IETF Logo Mail Archive

Re: [Drip] Secdir last call review of draft-ietf-drip-arch-22

Valery Smyslov <valery@smyslov.net> Thu, 12 May 2022 13:37 UTC

Return-Path: <valery@smyslov.net>
X-Original-To: tm-rid@ietfa.amsl.com
Delivered-To: tm-rid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 684BDC157B52; Thu, 12 May 2022 06:37:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=smyslov.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5rMZgxljcJSY; Thu, 12 May 2022 06:37:43 -0700 (PDT)
Received: from direct.host-care.com (direct.host-care.com [198.136.54.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA9CCC14F736; Thu, 12 May 2022 06:37:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=smyslov.net ; s=default; h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To: References:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=3oC1qT9er90C0Vg5f7hBKOE4qYSju5uRet9O+foGfCc=; b=INTC19+UOaepGEyNFzOHWQH4Dh vRBgijWKZTDQ2eKa8cU+HBX4vU98KVgWCOsFItCXNip5QzTpp0BtC+2AwWeDPsJHWaE0MICmNrkST v4jm5SzGRmYGziQsWmCVkTiH2HZeP0C+fbaDwtVoNb3s7um+QRd8ENvdRmyBTvJI57g+9nXowbxeT 0OPJPEQMXGk7G2b97AL4gZd9OZwEHBx/9+hGM+lIJIvQTXD9rUOeHlBa+7cmCsuagX8iLi9BEEETq TagAy4oSupXl4zZEsWBBaaxdtY8IWA7ltoIXH0WnEKlhMsYbJGUkJnHJv6UbKec4nf4wKZtiebwpn N1+944BA==;
Received: from [93.188.44.204] (port=52524 helo=buildpc) by direct.host-care.com with esmtpsa (TLS1.2) tls TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <valery@smyslov.net>) id 1np90b-0004zW-0Z; Thu, 12 May 2022 09:37:37 -0400
From: Valery Smyslov <valery@smyslov.net>
To: 'shuai zhao' <shuai.zhao@ieee.org>, "'Stuart W. Card'" <stu.card@axenterprize.com>, 'Robert Moskowitz' <rgm@htt-consult.com>
Cc: draft-ietf-drip-arch.all@ietf.org, last-call@ietf.org, tm-rid@ietf.org, secdir@ietf.org
References: <164864828914.19999.4038160950945043224@ietfa.amsl.com> <PH0PR17MB5728869B4521B619367A133AF4CB9@PH0PR17MB5728.namprd17.prod.outlook.com>
In-Reply-To: <PH0PR17MB5728869B4521B619367A133AF4CB9@PH0PR17MB5728.namprd17.prod.outlook.com>
Date: Thu, 12 May 2022 16:37:36 +0300
Message-ID: <316c01d86605$738d9d80$5aa8d880$@smyslov.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_316D_01D8661E.98DD94A0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHAkWuyxQUkzf87mu+hlPYoCbOlNwHqI8oqrTuPzbA=
Content-Language: ru
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - direct.host-care.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - smyslov.net
X-Get-Message-Sender-Via: direct.host-care.com: authenticated_id: valery@smyslov.net
X-Authenticated-Sender: direct.host-care.com: valery@smyslov.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/aEQPyjMrQ_DypDPfR9Pp-_N51ww>
Subject: Re: [Drip] Secdir last call review of draft-ietf-drip-arch-22
X-BeenThere: tm-rid@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Drone Remote Identification Protocol <tm-rid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tm-rid/>
List-Post: <mailto:tm-rid@ietf.org>
List-Help: <mailto:tm-rid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2022 13:37:47 -0000

Hi Shuai,

 

From: shuai zhao [mailto:shuai.zhao@ieee.org] 
Sent: Thursday, May 12, 2022 3:11 AM
To: Valery Smyslov; Stuart W. Card; Robert Moskowitz
Cc: draft-ietf-drip-arch.all@ietf.org; last-call@ietf.org; tm-rid@ietf.org; secdir@ietf.org
Subject: Re: Secdir last call review of draft-ietf-drip-arch-22

 

Hi Valery, 

 

We have this  <https://github.com/ietf-wg-drip/draft-ietf-drip-arch/issues/40> Github issue tracker for your comments. Please see
our response below.  

 

          thanks for the github reference. Please see my comments inline.

 

From: Valery Smyslov via Datatracker <noreply@ietf.org>
Date: Wednesday, March 30, 2022 at 6:51 AM
To: secdir@ietf.org <secdir@ietf.org>
Cc: draft-ietf-drip-arch.all@ietf.org <draft-ietf-drip-arch.all@ietf.org>, last-call@ietf.org <last-call@ietf.org>, tm-rid@ietf.org
<tm-rid@ietf.org>
Subject: Secdir last call review of draft-ietf-drip-arch-22

Reviewer: Valery Smyslov
Review result: Has Issues

The topic of the draft is complex and involves many fields which I'm not expert
of. The overall architecture looks secure, however it's difficult for me to
analyse all the details. Nevertheless, it seems to me that there are some
security issues with the draft.

1. Section 3.2

   A UA equipped for Broadcast RID SHOULD be provisioned not only with
   its HHIT but also with the HI public key from which the HHIT was
   derived and the corresponding private key, to enable message
   signature.  A UAS equipped for Network RID SHOULD be provisioned
   likewise; the private key resides only in the ultimate source of
   Network RID messages (i.e., on the UA itself if the GCS is merely
   relaying rather than sourcing Network RID messages).  Each Observer
   device SHOULD be provisioned either with public keys of the DRIP
   identifier root registries or certificates for subordinate
   registries.


I wonder why SHOULDs are used here and not MUSTs. In which cases it's OK not to
equip e.g. UAs with private keys and how they will perform digital signatures
in this case? Am I missing something?

Shuai/ Solution: change first SHOULD to MUST in section 3.2

          Fine.


2. It is not clear for me how revocation is done in case the private key of UA
is compromised. While the Security considerations section states that
revocation procedures are yet to be determined, I think that some text about
the directions in which they are planned to be determined should be present.

Bob/ Since these are raw keys, revocation is not directly possible. The drip-registry draft may evolve various methodologies for
providing

revocation information. At this writing, we would be really speculating. Perhaps, black-holing in DNS; if a DET has been revoked, a

DNSSEC protected response on looking up the DET would say so. We might be able to include this as an example for revocation, but
only an

example at this point.

Shuai/ Nothing to be updated.

          OK, I understand that it's premature to talk about concrete revocations methods.


3. Section 9.

   The size of the public key hash in the HHIT is also of concern.  It
   is well within current server array technology to compute another key
   pair that hashes to the same HHIT.

If I understand the draft correctly, the size of public key hash is 20 or 19
octets (Section 3.1).

Bob/ The architecture document does not detail the format of an HHIT.

It turns out that in draft-ietf-drip-rid, the hash size is 64 bits so this attack is real and details about it are in the Security
Considerations

of that draft. Perhaps say: 

The size of the public key hash in the HHIT (64 bits) is also of concern

Finding another key pair that hashes to the same hash
requires second preimage attack, which must take in this case 2^160 or 2^152.
In my understanding of the state-of-art, it's still beyond possibilities of
current computers. Am I missing something?

Bob/ Unfortunately you have to see: draft-ietf-drip-rid-17 sec 10.

[Med] The initial point was to record the potential security consideration that should be further examined in the solution spec. 

I'm not convinced we need to call out solution-specific details (e.g., 64 bits) here or call out ietf-drip-rid.

             I still think that the current text is confusing: it states
          that the size of public key hash in the HHIT allows
          to find second preimage without any hint on what the size is or can be.

          I think that a way to eliminate this confusion without mentioning a concrete value would be to modify the text 
          that *if* the size of public key hash in the HHIT is chosen not large enough by solution spec, 
          then it may be possible to find second preimage and so on.
          

4. The Security Considerations section is silent about possible impact of
Cryptographically Relevant Quantum Computers. While it's not clear whether such
computers will be ever build, the proposed architecture looks fragile with
respect to them. First, from my understanding the architecture, private/public
key pairs in UA are relatively long-lived and difficult to update. This gives
an attacker plenty of time to break them and once they are broken, enough time
to exploit. Second, the impact of breaking can be substantial due to the nature
of UA (a potentially dangerous object). Third, while many protocols involved in
this architecture can be upgraded with quantum safe cryptographic primitives,
it seems to me that for some pieces it will be really challenging (e.g. the
draft discusses limitations on payload size for Bluetooth, which will be more
severe with PQ cryptography with much larger keys and signatures). I think this
issue must be addressed somehow, at least mentioned.

Bob/ Intentionally so. We could get lost in the weeds. We are extremely
size and computing constrained and current QSC is just not providing
solutions. IF such a crypto suite is invented, it can be slotted in, as
we have designed for crypto-agility. Also, we do not spell it out, but
we do say that a DET may be used for only a single 'operation' (flight
to us non-UAS operators). Thus a concerned implementor could use a
fresh DET, making the exposure for only the duration of the operation.
We do not spell this out, as there are other operational reasons for a
UAS operator to constantly change DETs.

Suggests adding the following text to Section 8 Security Considerations

8.1 Post Quantum Computing out of scope
There has been no effort, at this time, to address post quantum
computing cryptography. UAs and Broadcast Remote ID communications
are so constrained that current post quantum computing cryptography
is not applicable. Plus since a UA may use a unique HHIT for each
operation, the attack window could be limited to the duration of the
operation.

Finally, as the HHIT contains the ID for the cryptographic suite used
in its creation, a future post quantum computing safe algorithm that
fits the Remote ID constraints may readily be added.

 

          Works for me, thank you.


5. While an example when one UA physically steals UAS RID sender of another UA
is clever, I think that such scenarios (physical security) are not in scope of
IETF work. I believe that many others similar schemes can be invented, so I
suggest to discuss physical security in a separate subsection of Section 9.

 

Bob/ Proposed Text below:

9.1 Private key physical security

The security provided by asymmetric cryptographic techniques depends

upon protection of the private keys. It may be necessary for the GCS

to have the key pair to register the HHIT to the USS. Thus it may be

the GCS that generates the key pair and delivers it to the UA, making

the GCS a part of the key security boundary. Leakage of the private

key either from the UA or GCS to the component manufacturer is a

valid concern and steps need to be in place to ensure safe keeping of

the private key.

 

Since it is possible for the UAS RID sender of a small harmless UA (or the entire UA)

to be carried by a larger dangerous UA as a "false flag", it is out of scope to deal

wtih secure store for the private key.

          Fine, thank you.



Not related to security:

Section 3.2:

   A self-attestation of a HHIT used as a UAS ID can be done in as
   little as 84 bytes when Ed25519 [RFC8032] is used, by avoiding an
   explicit encoding technology like ASN.1 or Concise Binary Object
   Representation (CBOR [RFC8949]).  This attestation consists of only
   the HHIT, a timestamp, and the EdDSA signature on them.

If no encoding is used then how extensibility is achieved?

Bob: Extensibility is in the HHIT which includes the Suite ID (Ed25519/cSHAKE

here). A different HHIT Suite ID will result in a differently

structured self-attestation. None exist right now, so no attempt is

made to consider what other results would look like.

 

          Understood.


I also wonder how algorithm agility property is achieved for broadcast RID
messages.

 

Bob: As above the HHIT includes the Suite ID. Note that the HHIT is an

extension of the HIT in rfc7401 that also provided algorithm agility

through the included Suite ID.

Out of scope. Nothing to do here....

          OK.

          Regards,
          Valery.

v2.23.0 | Report a Bug | By Email