Network Working Group K. Rose Internet-Draft J. Holland Intended status: Experimental Akamai Technologies, Inc. Expires: January 9, 2020 July 08, 2019 Asymmetric Loss-Tolerant Authentication draft-krose-mboned-alta-01 Abstract Establishing authenticity of a stream of datagrams in the presence of multiple receivers is naively achieved through the use of per-packet asymmetric digital signatures, but at high computational cost for both senders and receivers. Timed Efficient Stream Loss-Tolerant Authentication (TESLA) instead employs relatively cheap symmetric authentication, achieving asymmetry via time-delayed key disclosure, while adding latency to verification and imposing requirements on time synchronization between receivers and the sender to prevent forgery. This document introduces Asymmetric Loss-Tolerant Authentication (ALTA), which employs an acyclic graph of message authentication codes (MACs) transmitted alongside data payloads, with redundancy to enable authentication of all received payloads in the presence of certain patterns of loss, along with regularly paced digital signatures. ALTA requires no time synchronization and enables authentication of payloads as soon as sufficient authentication material has been received. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 9, 2020. Rose & Holland Expires January 9, 2020 [Page 1] Internet-Draft ALTA July 2019 Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 4. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 6 4.1. ALTA Payload . . . . . . . . . . . . . . . . . . . . . . 6 4.1.1. Authentication Tag . . . . . . . . . . . . . . . . . 7 4.2. Digital Signature . . . . . . . . . . . . . . . . . . . . 8 4.2.1. Application Data . . . . . . . . . . . . . . . . . . 8 4.3. Scheme Construction . . . . . . . . . . . . . . . . . . . 8 5. ALTA Configuration . . . . . . . . . . . . . . . . . . . . . 9 5.1. Performance Considerations . . . . . . . . . . . . . . . 9 5.1.1. MAC selection . . . . . . . . . . . . . . . . . . . . 9 5.1.2. Digital signature selection . . . . . . . . . . . . . 9 5.2. Out-of-band Metadata . . . . . . . . . . . . . . . . . . 9 6. Operational Considerations . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7.1. Parsing an ill-formed or inconsistent payload . . . . . . 9 7.2. Index overflow . . . . . . . . . . . . . . . . . . . . . 9 7.3. Truncated MACs . . . . . . . . . . . . . . . . . . . . . 9 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . 9 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction Authenticity of streaming data may be inexpensively established via symmetric message authentication codes (MACs) using keys pre-shared exclusively between two parties, as the receiver knows it did not Rose & Holland Expires January 9, 2020 [Page 2] Internet-Draft ALTA July 2019 originate the data and that only one other party has access to the key. In the presence of multiple receivers, however, this is not possible because all receivers must have access to the same key, giving any one of them the ability to forge messages. Consequently, authentication must be made asymmetric, such that only the sender has the ability to produce messages that correct receivers will verify as authentic. Naively, a sender may sign individual datagrams using an asymmetric digital signature algorithm, such as RSA or Ed25519, but this carries high computational cost for both the sender and receivers. In the case of streaming video delivery, while the sender's computational load may be dominated by CPU-intensive video encoding, the receiver is often a device with hardware dedicated to efficient video decoding and with limited general purpose computing hardware and/or battery available for high-rate digital signature authentication. Timed Efficient Stream Loss-Tolerant Authentication (TESLA) [RFC4082] addresses this problem through the use of symmetric authentication by delaying the release of keying material to a deadline at which any packets protected by said key that are subsequently received must be discarded by a receiver. While this reintroduces asymmetry between sender and receiver, it requires the sender and each receiver to (loosely) synchronize clocks and imposes authentication latency relative to RTT and to a pre-declared upper bound on clock skew. Clock synchronization is not as trivial as it appears: internet- connected hosts often have significant clock skew relative to stratum 0 NTP servers [timeskew], and anyway enterprises serving valuable assets do not regard NTP as a reliable interdomain security protocol. Together with the need to avoid attacks that delay packets required for synchronization, this implies the need for an interactive unicast authenticated clock synchronization protocol, which is complicated by the need to maintain clock synchronization across both the stream publisher and multiple geographically-distributed nodes in a content delivery network (CDN). This document introduces Asymmetric Loss-Tolerant Authentication (ALTA), which eschews time synchronization for an application of digital signatures to an acyclic graph of symmetric message authentication codes with redundancy sufficient to tolerate certain patterns of loss, and with digital signature authentication load greatly reduced relative to the naive approach. This algorithm is based on research by Golle and Modadugu, as published in [STRAUTH]. Live multicast streaming over an unreliable transport is the intended application for ALTA: object-based integrity solutions or transport security may be more appropriate for unicast transmission or for static objects pulled on-demand. Rose & Holland Expires January 9, 2020 [Page 3] Internet-Draft ALTA July 2019 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Protocol Overview ALTA is intended for streaming datagram use cases in which the receiving application has a deadline for the utility of received data and can tolerate a degree of random packet loss. It combines a segment of application data with a variable-length authentication tag into an ALTA payload to be sent as a unit in a single datagram, with the authentication tags constructed in such a way that a receiver will be able to authenticate nearly all such ALTA payloads received by the deadline under certain patterns of random packet loss. An authentication tag is a combination of zero or more symmetric message authentication codes (MACs) and either zero or one digital signature. Each MAC is of another ALTA payload in the stream, while the digital signature is of the containing ALTA payload with the signature field itself replaced by all zeroes. The MACs included in a given authentication tag are determined by a scheme, as defined in section 3 of [STRAUTH]. Conceptually, a scheme is a mostly backward-looking directed acyclic graph of ALTA payloads such that the MAC of a given payload is contained in two or more other payloads in the stream, enabling the loss of one of these to be tolerated without losing the ability to authenticate the given payload. For purposes of illustration, a simple example scheme is one in which the ith ALTA payload's authentication tag contains MACs for the (i-1)th and (i-2)th payload: Rose & Holland Expires January 9, 2020 [Page 4] Internet-Draft ALTA July 2019 . . . +-------------+------+ | | payload i+1 | MACs | | | | | | | | i <---------------------+ | | | i-1 <-----------------+ | | +---------+---+------+ | | | | +----------+---------+ +------------------->| MAC of payload i+1 | +--------------------+ +-------------+------+ | | | payload i | MACs | | | | | | | | | | i-1 <-----------------+ | | | i-2 <-------------+ | | +---------+---+------+ | | | | +--------+---------+ +------------------->| MAC of payload i | +------------------+ +-------------+------+ | | | payload i-1 | MACs | | | | | | | | | | i-2 <-------------+ | | | i-3 <--------+ | | +---------+---+------+ | | | | | +----+-+-------------+ +------------------->| MAC of payload i-1 | | +--------------------+ +-------------+------+ | | | payload i-2 | MACs | | | | | | | | | | i-3 <--------+ | | | i-4 <----+ | | +---------+---+------+ | | | | | | ++-+-----------------+ +------------------->| MAC of payload i-2 | | | +--------------------+ | | | | . . . . . . The recommended scheme is more complex and will be covered in detail in Section 4.3. Rose & Holland Expires January 9, 2020 [Page 5] Internet-Draft ALTA July 2019 Encoding a scheme relies on ALTA payloads being addressable deterministically by an index even in the presence of reordering or loss. This index may be deduced from the application data (e.g., making use of an existing sequence number) or by a payload index explicitly encoded in the authentication tag. Two modes are supported: o If the index starts at zero and increments by exactly one for each payload in the stream, and if the scheme is known to both sender and receiver, then indices are not required to be encoded for each MAC in an authentication tag as they can be deduced from a given payload's index and from the DAG associated with the scheme. Hereafter, this is referred to as _implicit offset mode_. o If the index increments unpredictably, or if the scheme is not known to the receiver, then each MAC in an authentication tag must be paired with the explicit index of the ALTA payload from which the MAC is computed. For compactness, this index will be encoded as an offset relative to the index of the containing payload. Hereafter this is referred to as _explicit offset mode_. Authenticity of a payload is established by a chain of MACs rooted in an ALTA payload whose authentication tag contains a digital signature created by a key in which trust has been established out-of-band. Delivery of application data must be delayed until a payload has been authenticated. Note that a given payload may be authenticated by a digital signature as well as by one or more MAC chains; within authentication deadline constraints, receivers should prefer to authenticate by MAC, minimizing the computational load imposed by digital signature authentication. The variable length of authentication tags in ALTA has implications for application data segmentation when constant-length datagrams are desired (e.g., to maximize data per UDP packet with a given path MTU while avoiding fragmentation). 4. Protocol Details 4.1. ALTA Payload An ALTA payload comprises the following elements (defined below) concatenated in-order: o Authentication tag * Options octet * Optional payload index Rose & Holland Expires January 9, 2020 [Page 6] Internet-Draft ALTA July 2019 * Sequence of chained MACs * Optional digital signature o Application data 4.1.1. Authentication Tag The authentication tag is the metadata emitted by an ALTA-compliant sender that is required, in combination with other out-of-band metadata, by an ALTA-compliant receiver to authenticate a stream of packets in a manner tolerant to loss and reordering. 4.1.1.1. Options Octet 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ |MACct|S| rsvd | +-+-+-+-+-+-+-+-+ Figure 1: Options Octet The first octet of the authentication tag contains the count of MACs included ("MACct") as well as a flag "S" indicating whether the tag also contains a digital signature. It also contains four reserved bits which MUST be set to 0 by senders and ignored by receivers. 4.1.1.2. Payload Index 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | payload index ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Figure 2: Payload Index If the payload index cannot be deduced from the application data in this payload, it must be specified explicitly in the authentication tag as an unsigned quantity of a fixed length specified by out-of- band metadata. Whether explicit or deduced, the payload index uniquely identifies a single ALTA stream payload within a rollover window of size "2^N" for some "N" specified in out-of-band metadata. The payload index MUST start at zero and increment by one for each payload transmitted, with rollover to zero on overflow. Rose & Holland Expires January 9, 2020 [Page 7] Internet-Draft ALTA July 2019 4.1.1.3. Chained MACs 0 1 0 1 2 3 4 5 6 7 8 9 0 1 ... +-+-+-+-+-+-+-+-+-+-+-+-+-+- | offset | MAC ... +-+-+-+-+-+-+-+-+-+-+-+-+-+- Figure 3: Example MAC with explicit index In explicit offset mode, each MAC encoded in the payload comprises an offset from the payload's index, expressed as a signed octet in two's complement, followed by a fixed-length MAC. The length and semantics of the MAC are a function of the MAC algorithm, which is specified by out-of-band metadata. The offset space given in the example in Figure 3 is one octet, ranging from -128 to 127, but may be of any number of whole octets, as specified by out-of-band metadata. In implicit offset mode, the receiver knows the scheme being employed and so can deduce the indices of the chained MACs from the current payload's index. Consequently, the MACs are simply concatenated in ascending order of source index according to the scheme. 4.2. Digital Signature 0 1 2 3 4 5 6 ... +-+-+-+-+-+-+-+-+- | signature ... +-+-+-+-+-+-+-+-+- Figure 4: Digital Signature If "S=1" in the options octet, then a digital signature is included in the tag. The length and content of this digital signature are a function of the signature algorithm, which is specified by out-of- band metadata. 4.2.1. Application Data The application data is opaque, with the exception of the payload index if not specified explicitly in the authentication tag. 4.3. Scheme Construction In the ALTA context, a scheme describes the directed acyclic graph of payload MACs embedded in other payloads for purposes of chained authentication. The recommended scheme is that described in section 3.2 of [STRAUTH], with "a=3" and "p=5". Rose & Holland Expires January 9, 2020 [Page 8] Internet-Draft ALTA July 2019 FIXME: Describe how to construct this scheme in pseudocode. 5. ALTA Configuration 5.1. Performance Considerations 5.1.1. MAC selection 5.1.2. Digital signature selection 5.2. Out-of-band Metadata 6. Operational Considerations As ALTA requires an out-of-band channel for provisioning of metadata, including digital signature keys and cryptographic algorithms, versioning of the protocol to support a future ALTA revision may be performed there and acted upon by the application. 7. Security Considerations 7.1. Parsing an ill-formed or inconsistent payload 7.2. Index overflow 7.3. Truncated MACs 8. IANA Considerations This document has no IANA actions. 9. References 9.1. Normative References [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 9.2. Informative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . Rose & Holland Expires January 9, 2020 [Page 9] Internet-Draft ALTA July 2019 [RFC4082] Perrig, A., Song, D., Canetti, R., Tygar, J., and B. Briscoe, "Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction", RFC 4082, DOI 10.17487/RFC4082, June 2005, . [STRAUTH] Modadugu, N., "Authenticating Streamed Data in the Presence of Random Packet Loss", 2001, . ISOC Network and Distributed System Security Symposium [timeskew] "FIXME reference for how bad time sync is", n.d.. Acknowledgments The author wishes to acknowledge Eric Rescorla, who introduced the author to the paper describing the loss-tolerant symmetric authentication scheme used as the basis for ALTA. Authors' Addresses Kyle Rose Akamai Technologies, Inc. 150 Broadway Cambridge, MA 02144 United States of America Email: krose@krose.org Jake Holland Akamai Technologies, Inc. 150 Broadway Cambridge, MA 02144 United States of America Email: jakeholland.net@gmail.com Rose & Holland Expires January 9, 2020 [Page 10]