, the hash size is 64 bits so this > attack is real and details about it are in the Security Considerations > of that draft. Perhaps say: > > The size of the public key hash in the HHIT (64 bits) is also of concern > > ? Do we need to reference ietf-drip-rid? We really do not want to do > that is it creates delaying dependencies. Oh, I now see, for 64 bits it is really possible to find second preimage. Perhaps the text can be modified along the lines (with no specific details about solution spec as Med advised): Depending on the selected size of the public key hash in the HHIT, it may be well within current server array technology to compute another key pair that hashes to the same HHIT. > > Finding another key pair that hashes to the same hash > > requires second preimage attack, which must take in this case 2^160 or 2^152. > > In my understanding of the state-of-art, it's still beyond possibilities of > > current computers. Am I missing something? > > Unfortunately you have to see: > > draft-ietf-drip-rid-17 sec 10. > > > 4. The Security Considerations section is silent about possible impact of > > Cryptographically Relevant Quantum Computers. While it's not clear whether such > > computers will be ever build, the proposed architecture looks fragile with > > respect to them. First, from my understanding the architecture, private/public > > key pairs in UA are relatively long-lived and difficult to update. This gives > > an attacker plenty of time to break them and once they are broken, enough time > > to exploit. Second, the impact of breaking can be substantial due to the nature > > of UA (a potentially dangerous object). Third, while many protocols involved in > > this architecture can be upgraded with quantum safe cryptographic primitives, > > it seems to me that for some pieces it will be really challenging (e.g. the > > draft discusses limitations on payload size for Bluetooth, which will be more > > severe with PQ cryptography with much larger keys and signatures). I think this > > issue must be addressed somehow, at least mentioned. > > Intentionally so. We could get lost in the weeds. We are extremely > size and computing constrained and current QSC is just not providing > solutions. IF such a crypto suite is invented, it can be slotted in, as > we have designed for crypto-agility. Also, we do not spell it out, but > we do say that a DET may be used for only a single 'operation' (flight > to us non-UAS operators). Thus a concerned implementor could use a > fresh DET, making the exposure for only the duration of the operation. > We do not spell this out, as there are other operational reasons for a > UAS operator to constantly change DETs. I think that the document will benefit if you mention in the Security Considerations that quantum security is intentionally out of scope (perhaps with some of the reasoning you provided). Otherwise it looks like this is overlooked. > > 5. While an example when one UA physically steals UAS RID sender of another UA > > is clever, I think that such scenarios (physical security) are not in scope of > > IETF work. I believe that many others similar schemes can be invented, so I > > suggest to discuss physical security in a separate subsection of Section 9. > > ? other authors? chairs? advise please. > > > Not related to security: > > > > Section 3.2: > > > > A self-attestation of a HHIT used as a UAS ID can be done in as > > little as 84 bytes when Ed25519 [RFC8032] is used, by avoiding an > > explicit encoding technology like ASN.1 or Concise Binary Object > > Representation (CBOR [RFC8949]). This attestation consists of only > > the HHIT, a timestamp, and the EdDSA signature on them. > > > > If no encoding is used then how extensibility is achieved? > > Extensibility is in the HHIT which includes the Suite ID (Ed25519/cSHAKE > here). A different HHIT Suite ID will result in a differently > structured self-attestation. None exist right now, so no attempt is > made to consider what other results would look like. OK. > > I also wonder how algorithm agility property is achieved for broadcast RID > > messages. > > As above the HHIT includes the Suite ID. Note that the HHIT is an > extension of the HIT in rfc7401 that also provided algorithm agility > through the included Suite ID. OK, good to know. My concern was that with broadcasts changing algorithms is operationally challenging - since there is no negotiation you should first upgrade all the receivers and only then start upgrading UAs. > I hope this helps. Definitely. Thank you, Valery.
- [secdir] Secdir last call review of draft-ietf-dr… Valery Smyslov via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Robert Moskowitz
- Re: [secdir] Secdir last call review of draft-iet… mohamed.boucadair
- Re: [secdir] [Last-Call] Secdir last call review … Michael Richardson
- Re: [secdir] Secdir last call review of draft-iet… Valery Smyslov
- Re: [secdir] Secdir last call review of draft-iet… Card, Stu
- Re: [secdir] Secdir last call review of draft-iet… Valery Smyslov
- Re: [secdir] Secdir last call review of draft-iet… shuai zhao
- Re: [secdir] Secdir last call review of draft-iet… Valery Smyslov
- Re: [secdir] [Drip] Secdir last call review of dr… Robert Moskowitz
- Re: [secdir] [Drip] Secdir last call review of dr… Valery Smyslov
- Re: [secdir] Secdir last call review of draft-iet… Card, Stu