X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/blobdiff_plain/2fe58dfd10216a37f1ece081f926971882de112e..baa06aeb963965b4b6a8a8051ec15b72372080dd:/NOTES diff --git a/NOTES b/NOTES index 272e359..8e53ac7 100644 --- a/NOTES +++ b/NOTES @@ -1,9 +1,10 @@ -#* Design of new, multi-subnet secnet protocol +* Design of new, multi-subnet secnet protocol -Like the first version, we're tunnelling IP packets inside UDP -packets. To defeat various restrictions which may be imposed on us by -network providers (like the prohibition of incoming TCP connections) -we're sticking with UDP for everything this time, including key setup. +Like the first (1995/6) version, we're tunnelling IP packets inside +UDP packets. To defeat various restrictions which may be imposed on us +by network providers (like the prohibition of incoming TCP +connections) we're sticking with UDP for everything this time, +including key setup. Other new features include being able to deal with subnets hidden behind changing 'real' IP addresses, and the ability to choose @@ -21,62 +22,6 @@ convenient for every gateway machine to use the same name for each tunnel endpoint, but this is not vital. Individual tunnels are identified by their two endpoint names. - -The configuration is held in memory as a data structure as follows: - -The root is a Dictionary. Dictionaries hold (key,value) pairs. Keys -are atoms. Values are lists, dictionaries or closures. Lists can hold -the following types: string, number. - -Closures cannot be constructed directly; they are added to the -'default' dictionary before the configuration file is read. Invocation -of a closure can return any type of value. - - -Configuration file format: the file describes a dictionary. - -key value; - -value is item[,item...] - -item can be "string", number, path (looks up in dictionary), -{dictionary}, value(value), value{dictionary}. If item is a list it -is copied into the list - we can't have lists of lists. - -A path is [/]key[\[index\]][/key[\[index\]]...], defining a lookup -from the current dictionary (or parents) or the root. If a key refers -to a list of more than one item then an index number (base 0) in -square brackets can be used to specify the list item number. - -Items of the form value1(value2) invoke executable value1 with an -argument of value2. The return value can be a string or dictionary, -but not a list. (Invocation happens after the entire configuration -file has been read.) - -Items of the form value{dict} invoke executable value with an argument -of a single-element list, containing dict. It's just syntactic sugar -for value({dict}). - - -When a key is used (rather than defined) it is looked up in the -current dictionary, and if it isn't found it is looked up in the -(lexical) parent, until the root is reached. - - - - -What sorts of crypto-related things do we need to define? - -sources of randomness -block algorithms -block cipher modes? -hash functions -padding functions -public key signature algorithms -public key crypto key stores -key setup algorithms - - ** Protocols *** Protocol environment: @@ -132,14 +77,14 @@ is always fresh. Messages: -1) A->B: *,iA,msg1,A,B,nA +1) A->B: *,iA,msg1,A,B,protorange-A,nA -2) B->A: iA,iB,msg2,B,A,nB,nA +2) B->A: iA,iB,msg2,B,A,chosen-protocol,nB,nA (The order of B and A reverses in alternate messages so that the same code can be used to construct them...) -3) A->B: {iB,iA,msg3,A,B,nA,nB,g^x mod m}_PK_A^-1 +3) A->B: {iB,iA,msg3,A,B,protorange-A,chosen-protocol,nA,nB,g^x mod m}_PK_A^-1 If message 1 was a replay then A will not generate message 3, because it doesn't recognise nA. @@ -147,11 +92,18 @@ it doesn't recognise nA. If message 2 was from an attacker then B will not generate message 4, because it doesn't recognise nB. -4) B->A: {iA,iB,msg4,B,A,nB,nA,g^y mod m}_PK_B^-1 +If an attacker is trying to manipulate the chosen protocol, B can spot +this when it sees A's message 3. + +4) B->A: {iA,iB,msg4,B,A,protorange-B,chosen-protocol,nB,nA,g^y mod m}_PK_B^-1 At this point, A and B share a key, k. B must keep retransmitting message 4 until it receives a packet encrypted using key k. +A can abandon the exchange if the chosen protocol is not the one that +it would have chosen knowing the acceptable protocol ranges of A and +B. + 5) A: iB,iA,msg5,(ping/msg5)_k 6) B: iA,iB,msg6,(pong/msg6)_k @@ -172,6 +124,8 @@ retransmit or confirm reception. It is suggested that this message be sent when a key times out, or the tunnel is forcibly terminated for some reason. +XXX not yet implemented. + 8) i?,i?,NAK/msg8 If the link-layer can't work out what to do with a packet (session has @@ -186,8 +140,11 @@ The attacker can of course forge NAKs since they aren't protected. But if they can only forge packets then they won't be able to stop the ping/pong working. Trust in NAKs can be rate-limited... -Alternative idea: if you receive a packet you can't decode, because -there's no key established, then initiate key setup... +Alternative idea (which is actually implemented): if you receive a +packet you can't decode, because there's no key established, then +initiate key setup... + +Keepalives are probably a good idea. **** Protocol sub-goal 3: send a packet