Re: [sfc] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
Christian Huitema <huitema@huitema.net> Fri, 24 September 2021 15:16 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C2C83A08ED for <sfc@ietfa.amsl.com>; Fri, 24 Sep 2021 08:16:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.111
X-Spam-Level: ***
X-Spam-Status: No, score=3.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=5, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EbeqJxySlBnE for <sfc@ietfa.amsl.com>; Fri, 24 Sep 2021 08:16:24 -0700 (PDT)
Received: from mx36-out20.antispamcloud.com (mx36-out20.antispamcloud.com [209.126.121.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C10483A08FA for <sfc@ietf.org>; Fri, 24 Sep 2021 08:16:24 -0700 (PDT)
Received: from xse465.mail2web.com ([66.113.197.211] helo=xse.mail2web.com) by mx136.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1mTmvu-00029N-Tb for sfc@ietf.org; Fri, 24 Sep 2021 17:16:21 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4HGFws6239zDWg for <sfc@ietf.org>; Fri, 24 Sep 2021 08:16:13 -0700 (PDT)
Received: from [10.5.2.49] (helo=xmail11.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1mTmvt-0006qs-Mz for sfc@ietf.org; Fri, 24 Sep 2021 08:16:13 -0700
Received: (qmail 18678 invoked from network); 24 Sep 2021 15:16:13 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.58.43.0]) (envelope-sender <huitema@huitema.net>) by xmail11.myhosting.com (qmail-ldap-1.03) with ESMTPA for <krishna.sashank@gmail.com>; 24 Sep 2021 15:16:13 -0000
To: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>, "secdir@ietf.org" <secdir@ietf.org>
Cc: "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "last-call@ietf.org" <last-call@ietf.org>, "Youell, Stephen" <stephen.youell@jpmorgan.com>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-proof-of-transit.all@ietf.org" <draft-ietf-sfc-proof-of-transit.all@ietf.org>, "krishna.sashank@gmail.com" <krishna.sashank@gmail.com>
References: <163210969860.31323.5718880916818308072@ietfa.amsl.com> <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com> <7329d9eb-3597-0006-dbc5-892a4ada74ab@huitema.net> <DM8PR11MB56061C0D02BC169F39D41407DAA49@DM8PR11MB5606.namprd11.prod.outlook.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <31b9ad77-1848-011c-9b3f-3787aee21e41@huitema.net>
Date: Fri, 24 Sep 2021 08:16:12 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <DM8PR11MB56061C0D02BC169F39D41407DAA49@DM8PR11MB5606.namprd11.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.197.211
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.13)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT/CZNiEfG5h0ymcjMxjEvvwPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5wC9QKR8x3cqbo833Y5QPZUj3CSdYahsEhiizd3WfZtEe73 N+SttdynMG+ZUTI1RyTlYLLlWSy3OGfGBNeqx2anHyJxjDLo4/ugN15VVJm4KWrxEaaKeSxe0Wrx 6M4G5/Wm4Zd53xWOh54QqC5fJ2uRp/HAJy4pHy/8uhgy9Mxqulxh7hoyMoWHMkqYfQEaAmuTN39V SAGznwTrlYf+WLCVpbt3W3gfNnuKkqGP09ZKLP25Cgscc2Nqd9azmDa4ZbYxn04qRLKGrOrEzQDq o2Fe5e0H1p2YD3fIDgqE3F/hSENKwnAR2oVisY+bnEqWCKi5klmK1va3wJScg92pg//jdNpXP/ul EV6DIUDLc0Yd6iTlYE+Zcn8p1rPpG64P1y7nVrUQfxkYoV3jt7fqlPgR0kaOEXLuWd+6zLg4wp8u X1nsyWu8Q0HDoORE+fy5gr3LgKffTIgl7nuGO/IJU1342OUMeHyTpNN0eXybX/w7/4a+Zyc1sUYl ckMDbruAhxfaTSRjFdfhbaOt3LLrhebQ6tEBc/jeO8LqYflYiCA5ag3Ubmat6szQt01VO73bjaW2 Q2/CHbJG3uFkHK5UCRMVEnFzsC48bTEFY06/YbB87Ww8G0LoS8V3Mt1pta8qAcLtCB3G1CwpaI3Z 4ESkMWDVJEenxBoIht3V0nekAoxXAhFpK+qgSYKcKb+D8MLKQiKyuLfHqAnAj7rgKH7+eCmmxMkI z8WNy2qsq567/5cEbFShcA6Xvva2QAVEjpqzANbJ1UfXmet2cbFKoyT/OdZL3NUlbmunHZ46khGd SkjPKW0AuXq0T17woJo3avKeADIsy647Mn0zwmGzAi3Zn+YdthRNgs7Ig4l/XErpYn3glZTKFuaT l19W3ISq9+1KiLsESGU+y+fjdgjudZxiTPi+MG1QP35nsYfP84c+RFK3KiZuZ5OAUoGBziSYFLZu u6zX3xxsmqT8l9ARlsTalAaf
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/zy4WN95Q5wMkpkC_Y9YBOtWhAUY>
Subject: Re: [sfc] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2021 15:16:39 -0000
On 9/24/2021 1:39 AM, Frank Brockners (fbrockne) wrote: > Hi Christian, > > Thanks a lot for the detailed follow-up. Please see inline. > >> -----Original Message----- >> From: Christian Huitema <huitema@huitema.net> >> Sent: Thursday, 23 September 2021 22:13 >> To: Frank Brockners (fbrockne) <fbrockne@cisco.com>; secdir@ietf.org >> Cc: shwetha.bhandari@gmail.com; last-call@ietf.org; Youell, Stephen >> <stephen.youell@jpmorgan.com>; sfc@ietf.org; draft-ietf-sfc-proof-of- >> transit.all@ietf.org >> Subject: Re: [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit- >> 08 >> >> >> On 9/23/2021 12:31 PM, Frank Brockners (fbrockne) wrote: >>> Hi Christian, >>> >>> Thanks a lot for your detailed review. Please see inline. >>> >>>> -----Original Message----- >>>> From: Christian Huitema via Datatracker <noreply@ietf.org> >>>> Sent: Monday, 20 September 2021 05:48 >>>> To: secdir@ietf.org >>>> Cc: draft-ietf-sfc-proof-of-transit.all@ietf.org; last-call@ietf.org; >>>> sfc@ietf.org >>>> Subject: Secdir last call review of >>>> draft-ietf-sfc-proof-of-transit-08 >>>> >>>> Reviewer: Christian Huitema >>>> Review result: Serious Issues >>>> >>>> I have reviewed this document as part of the security directorate's >>>> ongoing effort to review all IETF documents being processed by the >>>> IESG. These comments were written primarily for the benefit of the security >> area directors. >>>> Document editors and WG chairs should treat these comments just like >>>> any other last call comments. >>>> >>>> This document proposes a security mechanism to prove that traffic >>>> transited through all specified nodes in a path. The mechanism works >>>> by adding a short option to each packet for which transit shall be >>>> verified. The option consists of a random number set by the >>>> originator of the packet, and a sum field to which each transit node >>>> adds a value depending on public parameters, on the random number and >>>> on secrets held by the node. The destination has access to all the >>>> secrets held by the nodes on the path, and can verify whether or not >>>> the final sum corresponds to the sum of expected values. The proposed size >> of the random number and the sum field is 64 bits. >>>> In the paragraph above, I described the mechanism without mentioning >>>> the algorithm used to compute these 64 bit numbers. The 64 bit size >>>> is obviously a >>>> concern: for cryptographic applications, 64 bits is not a large >>>> number, and that might be a weakness whatever the proposed algorithm. >>>> The actual algorithm appears to be a bespoke derivation of Shamir's >>>> Secret Sharing algorithm (SSS). In other word, it is a case of "inventing your >> own crypto". >>> ...FB: SSS is a well know algorithm and draft-ietf-sfc-proof-of-transit does not >> modify it. >>> All draft-ietf-sfc-proof-of-transit does is to operationalize the SSS algorithm >> for the proof of transit use case. >>> Also note that the draft does not require the use of 64 bit numbers. >>> Nor does draft require a minimum time between changing the secrets. >>> What particular attack are you concerned about where 64 bit numbers are a >> concern? >>>> SSS relies on the representation of polynomials as a sum of Lagrange >>>> Basis Polynomials. Each of the participating nodes holds a share of >>>> the secret represented by a point on the polynomial curve. A >>>> polynomial of degree K on the field of integers modulo a prime number >>>> N can only be revealed if at list K+1 participants reveal the value >>>> of their point. The safety of the algorithm relies on the size of the >>>> number N and on the fact that the secret shall be revealed only once. >>>> But the algorithm does not use SSS directly, so it deserves its own security >> analysis instead of relying simply on Shamir's work. >>>> The proposed algorithm uses two polynomials of degree K for a path >>>> containing >>>> K+1 nodes, on a field defined by a prime number N of 64 bits. One of >>>> K+the >>>> polynomial, POLY-1, is secret, and only fully known by the verifying node. >>>> The other, POLY-2 is public, with the constant coefficient set at a >>>> random value RND for each packet. >>>> >>>> For each packet, the goal is compute the value of POLY-1 plus POLY-2 >>>> at the point 0 -- that is, the constant coefficient of POLY-3 = POLY-1 + POLY- >> 2. >>>> Without going in too much details, one can observe that the constant >>>> coefficient of POLY-3 is equal to the sum of the constant >>>> coefficients of POLY-1 and POLY-2, and that the constant coefficient >>>> of POLY-2 is the value RND present in each packet. In the example >>>> given in section 3.3.2, the numbers are computed modulo 53, the >>>> constant coefficient of POLY-1 is 10, and the value RND is 45. The >>>> final sum CML is indeed >>>> 10 + 45 = 2 mod 53. >>>> >>>> To me, this appears as a serious weakness in the algorithm. If an >>>> adversary can observe the value RND and CML for a first packet, it >>>> can retrieve the constant coefficient of POLY-1, and thus can predict >>>> the value of CML for any other packet. That does not seem very secure. >>> ...FB: There seems to be a bit of confusion or misreading of how the method >> works. In the above statement you seem to assume that the verifier would not >> be part of the proof-chain, so that the final CML value would be somehow >> exposed to an external entity along with RND. This is not the case. The verifier is >> the last node (k+1) in the proof-chain. >>> At concept level, the method reconstructs the polynomial hop by hop, picking >> up a point on the curve at every hop. Only final node in the proof-chain, which is >> also the verifier, acts on the information of all the k+1 points and as such is able >> to reconstruct the polynomial. >>> In section 3.2.1, the draft explicitly states that the verifier *is* part of the >> proof-chain: "Each of the k+1 nodes (including verifier) are assigned a point on >> the polynomial i.e., shares of the SECRET." The fact that the verifier, i.e., the last >> node in the proof-chain ("k+1"), can retrieve the secret, is desired and >> intentional, because the verifier needs to compare the result of the iterative >> construction of the secret with the secret value it received from the controller. >> This is how the system is designed, and the calculation of (10+45) mod 53 = 2 is >> part of the verification. >> >> OK. That's slightly less bad. But it is still very bad crypto, because you are >> effectively doing a linear combination. >> >> You are evaluating POLY-3 = POLY-1 + POLY-2 >> >> POLY-2 can be written as POLY-2 = RND + POLY-2-NC, in which POLY2-NC only >> contains the non constant terms -- that is, POLY-2-NC(0) = 0 >> >> Then for any point X, we get POLY-3(X) = POLY-1(X) + POLY2-NC(X) + RND For a >> given value Xj of X, this means we can express : POLY-3(Xj) = Vj + RND In which Vj >> is a constant term = POLY-1(Xj) + POLY2-NC(Xj) >> >> Each node will increment the cumul by the value LPCj * POLY-3(Xj) = LPCj >> * (Vj + RND) >> >> Suppose that an adversary can observe the value of CML before and after being >> incremented by node Xj. Suppose that it could do that twice. Then it has the >> values: >> >> CML1-before-j = C1b >> CML1-after-j = C1a >> D1 = C1a - C1b = LPCj * (Vj + RND1) >> >> CML1-before-j = C2b >> CML1-after-j = C2a >> D2 = C2a - C2b = LPCj * (Vj + RND2) >> >> D2-D1 = LPCj*(RND2-RND1) >> >> LPCj = (RND2-RND1)/(D2-D1) >> Vj = D2/LPCj - RND2 >> >> The inverse of numbers modulo a prime P is easily computed -- see Fermat's >> little theorem. >> >> Once the input and output of a node have been observed twice, it becomes easy >> to update the cumulative sum CML while bypassing these nodes. > ...FB: This is great. Thanks for spelling out the details. You raise a good point: For the solution to make sense, we need to ensure that an attacker cannot observe the input and output of a node. > To ensure this does not happen, we must require the communication to/from the node to be encrypted, e.g., through link layer encryption of at least the proof-of-transit data fields. > We'll add this requirement to the draft - and also detail the threat you describe above in detail in the security considerations section. That still will not be sufficient, because you also have to deal with the nodes themselves. By definition, they see the intermediate results of other nodes. For example, if the function chain is A->B->C->D->E, the node B sees the output of B and the node D sees the input of D. If B and D collude, they have access to the input and output of C. They can easily find the secrets of C, and then execute a chain A->B---->D->E in which the input of D is "corrected" to hide the absence of C from the evaluator E. The linear combination scheme in the draft is not sound crypto. My recommendation is to present the problem and the threat model clearly to the crypto community, for example by presenting to the CFRG, and solicit advice on better algorithms. -- Christian Huitema
- [sfc] Secdir last call review of draft-ietf-sfc-p… Christian Huitema via Datatracker
- Re: [sfc] Secdir last call review of draft-ietf-s… Frank Brockners (fbrockne)
- Re: [sfc] [Last-Call] Secdir last call review of … Christian Huitema
- Re: [sfc] [Last-Call] Secdir last call review of … Frank Brockners (fbrockne)
- Re: [sfc] [Last-Call] Secdir last call review of … Christian Huitema
- Re: [sfc] [Last-Call] Secdir last call review of … Frank Brockners (fbrockne)
- Re: [sfc] [Last-Call] Secdir last call review of … Christian Huitema
- Re: [sfc] [Last-Call] Secdir last call review of … Frank Brockners (fbrockne)
- Re: [sfc] [Last-Call] Secdir last call review of … Joel M. Halpern
- Re: [sfc] [Last-Call] Secdir last call review of … Martin Vigoureux