[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RRG] On "jack-down" models



% This has obvious security implications which will, in effect, require a % security association between hosts. That security association effectively % requires some security token ... so that the correspondent host can be assured
% that the component connections are indeed related.

It is unclear to me that one needs to have a cryptographic security
association in all cases, or indeed even in common deployments.

For example, an unpredictable nonce present in control traffic ... In such a model, the nonce would be the "security token", but it would not be derived from any session key, from any public/private key, or from any public/private key pair).

Alternatively, as a middle ground between a public key and a simple token would be various techniques based on reverse hash chains and other similar methods. TESLA-like, if you will. LHIP is one option in that space.

% This security token is, for all intents and purposes, a host identifier.
% ...

It isn't obvious to me that the claim above is necessarily true.
Using the example of a nonce, the nonce might be very short-lived
(e.g. for the duration of a single IP session or flow) and hence
not be suitable for use as a node identifier.

I agree.

HIP makes the identity of a node a function of the public key of the node. A corollary to that practice seems to be that if a node's public key were compromised, and in my experience all cryptographic keys are eventually
compromised, then the node necessarily would lose its identity.

That is how the HIP architecture has been written today.

However, there is some work on using separate node-level or application-level identifiers (still preferably but not necessarily public keys), separate from the HIP-layer HI, and then using (delegation) certificates to bind these identities to the HIs, with channel bindings. That work hasn't found its way to internet-drafts yet, though. (I know a few people have talked about writing IDs in that space, but I haven't seen any published yet. But maybe I've just missed that.)

So it seems distinctly undesirable (to me) for the identity of a node
to be derived (directly or indirectly) from any cryptographic key used
by that node.

Instead, I'd prefer to have the cryptographic keys used by a node
(if any) bound to the identity of the node using some other method.
One example might be some sort of X.509v3 (PKIX) certificate, but
other examples can be imagined.

But then you just shift the burden to the secrecy of the CA private key. That is, if all keys are eventually compromised, what do you do when the CA private key gets compromised? You have to reconfigure all hosts, I guess.

To me, it would be better to not to concentrate the trust too much. If (manual) reconfiguration is inevitable, it might pay off to make sure that a) its probability is minimised and b) when it happens, only a small fraction of all hosts are affected. Hence, maybe threshold certs at the top of the tree, or a forest instead of a single tree, or both?

--Pekka Nikander


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg