Comments (10)
emanjon
commented on August 17, 2024
Should the client and server endpoint shared secrets use the same Shared Key ID? Or should they use different?
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
gloinul
commented on August 17, 2024
Should the client and server endpoint shared secrets use the same Shared Key ID? Or should they use different?
I don't think with RFC 4895 and the SCTP-API for it in RFC 6458 that you can have per direction different keys while using only one key-ID. To my understanding one will have to deploy two shared keys from each DTLS connection, intending to use one Key-ID per direction. I think the easiest algorithm is to have the SCTP association use odd number key-ID as there active sending key, and even number as the SCTP association server sending direction. That should be compatible with these specs. However, final wording need to ensure that the roles are watertight in face of simultaneous open of the SCTP association.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
gloinul
commented on August 17, 2024
Actually the requirement is a bit different for this "Require that no more than 2^32 DATA chunks are sent over a single DTLS connection". I think to be secure the requirement is:
Senders MUST retire the shared key before 2^32 DATA chunks have been sent since the first SCTP-AUTH protected packet with that key, i.e. before the TSN turns over the shared key that was previously used must no longer be valid to be received when any TSN number protected by that key would be accepted by the SCTP receiver.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
emanjon
commented on August 17, 2024
Actually the requirement is a bit different for this "Require that no more than 2^32 DATA chunks are sent over a single DTLS connection". I think to be secure the requirement is:
Senders MUST retire the shared key before 2^32 DATA chunks have been sent since the first SCTP-AUTH protected packet with that key, i.e. before the TSN turns over the shared key that was previously used must no longer be valid to be received when any TSN number protected by that key would be accepted by the SCTP receiver.
I changed my original text quite a lot before reading this. The current formulation talks about TSN as there can also be I-DATA chunks. Can you check the new formulation?
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
emanjon
commented on August 17, 2024
DTLS/SCTP does not provide replay protection for authenticated control
chunks such as ERROR, RE-CONFIG, or SACK when sent in a SCTP packet
without DATA or I-DATA chunks. Such replay could disrupt the SCTP association
and could therefore be a denial-of-service attack. To prevent such attacks
on availability it is RECOMMENDED to send control chunks in SCTP packets that
also contains DATA or I-DATA chunks. Note that DATA or I-DATA chunks MAY contain
zero bytes of user data.
Is this good enough? Can we enforce something stronger? Could we mandate DATA chunks for everything except the init and shutdown chunks? Do implementations support sending DATA chunks with zero length? I know that some TLS implementations dont support sending records with zero length even if it is allowed by the spec.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
emanjon
commented on August 17, 2024
Thinking more, just placing control chunks in the same packet as DATA does not help. SCTP-AUTH of course just authenticates everything and then SCTP process all of the chunks. Failure in a DATA chunk would not invalidate the ERROR chunk. Such behaivior would be a new processing step.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
emanjon
commented on August 17, 2024
To protect control chunks a sequence number for AUTH chunks is needed. Could be a AUTH2 chunk or it could be a new HMAC algorithm for AUTH that puts the sequence number in the HMAC field. We should analyze the impact of replayed control chunks.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
emanjon
commented on August 17, 2024
Should the indexes be
- 1 and 2 so that 65535 is never used?
- 2 and 3 so that 1 is never used?
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
emanjon
commented on August 17, 2024
In addition to not being possible with the RFC 6458 API, directional keys are actually changing RFC 4895.
Receiving authenticated chunks
...
If the endpoint has at least one endpoint pair shared key for the peer,
it MUST use the key specified by the Shared Key Identifier if a key
has been configured for that Shared Key Identifier.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
gloinul
commented on August 17, 2024
Leaving issue open until we have had some discussion in the WG if this mitigation is sufficient. But the draft to be releasted (-05) will have text on this.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.
Related Issues (20)
- Define how the SCTP-AUTH keys are derived HOT 5
- Don't reuse the RFC 6803 exporter label HOT 1
- EC(DHE) -> (EC)DHE HOT 1
- Resumption performance HOT 3
- Cryptographic considerations is very long HOT 1
- How do you limit new connections HOT 1
- Mandatory mutual authentication HOT 3
- Use RFC 7525(bis) HOT 3
- Authenticating fallback to RFC 6083 HOT 6
- DTLS 1.3 Only
- Editorial alignment in style of the IANA sub sections needed HOT 1
- DTLS considerations need to be clear that AEAD limits MUST be handled by new connection
- DTLS Considerations for Handling of Endpoint Pair Shared Secrets HOT 5
- Clarify that COOKIE-ECHO and COOKIE-ACK are not authenticated
- Align terminology with RFC 9260 HOT 10
- Create DTLS/SCTP Control Message IANA registry
- Update solution properties description
- Add text on how SCTP restart works
- Overstated Security Properties
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from draft-westerlund-tsvwg-dtls-over-sctp-bis.