IETF Logo Mail Archive

Re: [Drip] Secdir last call review of draft-ietf-drip-arch-22

"Card, Stu" <stu.card@axenterprize.com> Thu, 12 May 2022 15:32 UTC

Return-Path: <stu.card@axenterprize.com>
X-Original-To: tm-rid@ietfa.amsl.com
Delivered-To: tm-rid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D189AC159525 for <tm-rid@ietfa.amsl.com>; Thu, 12 May 2022 08:32:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=axenterprize.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZZ0ioJjquPMI for <tm-rid@ietfa.amsl.com>; Thu, 12 May 2022 08:32:08 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E037BC1594BB for <tm-rid@ietf.org>; Thu, 12 May 2022 08:32:08 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id z19so6703411edx.9 for <tm-rid@ietf.org>; Thu, 12 May 2022 08:32:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axenterprize.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1AlhOO4YsVqkKQo49m+cBqe7S8TTlGumPUis6rDJIq4=; b=D4kYxWCpk0NB7WMS4WQ1tmXqwGVF1HXKhhuaBQIZf0MCq09nyrZXQZ98Xvv6ToCELG A7MipZOw3XgFFhxmGolFJ+yxm8NApwHQgAL/14O3ngB3KDorEDLdIFLLS97M7zltZZOL OWuoByHAjD3Y1TVR3H3TdHftwhB/6lEyZ4+ow=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1AlhOO4YsVqkKQo49m+cBqe7S8TTlGumPUis6rDJIq4=; b=NXekSmX0SO6PxPk0migoiR6knVPQMSd4g6vgMboFzLPZjudjXYwo2uW4BPHgmGRA8L P5dzyhk27fZE9z1lf9ulYoJc6fYja9iMwKVj9pf2w3AfxJbLOTsRZvwCU/bzDAHvAKrV NGXXVd1cHjOmVEdZmQ2Q0AIz3C1obapghK30XLw4uy6+g4eks8DPtjxZjrsjMjTLvdYe 4tAG18URhsQiV95ThOHVw1+yclmbRrqDFF7uiSzVAmq8wz57enGrTAezIMVga8XQ9yFl LYQNfWtWzaqd2Lxd1c0RMWyQ8sYEIMu4rSylJtCjb2fwCv642i85Blk1y5HlRnSbyc7m RLtg==
X-Gm-Message-State: AOAM532UzHW39RVYDwx90vQFVKpBJk7xfLmmu9e7hfHTRmM4WKj94yjI nKVqEpkt4HomrsU0khwyPykPxzl3k3ZvwgWQb69WYg==
X-Google-Smtp-Source: ABdhPJyM/OHAyh3DtfrG+luQK3ZiTrvRdXAr6N9pGoy5L5k1rDE4mmTZrgwhfx0zE9SRnUWSDiy5PKHBJ0sTKdpO+78=
X-Received: by 2002:a05:6402:43c4:b0:41d:9403:8dca with SMTP id p4-20020a05640243c400b0041d94038dcamr35372161edc.184.1652369526582; Thu, 12 May 2022 08:32:06 -0700 (PDT)
MIME-Version: 1.0
References: <164864828914.19999.4038160950945043224@ietfa.amsl.com> <PH0PR17MB5728869B4521B619367A133AF4CB9@PH0PR17MB5728.namprd17.prod.outlook.com> <316c01d86605$738d9d80$5aa8d880$@smyslov.net>
In-Reply-To: <316c01d86605$738d9d80$5aa8d880$@smyslov.net>
From: "Card, Stu" <stu.card@axenterprize.com>
Date: Thu, 12 May 2022 11:31:53 -0400
Message-ID: <CAKM0pYNctCz=LxDWuMbqFH85ch5ES9NQxMG-+riKGL0gKH+chg@mail.gmail.com>
To: Valery Smyslov <valery@smyslov.net>
Cc: shuai zhao <shuai.zhao@ieee.org>, Robert Moskowitz <rgm@htt-consult.com>, draft-ietf-drip-arch.all@ietf.org, last-call@ietf.org, tm-rid@ietf.org, secdir@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ab910c05ded2421e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/s_gstX1m67PFTOXL5zxH4LH-K_Q>
Subject: Re: [Drip] Secdir last call review of draft-ietf-drip-arch-22
X-BeenThere: tm-rid@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Drone Remote Identification Protocol <tm-rid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tm-rid/>
List-Post: <mailto:tm-rid@ietf.org>
List-Help: <mailto:tm-rid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2022 15:32:12 -0000

My point in describing a large hostile UA carrying a small harmless UA as a
RID "false flag" was not to suggest that was in our threat model and that
we must somehow mitigate it, but quite the reverse.

As there is little we could do in IETF about such a threat, I was
describing it to discourage our getting too distracted with trying to
ensure private key material cannot be extracted. For example, we should not
require anti-tamper hardware protection of keymat when this simple false
flag attack would entirely circumvent the anti-tamper.

This is not meant to minimize potential threats associated with keymat
getting into the wrong hands, nor to suggest we should have e.g.
registration procedures that make it easy for keymat to leak or be stolen.
It is to highlight that, despite whatever precautions we advise, keymat
_will_ sometimes get into the wrong hands, so thinking about this intrinsic
vulnerability and considering defense in depth strategies are prudent.

Whatever change we make to the language should still make this point.

On Thu, May 12, 2022, 09:37 Valery Smyslov <valery@smyslov.net> wrote:

> Hi Shuai,
>
>
>
> *From:* shuai zhao [mailto:shuai.zhao@ieee.org]
> *Sent:* Thursday, May 12, 2022 3:11 AM
> *To:* Valery Smyslov; Stuart W. Card; Robert Moskowitz
> *Cc:* draft-ietf-drip-arch.all@ietf.org; last-call@ietf.org;
> tm-rid@ietf.org; secdir@ietf.org
> *Subject:* Re: Secdir last call review of draft-ietf-drip-arch-22
>
>
>
> Hi Valery,
>
>
>
> We have this Github issue tracker
> <https://github.com/ietf-wg-drip/draft-ietf-drip-arch/issues/40> for your
> comments. Please see our response below.
>
>
>
>           thanks for the github reference. Please see my comments inline.
>
>
>
> *From: *Valery Smyslov via Datatracker <noreply@ietf.org>
> *Date: *Wednesday, March 30, 2022 at 6:51 AM
> *To: *secdir@ietf.org <secdir@ietf.org>
> *Cc: *draft-ietf-drip-arch.all@ietf.org <draft-ietf-drip-arch.all@ietf.org>,
> last-call@ietf.org <last-call@ietf.org>, tm-rid@ietf.org <tm-rid@ietf.org>
> *Subject: *Secdir last call review of draft-ietf-drip-arch-22
>
> Reviewer: Valery Smyslov
> Review result: Has Issues
>
> The topic of the draft is complex and involves many fields which I'm not
> expert
> of. The overall architecture looks secure, however it's difficult for me to
> analyse all the details. Nevertheless, it seems to me that there are some
> security issues with the draft.
>
> 1. Section 3.2
>
>    A UA equipped for Broadcast RID SHOULD be provisioned not only with
>    its HHIT but also with the HI public key from which the HHIT was
>    derived and the corresponding private key, to enable message
>    signature.  A UAS equipped for Network RID SHOULD be provisioned
>    likewise; the private key resides only in the ultimate source of
>    Network RID messages (i.e., on the UA itself if the GCS is merely
>    relaying rather than sourcing Network RID messages).  Each Observer
>    device SHOULD be provisioned either with public keys of the DRIP
>    identifier root registries or certificates for subordinate
>    registries.
>
>
> I wonder why SHOULDs are used here and not MUSTs. In which cases it's OK
> not to
> equip e.g. UAs with private keys and how they will perform digital
> signatures
> in this case? Am I missing something?
>
> Shuai/ Solution: change first SHOULD to MUST in section 3.2
>
>           Fine.
>
>
> 2. It is not clear for me how revocation is done in case the private key
> of UA
> is compromised. While the Security considerations section states that
> revocation procedures are yet to be determined, I think that some text
> about
> the directions in which they are planned to be determined should be
> present.
>
> Bob/ Since these are raw keys, revocation is not directly possible. The
> drip-registry draft may evolve various methodologies for providing
>
> revocation information. At this writing, we would be really speculating.
> Perhaps, black-holing in DNS; if a DET has been revoked, a
>
> DNSSEC protected response on looking up the DET would say so. We might be
> able to include this as an example for revocation, but only an
>
> example at this point.
>
> Shuai/ Nothing to be updated.
>
>           OK, I understand that it’s premature to talk about concrete
> revocations methods.
>
>
> 3. Section 9.
>
>    The size of the public key hash in the HHIT is also of concern.  It
>    is well within current server array technology to compute another key
>    pair that hashes to the same HHIT.
>
> If I understand the draft correctly, the size of public key hash is 20 or
> 19
> octets (Section 3.1).
>
> Bob/ The architecture document does not detail the format of an HHIT.
>
> It turns out that in draft-ietf-drip-rid, the hash size is 64 bits so this
> attack is real and details about it are in the Security Considerations
>
> of that draft. Perhaps say:
>
> The size of the public key hash in the HHIT (64 bits) is also of concern
>
> Finding another key pair that hashes to the same hash
> requires second preimage attack, which must take in this case 2^160 or
> 2^152.
> In my understanding of the state-of-art, it's still beyond possibilities of
> current computers. Am I missing something?
>
> Bob/ Unfortunately you have to see: draft-ietf-drip-rid-17 sec 10.
>
> [Med] The initial point was to record the potential security consideration
> that should be further examined in the solution spec.
>
> I'm not convinced we need to call out solution-specific details (e.g., 64
> bits) here or call out ietf-drip-rid.
>
>              I still think that the current text is confusing: it states
>           that the size of public key hash in the HHIT allows
>           to find second preimage without any hint on what the size is or
> can be.
>
>           I think that a way to eliminate this confusion without
> mentioning a concrete value would be to modify the text
>           that **if** the size of public key hash in the HHIT is chosen
> not large enough by solution spec,
>           then it may be possible to find second preimage and so on.
>
>
> 4. The Security Considerations section is silent about possible impact of
> Cryptographically Relevant Quantum Computers. While it's not clear whether
> such
> computers will be ever build, the proposed architecture looks fragile with
> respect to them. First, from my understanding the architecture,
> private/public
> key pairs in UA are relatively long-lived and difficult to update. This
> gives
> an attacker plenty of time to break them and once they are broken, enough
> time
> to exploit. Second, the impact of breaking can be substantial due to the
> nature
> of UA (a potentially dangerous object). Third, while many protocols
> involved in
> this architecture can be upgraded with quantum safe cryptographic
> primitives,
> it seems to me that for some pieces it will be really challenging (e.g. the
> draft discusses limitations on payload size for Bluetooth, which will be
> more
> severe with PQ cryptography with much larger keys and signatures). I think
> this
> issue must be addressed somehow, at least mentioned.
>
> Bob/ Intentionally so. We could get lost in the weeds. We are extremely
> size and computing constrained and current QSC is just not providing
> solutions. IF such a crypto suite is invented, it can be slotted in, as
> we have designed for crypto-agility. Also, we do not spell it out, but
> we do say that a DET may be used for only a single 'operation' (flight
> to us non-UAS operators). Thus a concerned implementor could use a
> fresh DET, making the exposure for only the duration of the operation.
> We do not spell this out, as there are other operational reasons for a
> UAS operator to constantly change DETs.
>
> Suggests adding the following text to Section 8 Security Considerations
>
> 8.1 Post Quantum Computing out of scope
> There has been no effort, at this time, to address post quantum
> computing cryptography. UAs and Broadcast Remote ID communications
> are so constrained that current post quantum computing cryptography
> is not applicable. Plus since a UA may use a unique HHIT for each
> operation, the attack window could be limited to the duration of the
> operation.
>
> Finally, as the HHIT contains the ID for the cryptographic suite used
> in its creation, a future post quantum computing safe algorithm that
> fits the Remote ID constraints may readily be added.
>
>
>
>           Works for me, thank you.
>
>
> 5. While an example when one UA physically steals UAS RID sender of
> another UA
> is clever, I think that such scenarios (physical security) are not in
> scope of
> IETF work. I believe that many others similar schemes can be invented, so I
> suggest to discuss physical security in a separate subsection of Section 9.
>
>
>
> Bob/ Proposed Text below:
>
> 9.1 Private key physical security
>
> The security provided by asymmetric cryptographic techniques depends
>
> upon protection of the private keys. It may be necessary for the GCS
>
> to have the key pair to register the HHIT to the USS. Thus it may be
>
> the GCS that generates the key pair and delivers it to the UA, making
>
> the GCS a part of the key security boundary. Leakage of the private
>
> key either from the UA or GCS to the component manufacturer is a
>
> valid concern and steps need to be in place to ensure safe keeping of
>
> the private key.
>
>
>
> Since it is possible for the UAS RID sender of a small harmless UA (or the
> entire UA)
>
> to be carried by a larger dangerous UA as a "false flag", it is out of
> scope to deal
>
> wtih secure store for the private key.
>
>           Fine, thank you.
>
>
>
> Not related to security:
>
> Section 3.2:
>
>    A self-attestation of a HHIT used as a UAS ID can be done in as
>    little as 84 bytes when Ed25519 [RFC8032] is used, by avoiding an
>    explicit encoding technology like ASN.1 or Concise Binary Object
>    Representation (CBOR [RFC8949]).  This attestation consists of only
>    the HHIT, a timestamp, and the EdDSA signature on them.
>
> If no encoding is used then how extensibility is achieved?
>
> Bob: Extensibility is in the HHIT which includes the Suite ID
> (Ed25519/cSHAKE
>
> here). A different HHIT Suite ID will result in a differently
>
> structured self-attestation. None exist right now, so no attempt is
>
> made to consider what other results would look like.
>
>
>
>           Understood.
>
>
> I also wonder how algorithm agility property is achieved for broadcast RID
> messages.
>
>
>
> Bob: As above the HHIT includes the Suite ID. Note that the HHIT is an
>
> extension of the HIT in rfc7401 that also provided algorithm agility
>
> through the included Suite ID.
>
> Out of scope. Nothing to do here....
>
>           OK.
>
>           Regards,
>           Valery.
>
>
>
>

v2.23.0 | Report a Bug | By Email