Cryptographically Generated IPv6 Addresses (CGA)

SLIDE 1

56th IETF, San Francisco, draft-aura-cga-00

Cryptographically Generated IPv6 Addresses (CGA)

  • Basic idea:
      Interface Id = hash (Public Key)
      The public key is used to authenticate messages sent from the CGA address.
      → Proof of address ownership without security infrastructure.

  • Prior work:
      draft-roe-mobileip-updateauth, draft-montenegro-sucv, draft-nikander-ipng-pbk-addresses, draft-moskowitz-hip

  • Covered by IPR

SLIDE 2

Problems

  • 64 bit limit for hash length
      → eventual failure because of Moore's law
      → pre-computation attacks (2^64 memory)

  • Detailed formats and algorithms missing

  • Drafts incompatible with each other and with standard authentication protocols

SLIDE 3

draft-aura-cga-00

  • Fully specified address formats and address-generation and verification algorithms

  • The 64-bit limit effectively removed:
      • security parameter (Sec)
          → cost of generating an address multiplied by 2^(12*Sec)
          → cost of attacks increased from ~2^62 to 2^(59+12*Sec)
          → cost of authentication remains constant

  • CGA address indicated by g=1, u=1 (not essential but allows mixing of authenticated and unauthenticated nodes)

SLIDE 4

CGA Address Format

Address = Routing Prefix | Interface Id (64 bits)

Interface Id = Security Parameter (Sec), 3 bits | 59 hash bits from Hash1, with ug=11

Hash1 = h (Public Key, Modifier, Routing Prefix, Collision Count)

SLIDE 5

CGA Address Format

New requirement: Modifier must be chosen so that Hash2 begins with 12*Sec zero bits.

Hash2 = h (Public Key, Modifier)

SLIDE 6

Two CGA Parameter Formats

  • 1. Certificate format:
      • Public key and parameters stored in a self-signed X.509 certificate
          → Easy to use in certificate-based authentication protocols
      • New certificate extension contains the parameters: Modifier, Routing Prefix, Collision Count

  • 2. Optimized (short) format:
      • Concatenation of the public key and parameters
      • Public key + 29 bytes

  • Verifier needs: signed message (e.g. NA), source IP address, and parameters in either format
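
A sketch of the address generation and verification described on slides 3 to 6, added here as an example and not taken from draft-aura-cga-00. It assumes SHA-1 for h, plain concatenation of the hash inputs, a 16-byte modifier found by counting up from zero, and Sec in the top three bits of the interface identifier with u and g as the low two bits of its first byte; the key bytes and prefix are constructed sample values.

```python
import hashlib

PUBKEY = b"constructed sample public key bytes"  # constructed, not a real key
PREFIX = bytes.fromhex("20010db800000001")       # constructed 64-bit routing prefix

def h(*parts):
    """Assumed hash: SHA-1 over the plain concatenation of the inputs."""
    return hashlib.sha1(b"".join(parts)).digest()

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def interface_id(hash1, sec):
    """Assumed layout: 3 Sec bits, 59 Hash1 bits, u=g=1 in the first byte."""
    iid = bytearray(hash1[:8])
    iid[0] = (sec << 5) | (iid[0] & 0x1C) | 0x03
    return bytes(iid)

def generate(pubkey, prefix, sec, collision_count=0):
    """Search for a modifier whose Hash2 begins with 12*Sec zero bits."""
    counter = 0
    while True:  # expected about 2^(12*Sec) iterations
        modifier = counter.to_bytes(16, "big")
        if leading_zero_bits(h(pubkey, modifier)) >= 12 * sec:
            break
        counter += 1
    hash1 = h(pubkey, modifier, prefix, bytes([collision_count]))
    return prefix + interface_id(hash1, sec), modifier

def verify(address, pubkey, modifier, collision_count=0):
    """One Hash2 and one Hash1 computation, whatever the value of Sec.
    The signature on the message must still be checked with pubkey."""
    if len(address) != 16:
        return False
    prefix, iid = address[:8], address[8:]
    sec = iid[0] >> 5
    if iid[0] & 0x03 != 0x03:
        return False  # not marked as a CGA (u=g=1)
    if leading_zero_bits(h(pubkey, modifier)) < 12 * sec:
        return False  # modifier does not meet the Sec work requirement
    hash1 = h(pubkey, modifier, prefix, bytes([collision_count]))
    return interface_id(hash1, sec) == iid

if __name__ == "__main__":
    addr, mod = generate(PUBKEY, PREFIX, sec=1)
    print(addr.hex(), mod.hex(), verify(addr, PUBKEY, mod))
```

With Sec=1 the modifier search takes about 4096 hash computations; each increment of Sec multiplies that by 2^12 while verify() stays at two hashes.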