Re: [sfc] Secdir last call review of draft-ietf-sfc-proof-of-transit-08

"Frank Brockners (fbrockne)" <fbrockne@cisco.com> Thu, 23 September 2021 19:32 UTC

From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Christian Huitema <huitema@huitema.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-sfc-proof-of-transit.all@ietf.org" <draft-ietf-sfc-proof-of-transit.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "Youell, Stephen" <stephen.youell@jpmorgan.com>
Date: Thu, 23 Sep 2021 19:31:31 +0000
Message-ID: <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com>
References: <163210969860.31323.5718880916818308072@ietfa.amsl.com>
In-Reply-To: <163210969860.31323.5718880916818308072@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/A6iiyT1QGJ84Z-mMBR5IiZjJRgk>

Hi Christian,

Thanks a lot for your detailed review. Please see inline.

> -----Original Message-----
> From: Christian Huitema via Datatracker <noreply@ietf.org>
> Sent: Monday, 20 September 2021 05:48
> To: secdir@ietf.org
> Cc: draft-ietf-sfc-proof-of-transit.all@ietf.org; last-call@ietf.org; sfc@ietf.org
> Subject: Secdir last call review of draft-ietf-sfc-proof-of-transit-08
> 
> Reviewer: Christian Huitema
> Review result: Serious Issues
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any
> other last call comments.
> 
> This document proposes a security mechanism to prove that traffic transited
> through all specified nodes in a path. The mechanism works by adding a short
> option to each packet for which transit shall be verified. The option consists of a
> random number set by the originator of the packet, and a sum field to which
> each transit node adds a value depending on public parameters, on the random
> number and on secrets held by the node. The destination has access to all the
> secrets held by the nodes on the path, and can verify whether or not the final
> sum corresponds to the sum of expected values. The proposed size of the
> random number and the sum field is 64 bits.
> 
> In the paragraph above, I described the mechanism without mentioning the
> algorithm used to compute these 64 bit numbers. The 64 bit size is obviously a
> concern: for cryptographic applications, 64 bits is not a large number, and that
> might be a weakness whatever the proposed algorithm. The actual algorithm
> appears to be a bespoke derivation of Shamir's Secret Sharing algorithm (SSS). In
> other words, it is a case of "inventing your own crypto".

...FB: SSS is a well-known algorithm and draft-ietf-sfc-proof-of-transit does not modify it.
All draft-ietf-sfc-proof-of-transit does is to operationalize the SSS algorithm for the proof of transit use case.

Also note that the draft does not require the use of 64 bit numbers.
Nor does the draft require a minimum time between changing the secrets.
What particular attack are you concerned about where 64 bit numbers are a concern?

> 
> SSS relies on the representation of polynomials as a sum of Lagrange Basis
> Polynomials. Each of the participating nodes holds a share of the secret
> represented by a point on the polynomial curve. A polynomial of degree K on the
> field of integers modulo a prime number N can only be revealed if at least K+1
> participants reveal the value of their point. The safety of the algorithm relies on
> the size of the number N and on the fact that the secret shall be revealed only
> once. But the algorithm does not use SSS directly, so it deserves its own security
> analysis instead of relying simply on Shamir's work.
> 
> The proposed algorithm uses two polynomials of degree K for a path containing
> K+1 nodes, on a field defined by a prime number N of 64 bits. One of the
> polynomials, POLY-1, is secret, and only fully known by the verifying node.
> The other, POLY-2 is public, with the constant coefficient set at a random value
> RND for each packet.
> 
> For each packet, the goal is to compute the value of POLY-1 plus POLY-2 at the
> point 0 -- that is, the constant coefficient of POLY-3 = POLY-1 + POLY-2.
> 
> Without going into too much detail, one can observe that the constant
> coefficient of POLY-3 is equal to the sum of the constant coefficients of POLY-1
> and POLY-2, and that the constant coefficient of POLY-2 is the value RND
> present in each packet. In the example given in section 3.3.2, the numbers are
> computed modulo 53, the constant coefficient of POLY-1 is 10, and the value
> RND is 45. The final sum CML is indeed
> 10 + 45 = 2 mod 53.
> 
> To me, this appears as a serious weakness in the algorithm. If an adversary can
> observe the value RND and CML for a first packet, it can retrieve the constant
> coefficient of POLY-1, and thus can predict the value of CML for any other
> packet. That does not seem very secure.

...FB: There seems to be a bit of confusion or misreading of how the method works. In the above statement you seem to assume that the verifier would not be part of the proof-chain, so that the final CML value would be somehow exposed to an external entity along with RND. This is not the case. The verifier is the last node (k+1) in the proof-chain.

At concept level, the method reconstructs the polynomial hop by hop, picking up a point on the curve at every hop. Only the final node in the proof-chain, which is also the verifier, acts on the information of all the k+1 points and as such is able to reconstruct the polynomial.

In section 3.2.1, the draft explicitly states that the verifier *is* part of the proof-chain: "Each of the k+1 nodes (including verifier) are assigned a point on the polynomial i.e., shares of the SECRET." The fact that the verifier, i.e., the last node in the proof-chain ("k+1"), can retrieve the secret, is desired and intentional, because the verifier needs to compare the result of the iterative construction of the secret with the secret value it received from the controller. This is how the system is designed, and the calculation of (10+45) mod 53 = 2 is part of the verification.

Cheers, Frank



> 
> My recommendation would be to present the problem and ask the CFRG for
> algorithm recommendations.
>
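
The hop-by-hop accumulation that both messages discuss, as an added example that is not part of the original thread or the draft's own code. The modulus 53, the POLY-1 constant 10 and RND = 45 are the values quoted above; the node x-values and the remaining polynomial coefficients are constructed for illustration, and all function names are hypothetical.

```python
# Added illustration; P, SECRET and RND = 45 are the values quoted in the thread.
# Node x-values and the non-constant coefficients are constructed.
P = 53
SECRET = 10
POLY1 = [SECRET, 3, 3]   # secret polynomial, low-order coefficient first
POLY2_TAIL = [7, 10]     # public x^1 and x^2 coefficients of POLY-2
NODE_X = [2, 4, 5]       # one point per node; the last node is the verifier


def evaluate(coeffs, x):
    """Horner evaluation of a polynomial modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_at_zero(xs, j):
    """Lagrange basis constant for node j, evaluated at x = 0, modulo P."""
    num, den = 1, 1
    for m, xm in enumerate(xs):
        if m != j:
            num = num * (-xm) % P
            den = den * (xs[j] - xm) % P
    return num * pow(den, -1, P) % P


def run_chain(rnd, skipped=()):
    """Accumulate CML across the nodes; nodes in `skipped` add nothing."""
    cml = 0
    for j, x in enumerate(NODE_X):
        if j in skipped:
            continue
        share1 = evaluate(POLY1, x)               # node's share of POLY-1
        share2 = evaluate([rnd] + POLY2_TAIL, x)  # POLY-2 point from the packet's RND
        cml = (cml + (share1 + share2) * lagrange_at_zero(NODE_X, j)) % P
    return cml


def verify(cml, rnd):
    """Verifier check: final CML must equal POLY-3(0) = SECRET + RND mod P."""
    return cml == (SECRET + rnd) % P


if __name__ == "__main__":
    full = run_chain(45)
    print("full path:", full, verify(full, 45))
    bypass = run_chain(45, skipped={1})
    print("middle node bypassed:", bypass, verify(bypass, 45))
```

With all three nodes contributing, the final CML is (10 + 45) mod 53 = 2 and the check passes; with the middle node bypassed, the accumulated value no longer matches and the check fails.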