Re: [sfc] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08

["Frank Brockners (fbrockne)" <fbrockne@cisco.com>]

Hi Christian,
Thanks for the follow up – and the suggestion of an alternate approach. IMHO – and I checked with other authors, who voiced similar views – it would be best to follow your guidance and have the working group crispen up the requirements as well as assumptions for the operational environment and only then discuss and evaluate solution approaches.
Depending on the target set of requirements and the operational environment, the WG can choose an appropriate approach with guidance from CFRG. That could be, per what you suggest below, something much simpler from a control plane perspective - avoiding the complexities of SSS  – with a data-plane as simple as what the draft currently suggests. That could also be another, yet to be determined approach, such as the approach based on nested encryption that the WG discussed before, or an SSS based approach with a polynomial per packet, etc. Hopefully we’ll get it right the next time.

Martin, Jim, Joel – any thoughts and guidance from your end, on whether the document should be handed back to the working group?

Thanks again, Frank


From: Christian Huitema <huitema@huitema.net>
Sent: Saturday, 25 September 2021 16:42
To: Frank Brockners (fbrockne) <fbrockne@cisco.com>; secdir@ietf.org
Cc: shwetha.bhandari@gmail.com; last-call@ietf.org; Youell, Stephen <stephen.youell@jpmorgan.com>; sfc@ietf.org; draft-ietf-sfc-proof-of-transit.all@ietf.org; krishna.sashank@gmail.com
Subject: Re: [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08



On 9/25/2021 4:20 AM, Frank Brockners (fbrockne) wrote:

Hi Christian,



Thanks for the follow-up. Please see below.



-----Original Message-----

From: Christian Huitema <huitema@huitema.net><mailto:huitema@huitema.net>

Sent: Friday, 24 September 2021 17:16

To: Frank Brockners (fbrockne) <fbrockne@cisco.com><mailto:fbrockne@cisco.com>; secdir@ietf.org<mailto:secdir@ietf.org>

Cc: shwetha.bhandari@gmail.com<mailto:shwetha.bhandari@gmail.com>; last-call@ietf.org<mailto:last-call@ietf.org>; Youell, Stephen

<stephen.youell@jpmorgan.com><mailto:stephen.youell@jpmorgan.com>; sfc@ietf.org<mailto:sfc@ietf.org>; draft-ietf-sfc-proof-of-

transit.all@ietf.org<mailto:transit.all@ietf.org>; krishna.sashank@gmail.com<mailto:krishna.sashank@gmail.com>

Subject: Re: [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-

08





On 9/24/2021 1:39 AM, Frank Brockners (fbrockne) wrote:

Hi Christian,



Thanks a lot for the detailed follow-up. Please see inline.



-----Original Message-----

From: Christian Huitema <huitema@huitema.net><mailto:huitema@huitema.net>

Sent: Thursday, 23 September 2021 22:13

To: Frank Brockners (fbrockne) <fbrockne@cisco.com><mailto:fbrockne@cisco.com>; secdir@ietf.org<mailto:secdir@ietf.org>

Cc: shwetha.bhandari@gmail.com<mailto:shwetha.bhandari@gmail.com>; last-call@ietf.org<mailto:last-call@ietf.org>; Youell, Stephen

<stephen.youell@jpmorgan.com><mailto:stephen.youell@jpmorgan.com>; sfc@ietf.org<mailto:sfc@ietf.org>; draft-ietf-sfc-proof-of-

transit.all@ietf.org<mailto:transit.all@ietf.org>

Subject: Re: [Last-Call] Secdir last call review of

draft-ietf-sfc-proof-of-transit-

08





On 9/23/2021 12:31 PM, Frank Brockners (fbrockne) wrote:

Hi Christian,



Thanks a lot for your detailed review. Please see inline.



-----Original Message-----

From: Christian Huitema via Datatracker <noreply@ietf.org><mailto:noreply@ietf.org>

Sent: Monday, 20 September 2021 05:48

To: secdir@ietf.org<mailto:secdir@ietf.org>

Cc: draft-ietf-sfc-proof-of-transit.all@ietf.org<mailto:draft-ietf-sfc-proof-of-transit.all@ietf.org>;

last-call@ietf.org<mailto:last-call@ietf.org>; sfc@ietf.org<mailto:sfc@ietf.org>

Subject: Secdir last call review of

draft-ietf-sfc-proof-of-transit-08



Reviewer: Christian Huitema

Review result: Serious Issues



I have reviewed this document as part of the security directorate's

ongoing effort to review all IETF documents being processed by the

IESG.  These comments were written primarily for the benefit of the

security

area directors.

Document editors and WG chairs should treat these comments just

like any other last call comments.



This document proposes a security mechanism to prove that traffic

transited through all specified nodes in a path. The mechanism

works by adding a short option to each packet for which transit

shall be verified. The option consists of a random number set by

the originator of the packet, and a sum field to which each transit

node adds a value depending on public parameters, on the random

number and on secrets held by the node. The destination has access

to all the secrets held by the nodes on the path, and can verify

whether or not the final sum corresponds to the sum of expected

values. The proposed size

of the random number and the sum field is 64 bits.

In the paragraph above, I described the mechanism without

mentioning the algorithm used to compute these 64 bit numbers. The

64 bit size is obviously a

concern: for cryptographic applications, 64 bits is not a large

number, and that might be a weakness whatever the proposed algorithm.

The actual algorithm appears to be a bespoke derivation of Shamir's

Secret Sharing algorithm (SSS). In other word, it is a case of

"inventing your

own crypto".

...FB: SSS is a well know algorithm and

draft-ietf-sfc-proof-of-transit does not

modify it.

All draft-ietf-sfc-proof-of-transit does is to operationalize the

SSS algorithm

for the proof of transit use case.

Also note that the draft does not require the use of 64 bit numbers.

Nor does draft require a minimum time between changing the secrets.

What particular attack are you concerned about where 64 bit numbers

are a

concern?

SSS relies on the representation of polynomials as a sum of

Lagrange Basis Polynomials. Each of the participating nodes holds a

share of the secret represented by a point on the polynomial curve.

A polynomial of degree K on the field of integers modulo a prime

number N can only be revealed if at list K+1 participants reveal

the value of their point. The safety of the algorithm relies on the

size of the number N and on the fact that the secret shall be revealed only

once.

But the algorithm does not use SSS directly, so it deserves its own

security

analysis instead of relying simply on Shamir's work.

The proposed algorithm uses two polynomials of degree K for a path

containing

K+1 nodes, on a field defined by a prime number N of 64 bits. One

K+of the

polynomial, POLY-1, is secret, and only fully known by the verifying node.

The other, POLY-2 is public, with the constant coefficient set at a

random value RND for each packet.



For each packet, the goal is compute the value of POLY-1 plus

POLY-2 at the point 0 -- that is, the constant coefficient of

POLY-3 = POLY-1 + POLY-

2.

Without going in too much details, one can observe that the

constant coefficient of POLY-3 is equal to the sum of the constant

coefficients of POLY-1 and POLY-2, and that the constant

coefficient of POLY-2 is the value RND present in each packet. In

the example given in section 3.3.2, the numbers are computed modulo

53, the constant coefficient of POLY-1 is 10, and the value RND is

45. The final sum  CML is indeed

10 + 45 = 2 mod 53.



To me, this appears as a serious weakness in the algorithm. If an

adversary can observe the value RND and CML for a first packet, it

can retrieve the constant coefficient of POLY-1, and thus can

predict the value of CML for any other packet. That does not seem very

secure.

...FB: There seems to be a bit of confusion or misreading of how the

method

works. In the above statement you seem to assume that the verifier

would not be part of the proof-chain, so that the final CML value

would be somehow exposed to an external entity along with RND. This

is not the case. The verifier is the last node (k+1) in the proof-chain.

At concept level, the method reconstructs the polynomial hop by hop,

picking

up a point on the curve at every hop. Only final node in the

proof-chain, which is also the verifier, acts on the information of

all the k+1 points and as such is able to reconstruct the polynomial.

In section 3.2.1, the draft explicitly states that the verifier *is*

part of the

proof-chain: "Each of the k+1 nodes (including verifier) are assigned

a point on the polynomial i.e., shares of the SECRET." The fact that

the verifier, i.e., the last node in the proof-chain ("k+1"),  can

retrieve the secret, is desired and intentional, because the verifier

needs to compare the result of the iterative construction of the secret with

the secret value it received from the controller.

This is how the system is designed, and the calculation of (10+45)

mod 53 = 2 is part of the verification.



OK. That's slightly less bad. But it is still very bad crypto,

because you are effectively doing a linear combination.



You are evaluating POLY-3 = POLY-1 + POLY-2



POLY-2 can be written as POLY-2 = RND + POLY-2-NC, in which POLY2-NC

only contains the non constant terms -- that is, POLY-2-NC(0) = 0



Then for any point X, we get POLY-3(X) = POLY-1(X) + POLY2-NC(X) +

RND For a given value Xj of X, this means we can express : POLY-3(Xj)

= Vj + RND In which Vj is a constant term = POLY-1(Xj) + POLY2-NC(Xj)



Each node will increment the cumul by the value LPCj * POLY-3(Xj) =

LPCj

* (Vj + RND)



Suppose that an adversary can observe the value of CML before and

after being incremented by node Xj. Suppose that it could do that

twice. Then it has the

values:



CML1-before-j = C1b

CML1-after-j = C1a

D1 = C1a - C1b = LPCj * (Vj + RND1)



CML1-before-j = C2b

CML1-after-j = C2a

D2 = C2a - C2b = LPCj * (Vj + RND2)



D2-D1 = LPCj*(RND2-RND1)



LPCj = (RND2-RND1)/(D2-D1)

Vj = D2/LPCj - RND2



The inverse of numbers modulo a prime P is easily computed -- see

Fermat's little theorem.



Once the input and output of a node have been observed twice, it

becomes easy to update the cumulative sum CML while bypassing these

nodes.

...FB: This is great. Thanks for spelling out the details.  You raise a good point:

For the solution to make sense, we need to ensure that an attacker cannot

observe the input and output of a node.

To ensure this does not happen, we must require the communication to/from

the node to be encrypted, e.g., through link layer encryption of at least the

proof-of-transit data fields.

We'll add this requirement to the draft - and also detail the threat you describe

above in detail in the security considerations section.



That still will not be sufficient, because you also have to deal with the nodes

themselves. By definition, they see the intermediate results of other nodes. For

example, if the function chain is A->B->C->D->E, the node B sees the output of B

and the node D sees the input of D. If B and D  collude, they have access to the

input and output of C. They can easily find the secrets of C, and then execute a

chain A->B---->D->E in which the input of D is "corrected" to hide the absence of

C from the evaluator E.



Thanks much. You raise another valid point and we will add it to the security considerations section.

That said, IMHO we'd need to put the scenario you raise into perspective:

If the nodes B and D would be compromised by an attacker, the deployment would face a much more serious security issue than what any proof-of-transit method could protect against.





The linear combination scheme in the draft is not sound crypto. My

recommendation is to present the problem and the threat model clearly to the

crypto community, for example by presenting to the CFRG, and solicit advice on

better algorithms.



There has been quite a bit of discussion on proof of transit in several WGs, even before the SFC WG picked it up. And the SFC working group has considered different approaches early on in the solution specification, including e.g., using nested encryption, which is probably more in line with your preferences. See https://datatracker.ietf.org/doc/html/draft-ietf-sfc-proof-of-transit-01#section-3.5.1. From my recollection of the discussion - others please chime in - one main reason of why the current approach was chosen was its computational simplicity, i.e., hardware platforms which do not support native encryption capabilities like AES-NI can implement it without considerable impact on the computational latency. So in other words, the current method is the result of a trade-off decision.
We are discussing mathematics, not opinions. It is not a matter of preferences, it is a matter of threat model. The draft that I reviewed does not mention that the scheme should only be used in a benign environment in which no attacker can see the traffic and all nodes are fully trusted to not try gaming the system. The proposed scheme uses crypto vocabulary, with references to SSS and use of terms like "proof" or "cryptanalysis". Indeed, the header paragraph of the security considerations says:

   POT is a mechanism that is used for verifying the path through which

   a packet was forwarded.  The security considerations of IOAM in

   general are discussed in [I-D.ietf-ippm-ioam-data].  Specifically, it

   is assumed that POT is used in a confined network domain, and

   therefore the potential threats that POT is intended to mitigate

   should be viewed accordingly.  POT prevents spoofing and tampering;

   an attacker cannot maliciously create a bogus POT or modify a

   legitimate one.  Furthermore, a legitimate node that takes part in

   the POT protocol cannot masquerade as another node along the path.

   These considerations are discussed in detail in the rest of this

   section.

The previous discussions have shown that an attacker CAN  "maliciously create a bogus POT or modify a legitimate one", provided it is able to see the traffic, or some of the traffic. The discussions also show that "a legitimate node that takes part in the POT protocol" CAN "masquerade as another node along the path". Contrary to statements in the "cryptanalysis" section, "A passive attacker observing CML values across nodes (i.e., as the packets entering and leaving)" CAN  "perform differential analysis". The attack cannot "be mitigated using a good PRNG for generating RND".

If the system was only designed for operation in a "benign environment" and you were only concerned with detecting operation failures, I am pretty sure that you could come out with something less complicated. For example you could exploit the analysis that I made to radically simplify the implementation and describe the scheme as "CML = Sum (Xj*RNDp)", where Xj is a secret coefficient provisioned to node j, and RNPp is per packet random number. The verification by the evaluator will check that "RND == CML + Xe*RND", where "Xe = 1 - Sum Xj". That would get you an easy-to-implement checksum. But you would need to be very clear about the domain of application, and the failure mode if the traffic can be observed or nodes can be compromised, and the draft should probably drop the references to Shamir's SSS, because they just obfuscate the analysis.

-- Christian Huitema