Re: [sidr] preventing SKI collisions
Richard Hansen <rhansen@bbn.com> Tue, 11 August 2015 23:59 UTC
Return-Path: <rhansen@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B339E1A0141 for <sidr@ietfa.amsl.com>; Tue, 11 Aug 2015 16:59:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5hchVEpFAlUq for <sidr@ietfa.amsl.com>; Tue, 11 Aug 2015 16:59:05 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C57C81A0120 for <sidr@ietf.org>; Tue, 11 Aug 2015 16:59:05 -0700 (PDT)
Received: from socket.bbn.com ([192.1.120.102]:42728) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <rhansen@bbn.com>) id 1ZPJRY-000Q0n-CS; Tue, 11 Aug 2015 19:58:56 -0400
X-Submitted: to socket.bbn.com (Postfix) with ESMTPSA id 345973FED5
Message-ID: <55CA8C3F.5050402@bbn.com>
Date: Tue, 11 Aug 2015 19:58:55 -0400
From: Richard Hansen <rhansen@bbn.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>
References: <555F436F.3080003@bbn.com> <2BF75857-6A5F-4260-B13B-0B9F6CE3FD98@ieca.com> <197E8AEA-D554-4DB4-885E-CFD55EF9E774@ripe.net> <m2wpx7pes6.wl%randy@psg.com> <55C4D7C8.4000401@bbn.com> <97B4FBD1-BCE6-4D37-BC0C-07A211347FBF@ieca.com> <55CA51A6.1070209@bbn.com>
In-Reply-To: <55CA51A6.1070209@bbn.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/7ChmpaMb0HWskKJUC646YbQ0Grk>
Cc: sidr@ietf.org
Subject: Re: [sidr] preventing SKI collisions
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 23:59:07 -0000
On 2015-08-11 15:48, Stephen Kent wrote: > Sean, > >> ... >> Okay so I want to agree. But, I’m still trying to grok something >> you sent in an earlier msg >> (https://mailarchive.ietf.org/arch/msg/sidr/9vVsAheeeZMj7GI00nyGBDHBqPI) >> that I think is related when you said: >> >> RPs would not have to calculate/validate the SKI value; they would only >> need to check for collisions within an AS. > > No, and yes. > > I was chatting with Sandy and noted that a compliant RP does have to > check that the SKI is the hash of the public key, as per RFC 6487. > That RFC says that KI values are computed as SHA-1 hashes of the > (relevant) public key (section 4.8.2), and that RPs are supposed to > confirm this, as per item #3 in Section 7.2: > > The certificate contains all fields that MUST be present, as > defined by this specification, *and contains values for > selected fields that are defined as allowable values by this > specification.* > > This requirement is more stringent than what 5280 mandates. 5280 > imposes requirements on CAs wrt cert generation, but does not require > that RPs verify that a CA has adhered to these requirements. This > one-sided approach has not worked out well in the PKI arena in > general, which is why the RPKI adopted a more symmetric model, i.e., > specify what each CA is supposed to do, and then have every RP verify > that the CAs are doing what they are supposed to. Yes, you're absolutely correct. I hadn't noticed that requirement until both you and Sean quoted it today. I did not intend to imply that RPs can or should stop validating the SKI value if the proposed change was accepted. Indeed, I think it is a good idea to require a strong hash algorithm and to require RPs to validate the value. What I meant to say is: If the proposed change was accepted, the ability to defend against the attack would no longer depend on validating the SKI; merely identifying and invalidating certs in an AS with colliding SKIs is sufficient. Similarly, when I said the following in <http://article.gmane.org/gmane.ietf.sidr/7119>: The above procedure does not require RPs to compute the SHA-1 hash, yet it's secure against an attacker who wants to create colliding certs to overwhelm routers with computational work. This validation procedure would enable CAs to use a simple counter or any other algorithm for the SKI value because the RPs wouldn't be validating the SKI. That's OK -- the security of BGPsec would not be compromised (I think). I didn't intend to imply that we should stop validating the SKI or switch to a weak algorithm, only that if we did so then I believe that the security of BGPsec would remain intact (assuming we adopted the proposed change). With apologies for the confusion, Richard
- [sidr] preventing SKI collisions Richard Hansen
- Re: [sidr] preventing SKI collisions Stephen Kent
- Re: [sidr] preventing SKI collisions Sean Turner
- Re: [sidr] preventing SKI collisions George Michaelson
- Re: [sidr] preventing SKI collisions Richard Hansen
- Re: [sidr] preventing SKI collisions Tim Bruijnzeels
- Re: [sidr] preventing SKI collisions Randy Bush
- Re: [sidr] preventing SKI collisions Tim Bruijnzeels
- Re: [sidr] preventing SKI collisions Richard Hansen
- Re: [sidr] preventing SKI collisions Sean Turner
- Re: [sidr] preventing SKI collisions Sean Turner
- Re: [sidr] preventing SKI collisions Richard Hansen
- Re: [sidr] preventing SKI collisions Stephen Kent
- Re: [sidr] preventing SKI collisions Richard Hansen
- Re: [sidr] preventing SKI collisions Stephen Kent
- Re: [sidr] preventing SKI collisions Tim Bruijnzeels
- Re: [sidr] preventing SKI collisions Sean Turner
- Re: [sidr] preventing SKI collisions Russ Housley
- Re: [sidr] preventing SKI collisions David Mandelberg
- Re: [sidr] preventing SKI collisions Sandra Murphy
- Re: [sidr] preventing SKI collisions Sean Turner
- Re: [sidr] preventing SKI collisions Randy Bush
- Re: [sidr] preventing SKI collisions Rob Austein