IETF Logo Mail Archive

Re: [sidr] preventing SKI collisions

Sean Turner <turners@ieca.com> Thu, 06 August 2015 23:52 UTC

Return-Path: <turners@ieca.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B1A81B3D5E for <sidr@ietfa.amsl.com>; Thu, 6 Aug 2015 16:52:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hNvlkQaBoNLE for <sidr@ietfa.amsl.com>; Thu, 6 Aug 2015 16:52:15 -0700 (PDT)
Received: from gateway32.websitewelcome.com (gateway32.websitewelcome.com [192.185.145.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 049801ACEAE for <sidr@ietf.org>; Thu, 6 Aug 2015 16:52:15 -0700 (PDT)
Received: by gateway32.websitewelcome.com (Postfix, from userid 500) id 5D5DCC699555B; Thu, 6 Aug 2015 18:52:14 -0500 (CDT)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway32.websitewelcome.com (Postfix) with ESMTP id 497C9C699552D for <sidr@ietf.org>; Thu, 6 Aug 2015 18:52:14 -0500 (CDT)
Received: from [96.231.221.219] (port=61497 helo=[172.16.0.112]) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.85) (envelope-from <turners@ieca.com>) id 1ZNUxJ-000VWB-FQ; Thu, 06 Aug 2015 18:52:13 -0500
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <turners@ieca.com>
In-Reply-To: <555F436F.3080003@bbn.com>
Date: Thu, 06 Aug 2015 19:52:11 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <2BF75857-6A5F-4260-B13B-0B9F6CE3FD98@ieca.com>
References: <555F436F.3080003@bbn.com>
To: Richard Hansen <rhansen@bbn.com>
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 96.231.221.219
X-Exim-ID: 1ZNUxJ-000VWB-FQ
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([172.16.0.112]) [96.231.221.219]:61497
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 2
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/Fv2IXnjHdu_yM11tP9Ie0ZIpv8g>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] preventing SKI collisions
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2015 23:52:17 -0000

On May 22, 2015, at 10:55, Richard Hansen <rhansen@bbn.com> wrote:

> Hi all,
> 
> A while back Sean Turner raised the idea of switching to SHA-256 for the
> Subject Key Identifier while discussing rfc6487bis (see
> <http://article.gmane.org/gmane.ietf.sidr/6878>).  I see a couple of
> reasons to do this:
> 
>  *  If/when additional weaknesses are found in SHA-1, 3rd party
>     cryptographic libraries that implement SHA-1 may become hard to
>     find.
> 
>  *  If/when a serious weakness is found in SHA-1, someone might be
>     able to exploit the weakness to attack some aspect of RPKI/BGPsec.
> 
> Thinking about the latter, I believe there is a not-entirely-implausible
> attack that might justify a change:
> 
>  1. An attacker uses a weakness in SHA-1 to generate a large number of
>     BGPsec router certificates for an AS, where each certificate has a
>     different key but the same SKI.
> 
>  2. The attacker uses one of those certificates to generate a
>     signature segment in the BGPsec_Path attribute, and sends the
>     BGPsec Update message to a peer.
> 
>  3. The peer starts the process of validating the signature segment
>     generated by the attacker.  Due to the numerous keys with the same
>     SKI, the peer is forced to test each of the attacker's keys one by
>     one until a match is found.  This could take a considerable amount
>     of time.
> 
>  4. While it is validating the signature, the peer processes all
>     Update messages as if they were unsigned because there is not
>     enough CPU available at the moment.  The attacker has succeeded in
>     (temporarily) disabling BGPsec.
> 
> One way to block the above attack is to use a stronger hash function
> (e.g., SHA-256) for the SKI.  Unfortunately, because the SKI extension
> doesn't have an algorithm identifier field, there's no way to switch
> without a flag day.
> 
> We could make a proactive change now while deployment is low, but it
> would still be unpleasant.
> 
> An alternative idea suggested by Matt Lepinski is to prohibit router
> certificate SKI collisions within an AS if the keys differ.  In other
> words, if there are two valid BGPsec router certs in the same AS with
> different keys but the same SKI, then RPs MUST mark them both as
> invalid.  Thanks to the RFC3779 checks, it would not be possible for
> someone in a different AS to invalidate your certs even if a weakness in
> SHA-1 was discovered.
> 
> So I propose we add something like the following to the end of Section 3
> in draft-ietf-sidr-bgpsec-pki-profiles:
> 
>    o To prevent denial-of-service attacks against RPs, Subject Key
>      Identifier collisions within an AS are not permitted.  Any
>      BGPsec Router Certificate that:
>        *  references the same AS number in the Autonomous System
>           Identifier Delegation extension,
>        *  has a different key, and
>        *  has the same value in the Subject Key Identifier extension
>      as another otherwise valid certificate MUST NOT be considered
>      valid.
> 
> We may also want to add something to rfc6487bis to invalidate a
> certificate if its SKI matches an ancestor (and the key differs), though
> I can't think of a way to take advantage of such a collision at the moment.
> 
> Thoughts?
> 
> Thanks,
> Richard

I’m all for switching to using a better hash algorithm to avoid collisions, but why can’t we just do it anytime we want?  The SKI/AKI fields are only ever generated by a CA so the RPs don’t need to know the algorithm used.

What I am/was suggesting we do is make the following change in Section 4.8.2/3 to RFC 6487:

OLD:

  The Key Identifier used for resource certificates is the 160-bit
  SHA-1 hash of the value of the DER-encoded ASN.1 bit string of the
  Subject Public Key, as described in Section 4.2.1.1/2 of [RFC5280].

NEW:

  The Key Identifier used for resource certificates is the 160-bit
  SHA-256 hash of the value of the DER-encoded ASN.1 bit string of the
  Subject Public Key, as described in Section 2 of [RFC7093].

As far as you tweaks to the bgpsec-pki-profile draft, if we can do these checks without calculating the AKI/SKI values I’m all for this [0], but I guess I’m curious why collisions outside the AS would be allowed? Shouldn’t it be:

  To prevent denial-of-service attacks against RPs, Subject Key
  Identifier collisions are not permitted.  Any BGPsec Router
  Certificate that:
       *  references the same AS number in the Autonomous System
          Identifier Delegation extension,
       *  has a different key, and
       *  has the same value in the Subject Key Identifier extension
          as another otherwise valid certificate MUST NOT be
          considered valid.

spt

[0] Full disclosure: I co-authored RFC 7093 "Additional Methods for Generating Key Identifiers Values”.

v2.39.1 | Report a Bug | By Email | System Status