[secdir] Re: Secdir early review of draft-pignataro-eimpact-icmp-02
Carlos Pignataro <cpignata@gmail.com> Sat, 18 May 2024 17:51 UTC
To: Michael Welzl <michawe@ifi.uio.no>
CC: draft-pignataro-eimpact-icmp.all@ietf.org, secdir@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ogIIW6FJ0OP_cGabk3v-V2iLbnU>
On May 17, 2024, at 00:38, Michael Welzl <michawe@ifi.uio.no> wrote:
Hi all!
Just a thought: a router or switch may not itself be much involved in crypto operations (in the absence of IPSec, and while no encrypted management protocol is in use). In such situations, DPA may be a non-problem.
Devices can of course abstain from sharing power information. What if the security considerations section said that devices should allow their owner to configure if they should share this information while cryptographic operations are active?
(I say “allow their owner to configure” because there may be more concerns about sharing power information widely, so anyway an administrator may want to configure the device to share this information only within a certain network domain.)
Cheers,
Michael
On May 17, 2024, at 7:16 AM, Shawn M Emery <shawn.emery@gmail.com> wrote:
Hi Carlos,
Comments begin with SME.
On 5/12/24 4:41 PM, Carlos Pignataro wrote:
SME: Of course.
Hi 👋🏼 Shawn,
Many thanks for this very useful review!!! Very useful!
SME: This countermeasure is still susceptible to divide-and-conquer attacks, where different parts of the secret key are learned over time.
We have been thinking about your review comments, tracked at https://github.com/cpignata/eimpact-icmp/issues/27, and have some follow up questions for you (leaving only the relevant part of the review)
1. For DPA (as in differential power analysis), an attacker would need a “continuous” Current / Power over time curve while the crypto algo is executed. Would the fact that this is getting a single value (not a time series) be a fair high level counter measure?
SME: Ideally yes, but this depends on individual component/system/software design and therefore could not assume one way or the other that this type of mitigation has been employed on any given device.
2. Do these elements typically have DPA protection as in injecting noise? Should we in the results?
3. Could you please share a reference to DPA we could use to add text? And really welcome textual suggestions!!! 😉
SME: Hmmm, this is an area of ongoing research, where promising countermeasures include a holistic approach, such as software flagging sensitive data for the hardware to treat this data with algorithmic noise, i.e., undifferentiated power consumption based on input. So if this type of mitigation was a MUST in this draft then how many network nodes could currently meet this requirement? If that answer is "very few to none" then this draft, IMO, would not be an appropriate source to provide guidance on how to counter remote side-channel attacks. What is the granularity of voltage that would be meaningful as a sustainability metric?
Thanks again, Shawn!
SME: NP
Regards,
Shawn.
--
Reviewer: Shawn Emery
Review result: Has Issues
[…]
However, one attack vector that I could
think of is a high-fidelity reporting of power draw for the targeted node's
memory, cache, or HSM component then an attacker could perform a remote
side-channel attack (i.e., using DPA) during cryptographic operations in order
to extract the associated secret key.
General comments:
Thank you for the use-case section.
Editorial comments:
None.
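The controls discussed in this thread (owner-configurable sharing, withholding while cryptographic operations are active, limiting replies to a network domain, a single coarse value rather than a time series) can be combined in one reporting gate. The sketch below is an added example, not code from the thread or the draft; every class, field and default value in it is hypothetical, and the addresses and wattages are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class PowerReportPolicy:
    """Owner-set knobs; names and defaults are hypothetical, not from the draft."""
    allowed_domains: list = field(default_factory=list)  # prefixes allowed to ask
    share_during_crypto: bool = False   # withhold while crypto operations run
    granularity_watts: float = 5.0      # readings are rounded to this step
    refresh_interval_s: float = 60.0    # at most one new value per interval

class PowerReporter:
    def __init__(self, policy):
        self.policy = policy
        self._sample = None        # last coarsened value handed out
        self._sample_time = None   # when that value was taken

    def report(self, requester, now, power_watts, crypto_active):
        """Return a coarsened reading, or None when the policy withholds it."""
        p = self.policy
        addr = ipaddress.ip_address(requester)
        if not any(addr in ipaddress.ip_network(n) for n in p.allowed_domains):
            return None  # requester is outside the configured network domain
        if crypto_active and not p.share_during_crypto:
            return None  # withheld while a cryptographic operation is active
        stale = (self._sample is None
                 or now - self._sample_time >= p.refresh_interval_s)
        if stale:
            # Every requester sees the same slowly refreshed value, so polling
            # faster (or from more addresses) never yields a finer time series.
            step = p.granularity_watts
            self._sample = round(power_watts / step) * step
            self._sample_time = now
        return self._sample

def demo():
    # Constructed inputs: documentation prefixes and made-up wattages.
    r = PowerReporter(PowerReportPolicy(allowed_domains=["192.0.2.0/24"]))
    return [
        r.report("198.51.100.7", 0, 212.4, False),  # outside the domain
        r.report("192.0.2.10", 0, 212.4, True),     # crypto in progress
        r.report("192.0.2.10", 1, 212.4, False),    # fresh coarse sample
        r.report("192.0.2.11", 30, 218.9, False),   # cached, not re-sampled
        r.report("192.0.2.10", 61, 218.9, False),   # interval elapsed
    ]
```

As Shawn's comments in the thread point out, coarsening of this kind narrows what a remote observer gets but cannot be assumed to remove the leak on a given device.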