I do not have time to assess this claim. I would encourage the security ADs to do so.
On Fri, Feb 21, 2020 at 6:36 AM Miika Komu <[email protected]> wrote: > Hi Eric, > > so your original question was: > > "The concern is what's known as a "cross-protocol" attack. Is there > any situation in which there might be ambiguity about two message > types that are protected with the same key?" > > No ambiguity about the message types, because the messages between > relay client and relay server carry always either a RELAY_FROM or > RELAY_TO parameter (depending on direction) and this is covered by the > HMAC. > > In the rendezvous case, you have different FROM and VIA_RVS parameters, > also covered by HMACs. > > pe, 2020-02-21 kello 05:34 -0800, Eric Rescorla kirjoitti: > > Typically in security protocols we look for demonstrations of this. > > What is your argument for why it cannot? > > > > -Ekr > > > > > > On Fri, Feb 21, 2020 at 4:25 AM Miika Komu <[email protected]> > > wrote: > > > Hi, > > > > > > to, 2020-02-20 kello 08:58 -0800, Eric Rescorla kirjoitti: > > > > > > > > > > > > On Thu, Feb 20, 2020 at 7:38 AM Miika Komu < > > > [email protected]> > > > > wrote: > > > > > Hi Eric, > > > > > > > > > > to, 2020-02-20 kello 06:04 -0800, Eric Rescorla kirjoitti: > > > > > > > > > > > > > > > > > > On Wed, Feb 19, 2020 at 10:50 PM Miika Komu < > > > > > [email protected]> > > > > > > wrote: > > > > > > > Hi Eric, > > > > > > > > > > > > > > ke, 2020-02-19 kello 13:20 -0800, Eric Rescorla kirjoitti: > > > > > > > > > > > > S 5.8. > > > > > > > > > > > >> > > > > > > > > > > > >> 5.8. RELAY_HMAC Parameter > > > > > > > > > > > >> > > > > > > > > > > > >> As specified in Legacy ICE-HIP [RFC5770], > > > the > > > > > > > > > RELAY_HMAC > > > > > > > > > > > parameter > > > > > > > > > > > >> value has the TLV type 65520. It has the > > > same > > > > > > > > > semantics > > > > > > > > > > > as RVS_HMAC > > > > > > > > > > > >> [RFC8004]. > > > > > > > > > > > > > > > > > > > > > > > > What key is used for the HMAC? > > > > > > > > > > > > > > > > > > > > > > clarified this as follows: > > > > > > > > > > > > > > > > > > > > > > [..] It has the same semantics as RVS_HMAC as > > > specified > > > > > in > > > > > > > > > section > > > > > > > > > > > 4.2.1 > > > > > > > > > > > in [RFC8004]. Similarly as with RVS_HMAC, also > > > > > RELAY_HMAC > > > > > > > is > > > > > > > > > is > > > > > > > > > > > keyed > > > > > > > > > > > with the HIP integrity key (HIP-lg or HIP-gl as > > > > > specified > > > > > > > in > > > > > > > > > > > section 6.5 > > > > > > > > > > > in [RFC7401]), established during the relay > > > > > registration > > > > > > > > > procedure > > > > > > > > > > > as > > > > > > > > > > > described in Section 4.1. > > > > > > > > > > > > > > > > > > > > This seems like it might have potential for cross- > > > > > protocol > > > > > > > > > attacks on > > > > > > > > > > the key. Why > > > > > > > > > > is this OK> > > > > > > > > > > > > > > > > > > this is standard way of deriving keys in HIP. The > > > keying > > > > > > > procedure > > > > > > > > > is > > > > > > > > > the same as with specified in RFC8004. If there is some > > > > > attack > > > > > > > > > scenario, please describe it in detail? > > > > > > > > > Or is there some editorial issue here? > > > > > > > > > > > > > > > > I'm not sure. When I read this text it appears to say > > > that > > > > > you > > > > > > > should > > > > > > > > be using the same key for two kinds of messages. Is that > > > > > correct? > > > > > > > > > > > > > > the key is always specific to a Host Association, i.e., > > > unique > > > > > > > between > > > > > > > a Relay Client and a Relay Server. So if there is a > > > Rendezvous > > > > > > > server > > > > > > > (used with RVS_HMAC), this would be a different host and > > > > > different > > > > > > > Host > > > > > > > Association. If the same host provides both rendezvous and > > > > > relay > > > > > > > service, it should be fine to reuse the same key. > > > > > > > > > > > > Why is that OK? Generally we try not to do this. Do you have > > > a > > > > > proof > > > > > > that it is not possible to have one message mistaken for > > > another? > > > > > > > > > > so I assume we are talking about the (artificial) case where a > > > > > single > > > > > host provides both Relay and Rendezvous service, and is > > > > > communicating > > > > > with a single registered Client? It's the same control channel, > > > so > > > > > I > > > > > don't see any need to have different HMAC keys for different > > > > > messages > > > > > since it's still the same two hosts. Or maybe I misunderstood > > > your > > > > > scenario, so please elaborate? > > > > > > > > The concern is what's known as a "cross-protocol" attack. Is > > > there > > > > any situation in which there might be ambiguity about two message > > > > types that are protected with the same key? > > > > > > I don't see any case where this could occur. >
_______________________________________________ Hipsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/hipsec
