Re: [sidr] preventing SKI collisions
Sean Turner <turners@ieca.com> Thu, 06 August 2015 23:52 UTC
Return-Path: <turners@ieca.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B1A81B3D5E for <sidr@ietfa.amsl.com>; Thu, 6 Aug 2015 16:52:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hNvlkQaBoNLE for <sidr@ietfa.amsl.com>; Thu, 6 Aug 2015 16:52:15 -0700 (PDT)
Received: from gateway32.websitewelcome.com (gateway32.websitewelcome.com [192.185.145.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 049801ACEAE for <sidr@ietf.org>; Thu, 6 Aug 2015 16:52:15 -0700 (PDT)
Received: by gateway32.websitewelcome.com (Postfix, from userid 500) id 5D5DCC699555B; Thu, 6 Aug 2015 18:52:14 -0500 (CDT)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway32.websitewelcome.com (Postfix) with ESMTP id 497C9C699552D for <sidr@ietf.org>; Thu, 6 Aug 2015 18:52:14 -0500 (CDT)
Received: from [96.231.221.219] (port=61497 helo=[172.16.0.112]) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.85) (envelope-from <turners@ieca.com>) id 1ZNUxJ-000VWB-FQ; Thu, 06 Aug 2015 18:52:13 -0500
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <turners@ieca.com>
In-Reply-To: <555F436F.3080003@bbn.com>
Date: Thu, 06 Aug 2015 19:52:11 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <2BF75857-6A5F-4260-B13B-0B9F6CE3FD98@ieca.com>
References: <555F436F.3080003@bbn.com>
To: Richard Hansen <rhansen@bbn.com>
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 96.231.221.219
X-Exim-ID: 1ZNUxJ-000VWB-FQ
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([172.16.0.112]) [96.231.221.219]:61497
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 2
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/Fv2IXnjHdu_yM11tP9Ie0ZIpv8g>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] preventing SKI collisions
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2015 23:52:17 -0000
On May 22, 2015, at 10:55, Richard Hansen <rhansen@bbn.com> wrote: > Hi all, > > A while back Sean Turner raised the idea of switching to SHA-256 for the > Subject Key Identifier while discussing rfc6487bis (see > <http://article.gmane.org/gmane.ietf.sidr/6878>). I see a couple of > reasons to do this: > > * If/when additional weaknesses are found in SHA-1, 3rd party > cryptographic libraries that implement SHA-1 may become hard to > find. > > * If/when a serious weakness is found in SHA-1, someone might be > able to exploit the weakness to attack some aspect of RPKI/BGPsec. > > Thinking about the latter, I believe there is a not-entirely-implausible > attack that might justify a change: > > 1. An attacker uses a weakness in SHA-1 to generate a large number of > BGPsec router certificates for an AS, where each certificate has a > different key but the same SKI. > > 2. The attacker uses one of those certificates to generate a > signature segment in the BGPsec_Path attribute, and sends the > BGPsec Update message to a peer. > > 3. The peer starts the process of validating the signature segment > generated by the attacker. Due to the numerous keys with the same > SKI, the peer is forced to test each of the attacker's keys one by > one until a match is found. This could take a considerable amount > of time. > > 4. While it is validating the signature, the peer processes all > Update messages as if they were unsigned because there is not > enough CPU available at the moment. The attacker has succeeded in > (temporarily) disabling BGPsec. > > One way to block the above attack is to use a stronger hash function > (e.g., SHA-256) for the SKI. Unfortunately, because the SKI extension > doesn't have an algorithm identifier field, there's no way to switch > without a flag day. > > We could make a proactive change now while deployment is low, but it > would still be unpleasant. > > An alternative idea suggested by Matt Lepinski is to prohibit router > certificate SKI collisions within an AS if the keys differ. In other > words, if there are two valid BGPsec router certs in the same AS with > different keys but the same SKI, then RPs MUST mark them both as > invalid. Thanks to the RFC3779 checks, it would not be possible for > someone in a different AS to invalidate your certs even if a weakness in > SHA-1 was discovered. > > So I propose we add something like the following to the end of Section 3 > in draft-ietf-sidr-bgpsec-pki-profiles: > > o To prevent denial-of-service attacks against RPs, Subject Key > Identifier collisions within an AS are not permitted. Any > BGPsec Router Certificate that: > * references the same AS number in the Autonomous System > Identifier Delegation extension, > * has a different key, and > * has the same value in the Subject Key Identifier extension > as another otherwise valid certificate MUST NOT be considered > valid. > > We may also want to add something to rfc6487bis to invalidate a > certificate if its SKI matches an ancestor (and the key differs), though > I can't think of a way to take advantage of such a collision at the moment. > > Thoughts? > > Thanks, > Richard I’m all for switching to using a better hash algorithm to avoid collisions, but why can’t we just do it anytime we want? The SKI/AKI fields are only ever generated by a CA so the RPs don’t need to know the algorithm used. What I am/was suggesting we do is make the following change in Section 4.8.2/3 to RFC 6487: OLD: The Key Identifier used for resource certificates is the 160-bit SHA-1 hash of the value of the DER-encoded ASN.1 bit string of the Subject Public Key, as described in Section 4.2.1.1/2 of [RFC5280]. NEW: The Key Identifier used for resource certificates is the 160-bit SHA-256 hash of the value of the DER-encoded ASN.1 bit string of the Subject Public Key, as described in Section 2 of [RFC7093]. As far as you tweaks to the bgpsec-pki-profile draft, if we can do these checks without calculating the AKI/SKI values I’m all for this [0], but I guess I’m curious why collisions outside the AS would be allowed? Shouldn’t it be: To prevent denial-of-service attacks against RPs, Subject Key Identifier collisions are not permitted. Any BGPsec Router Certificate that: * references the same AS number in the Autonomous System Identifier Delegation extension, * has a different key, and * has the same value in the Subject Key Identifier extension as another otherwise valid certificate MUST NOT be considered valid. spt [0] Full disclosure: I co-authored RFC 7093 "Additional Methods for Generating Key Identifiers Values”.
- [sidr] preventing SKI collisions Richard Hansen
- Re: [sidr] preventing SKI collisions Stephen Kent
- Re: [sidr] preventing SKI collisions Sean Turner
- Re: [sidr] preventing SKI collisions George Michaelson
- Re: [sidr] preventing SKI collisions Richard Hansen
- Re: [sidr] preventing SKI collisions Tim Bruijnzeels
- Re: [sidr] preventing SKI collisions Randy Bush
- Re: [sidr] preventing SKI collisions Tim Bruijnzeels
- Re: [sidr] preventing SKI collisions Richard Hansen
- Re: [sidr] preventing SKI collisions Sean Turner
- Re: [sidr] preventing SKI collisions Sean Turner
- Re: [sidr] preventing SKI collisions Richard Hansen
- Re: [sidr] preventing SKI collisions Stephen Kent
- Re: [sidr] preventing SKI collisions Richard Hansen
- Re: [sidr] preventing SKI collisions Stephen Kent
- Re: [sidr] preventing SKI collisions Tim Bruijnzeels
- Re: [sidr] preventing SKI collisions Sean Turner
- Re: [sidr] preventing SKI collisions Russ Housley
- Re: [sidr] preventing SKI collisions David Mandelberg
- Re: [sidr] preventing SKI collisions Sandra Murphy
- Re: [sidr] preventing SKI collisions Sean Turner
- Re: [sidr] preventing SKI collisions Randy Bush
- Re: [sidr] preventing SKI collisions Rob Austein