Thoughts on KeySec John Viega

Thoughts on KeySec
John Viega
Review of phases
• In Orlando, seemed to agree on .af phases:
Discovery (insecure)
Key Management
Authentication issues
• Where does the cipher suite get negotiated?
– … along with any other options
• Have to be very careful with message design
in authentication phase
• Authorization phase: no real handle on req’s
– To what degree are we specifying this, or is it for
• Proposed solution:
– Carefully design into authentication protocol.
Authentication issues
• What are the semantics for cipher suite
– If we both support A and B, and prefer different
algorithms, who wins? The initiator?
• Once we’ve authenticated a single time:
– We almost certainly want fast reconnects
– Can someone change algorithms on a fast reconnect?
• I think this should be possible.
• Should fast reconnects occur even if the box was out of
commission for 2 months (e.g., being repaired)
Fast reconnects
• Initial authentication decisions usually made
with help of some authority (e.g., PKI, Radius
• Authority’s endorsement is good for some
period of validity
• Once mutual identities are established, two
parties generally share a symmetric key
• We can keep using this key until it’s lifetime
ends, and can leverage it to choose a
replacement before that happens
Authentication issues
• When *shouldn’t* we use a fast reconnect?
• Authorization can still occur after a fast
• Only time we can’t do a fast reconnect is
when bootstrapping a connection for the first
• In the two-party case, we can leave it
– SNMP, enter into console, or whatever the vendor
– This way, very lightweight and easier to make robust
• Central management is an issue here
We should not use EAP
• Even w/o methods, EAP is large and complex
Will implementations really be robust?
How often will there be a failure?
Is this a DoS risk?
No one could ever put this in hardware
• EAP is designed for a different environment
– Designed for dial-up to modem pool
– Popular methods fail on shared media (prone to
– Even today, the slant is customer interfacing
– “customer interfacing” vs. infrastructure ports
More EAP issues
• “pass-through” model is not ideal
– EAP effectively has both parties auth to AAA server
– Hardware should directly auth with HELP from AAA
• Does not support dual pass-through (switchto-switch case)
– Realistic, but will generally both backend to same
– No support for trusted third parties, either!
• It makes key management decisions for us
– An artifact of an ad hoc design
– Ensuring conformance will add complexity
AAA servers
• Do we care about specifying pass-through?
• Let a vendor worry about it if they really
want it
• Trusted-third party model is more useful
• “TTP, I am A and I want to connect to B.
Give me a key for it.”
• B doesn’t even need to talk to the TTP to
determine the key A got, just A’s identity
Some authentication recommendations
• Keep it simple
– No EAP
– No pluggable methods
– Leverage the mandatory cipher suite
• We should only support “fast reconnect”
• It may be useful to support a TTP protocol for
centralized management
Towards a protocol
• Many ways to do fast reconnects
– Just pick up the old connection where you left off
– Use the old key to create a new key, and replace the
old key
– Use one key long-term, just to generate transient
• Third solution makes key management much,
much easier
• A and B share S (long-term secret)
• A and B each maintain two counters
– Last key ID set by A, last key ID set by B (nonces)
• A can say, “if this is successful, I’d like to
change our long-term key”
– Necessary but hopefully rare key-lifetime issue
– Call additional information O
– What else should go in here?
• Cipher suite?
Partial protocol
A sends identities of A& B, key ID and GCM(A&B, O)
A increments key ID
B validates the MAC
B ensures key ID of A is higher than the previous
(successful) key ID of A
• B uses specified key to generate authentication
– Key for authorization discussion
– Key for use in .ae
• B Beginning authorization signals valid
• Might need to finish cipher-suite negotiation here.
• What happens if an attacker doesn’t allow B
to respond?
– A will eventually run out of nonces
– Fall-back to a challenge-response protocol
• If nonce is too low, B assumes it is randomly chosen
(though it could be a replay)
• B chooses his own random nonce of a particular form
• B GCM-encrypts a new key and the nonce value it had
stored. It authenticates A’s original packet as well.
• A validates the packet then tries to connect with new key.
• On failure, A discards new key.
• On success, A discards old key.
• B keeps old key until he is sure he and A agree on keys.
• What happens in race condition?
– Highest MAC address wins
Key Management, etc.
• Time to rekey?
– Redo the fast authentication protocol
• Need to choose a new random key?
– Reserve a low key ID that B will reject (e.g., zero)
– Use a trusted third party
– Have it be part of the “other” data