IETF Logo Mail Archive

Re: [sidr] preventing SKI collisions

Richard Hansen <rhansen@bbn.com> Tue, 11 August 2015 23:59 UTC

Return-Path: <rhansen@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B339E1A0141 for <sidr@ietfa.amsl.com>; Tue, 11 Aug 2015 16:59:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5hchVEpFAlUq for <sidr@ietfa.amsl.com>; Tue, 11 Aug 2015 16:59:05 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C57C81A0120 for <sidr@ietf.org>; Tue, 11 Aug 2015 16:59:05 -0700 (PDT)
Received: from socket.bbn.com ([192.1.120.102]:42728) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <rhansen@bbn.com>) id 1ZPJRY-000Q0n-CS; Tue, 11 Aug 2015 19:58:56 -0400
X-Submitted: to socket.bbn.com (Postfix) with ESMTPSA id 345973FED5
Message-ID: <55CA8C3F.5050402@bbn.com>
Date: Tue, 11 Aug 2015 19:58:55 -0400
From: Richard Hansen <rhansen@bbn.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>
References: <555F436F.3080003@bbn.com> <2BF75857-6A5F-4260-B13B-0B9F6CE3FD98@ieca.com> <197E8AEA-D554-4DB4-885E-CFD55EF9E774@ripe.net> <m2wpx7pes6.wl%randy@psg.com> <55C4D7C8.4000401@bbn.com> <97B4FBD1-BCE6-4D37-BC0C-07A211347FBF@ieca.com> <55CA51A6.1070209@bbn.com>
In-Reply-To: <55CA51A6.1070209@bbn.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/7ChmpaMb0HWskKJUC646YbQ0Grk>
Cc: sidr@ietf.org
Subject: Re: [sidr] preventing SKI collisions
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 23:59:07 -0000

On 2015-08-11 15:48, Stephen Kent wrote:
> Sean,
> 
>> ...
>> Okay so I want to agree.  But, I’m still trying to grok something
>> you sent in an earlier msg
>> (https://mailarchive.ietf.org/arch/msg/sidr/9vVsAheeeZMj7GI00nyGBDHBqPI)
>> that I think is related when you said:
>>
>>   RPs would not have to calculate/validate the SKI value; they would only
>>   need to check for collisions within an AS.
>
> No, and yes.
> 
> I was chatting with Sandy and noted that a compliant RP does have to 
> check that the SKI is the hash of the public key, as per RFC 6487.
> That RFC says that KI values are computed as SHA-1 hashes of the
> (relevant) public key (section 4.8.2), and that RPs are supposed to 
> confirm this, as per item #3 in Section 7.2:
> 
>           The certificate contains all fields that MUST be present, as
>           defined by this specification, *and contains values for
>           selected fields that are defined as allowable values by this
>           specification.*
> 
> This requirement is more stringent than what 5280 mandates. 5280
> imposes requirements on CAs wrt cert generation, but does not require
> that RPs verify that a CA has adhered to these requirements. This
> one-sided approach has not worked out well in the PKI arena in
> general, which is why the RPKI adopted a more symmetric model, i.e.,
> specify what each CA is supposed to do, and then have every RP verify
> that the CAs are doing what they are supposed to.

Yes, you're absolutely correct.  I hadn't noticed that requirement until
both you and Sean quoted it today.

I did not intend to imply that RPs can or should stop validating the SKI
value if the proposed change was accepted.  Indeed, I think it is a good
idea to require a strong hash algorithm and to require RPs to validate
the value.  What I meant to say is:

    If the proposed change was accepted, the ability to defend against
    the attack would no longer depend on validating the SKI; merely
    identifying and invalidating certs in an AS with colliding SKIs is
    sufficient.

Similarly, when I said the following in
<http://article.gmane.org/gmane.ietf.sidr/7119>:

    The above procedure does not require RPs to compute the SHA-1
    hash, yet it's secure against an attacker who wants to create
    colliding certs to overwhelm routers with computational work.
    This validation procedure would enable CAs to use a simple counter
    or any other algorithm for the SKI value because the RPs wouldn't
    be validating the SKI.  That's OK -- the security of BGPsec would
    not be compromised (I think).

I didn't intend to imply that we should stop validating the SKI or
switch to a weak algorithm, only that if we did so then I believe that
the security of BGPsec would remain intact (assuming we adopted the
proposed change).

With apologies for the confusion,
Richard

v2.23.0 | Report a Bug | By Email