[sldev] Cryptographic signing of UDP packets

Meadhbh Hamrick (Infinity) infinity at lindenlab.com
Tue Dec 16 09:36:18 PST 2008


fwiw... there is a protocol and an implementation to do a lot of this  
already... DTLS. and, it's implemented in recent versions of OpenSSL.

but let's just say for a moment we go out and design our own crypto
protocol. one would hope we (we being both LL and OpenSim folks) would
look carefully at Fluhrer and McGrew's work with the RTP security
profile over at the IETF.

fwiw.. it is extremely unlikely that we're talking about a public key  
digital signature per packet. this would be prohibitively expensive in  
terms of CPU load. it is not, however, a problem for bandwidth. while  
most applications of digital signatures append/prepend a signature or  
authenticator to a packet (as is the case with the IPSec AH  
(Authentication Header)), if we wanted to do the crypto in the  
application layer, we could use the "signature with message recovery"  
construction (google 9796-4 for more info), though we would likely  
want to use something more like "message authentication code with  
message recovery" which i haven't seen in the wild. and honestly...  
one should be very careful about inventing new crypto.

in other words... if we care about security, then we should attempt to  
look at well-worn solutions (like IPSec or DTLS.) if we've learned  
anything in the past two decades about applying crypto to problems,  
it's that it's extremely easy to build bad solutions.

-cheers
-m/∞

On Dec 16, 2008, at 3:35 AM, Robin Cornelius wrote:

> Thought this was worth kicking around here for a discussion.
>
> It was mentioned by Soft that adding a cryptographic hash/signature to
> each UDP packet was on the way, and given that the last 2 security
> updates were both UDP packet injection issues this could be a very
> good thing, but there may be unforced pitfalls and this is not in
> any way aimed at LL, but it's easy to balls up cryptography (and I for
> one am certainly not an expert in the field).
>
> The problems I see are
>
> 1) Increase of packet size and therefore bandwidth
>
> Is this going to be ALL UDP packets or just certain ones that are
> certainly more sensitive than others? Not applying to all still leaves
> a potential attack point but wastes bandwidth. This is also related to
> the size of the signature. If the signature is too small a brute force
> attack may be possible by just trying combinations of packets and
> getting a reply from the server, too large a signature and we have
> massive UDP packets so more bandwidth and lag?
>
> 2) Key exchange,
>
> I guess that this can occur over caps using https as part of the
> login, if we trust https for login then it should be trustworthy for
> key exchange?
>
> Also would this be some kind of direct symmetrical private key or
> would this be a public/private key asymmetrical system where
> essentially anyone could verify a packet if they can obtain a
> server's/client's public key?
>
> Keys could also be re-negotiated periodically to keep the actual keys
> in use rotating to make packet sniffing for brute force harder.
>
>
> Any Thoughts?


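As an added illustration of the trade-off discussed in this message and the quoted post (not code from the thread or from Linden Lab), the sketch below authenticates each UDP datagram with a truncated symmetric MAC plus a sequence number and replay window, in the style of the RTP security profile's 80-bit tag. The session key is assumed to have been agreed over the HTTPS login channel; HMAC-SHA-256, the 8-byte sequence header, the 64-packet window and all names are assumptions of this example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10   # 80-bit truncated tag: 10 bytes of overhead per datagram
WINDOW = 64    # replay window size (assumed value for this example)
MASK = (1 << WINDOW) - 1

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Return seq || payload || tag. The tag also covers the sequence number."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = -1   # highest sequence number accepted so far
        self.seen = 0       # bit i set => (highest - i) already accepted

    def accept(self, datagram: bytes):
        """Return the payload, or None if truncated, forged or replayed."""
        if len(datagram) < 8 + TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Check the MAC first, in constant time, so that forged packets
        # never touch replay state. A blind guess passes with chance 2**-80.
        if not hmac.compare_digest(tag, expected):
            return None
        (seq,) = struct.unpack("!Q", body[:8])
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = 1 if shift >= WINDOW else ((self.seen << shift) | 1) & MASK
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= WINDOW or (self.seen >> offset) & 1:
                return None   # too old, or a replay of an accepted packet
            self.seen |= 1 << offset
        return body[8:]

if __name__ == "__main__":
    key = bytes(range(32))            # constructed key, for the demo only
    rx = Receiver(key)
    pkt = protect(key, 0, b"constructed payload")
    print(rx.accept(pkt))             # accepted
    print(rx.accept(pkt))             # replay -> None
```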
