Multipath Use Case and Requirement for Security

Document Type Active Internet-Draft (individual)
Last updated 2019-09-10
Stream (None)
Intended RFC status (None)
Formats plain text pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Internet                                                         S. Rass
Internet-Draft                                   Universitaet Klagenfurt
Intended status: Informational                                     Y. Qu
Expires: March 13, 2020                                           L. Han
                                                      September 10, 2019

            Multipath Use Case and Requirement for Security


   This document describes a use case of multipath to achieve full CIA+
   by using symmetric cryptography and point-to-point shared secrets.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 13, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Rass, et al.             Expires March 13, 2020                 [Page 1]
Internet-Draft           Mpath security use case          September 2019

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  Assumptions . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Multipath Routing . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Multi-path Service and User-Network Interface . . . . . .   4
     3.2.  Path and Routing Reliability  . . . . . . . . . . . . . .   4
     3.3.  Cross Domain Path Reliability . . . . . . . . . . . . . .   5
     3.4.  Cross Domain Network Connections  . . . . . . . . . . . .   5
     3.5.  Updates upon Changing Network Topologies  . . . . . . . .   5
     3.6.  Enforced Device Pairing and De-Pairing  . . . . . . . . .   6
   4.  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Appendix A.  Cryptographic and Graph-Theoretic Basics . . . . . .   9
     A.1.  Secret Sharing  . . . . . . . . . . . . . . . . . . . . .   9
     A.2.  Network Connectivity  . . . . . . . . . . . . . . . . . .   9
   Appendix B.  Multipath Transmission and Game-Theoretic Security .  10
     B.1.  End-to-end Confidentiality - Parallel Version . . . . . .  10
     B.2.  End-to-end Confidentiality - Sequential-Parallel Version   10
     B.3.  Randomized Routing to Maximize Security against Node
           (Failures)  . . . . . . . . . . . . . . . . . . . . . . .  11
     B.4.  Availability  . . . . . . . . . . . . . . . . . . . . . .  12
     B.5.  End-to-End Authenticity . . . . . . . . . . . . . . . . .  12
       B.5.1.  Non-Repudiation . . . . . . . . . . . . . . . . . . .  13
     B.6.  Integrity . . . . . . . . . . . . . . . . . . . . . . . .  13
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  14

1.  Introduction

   Public-key cryptography is a convenient tool for end-to-end security,
   but in practice can be cumbersome or complicated for non-expert users
   to apply.  Certificate- and key management rely on complex
   infrastructures and to a significant extent impose monetary cost and
   human effort.

   This document describes a method of using symmetric cryptography and
   point-to-point shared secrets to establish full CIA+
   (confidentiality, integrity, availability and authenticity) end-to-
   end security.  The respective schemes rely on multipath transmission
   and threshold cryptography, and are intended to work transparently
   for the users, i.e., entirely below the application layer.  The only
   involvement of human action is for the key establishment, which is in

Rass, et al.             Expires March 13, 2020                 [Page 2]
Internet-Draft           Mpath security use case          September 2019

   our setting equivalent to a pairing of devices, as is familiar from
   other contexts, such as Bluetooth.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

2.  Assumptions

   We assume a network of bidirectional links, represented as an
   undirected graph G=(V,E).  An edge e=(v_1, v_2) in the set E
   represents a point-to-point connection between the nodes v_1 and v_2
   in the network.  We assume that every such pair (v_i, v_j) in E
   shares an individual secret k_ij, which is individually distinct for
   all edges (i.e., no two pairs have, other than by coincidence, the
   same secret).  The secret exchange or establishment is left to
   arbitrary means, e.g., any device pairing scheme
   [I-D.ietf-dnssd-pairing] or cryptographic methods like Diffie-Hellman
   key exchange [RFC2631] would be admissible, up to quantum key
   distribution [BB84].  Indeed, end-to-end security in quantum networks
   is the most natural application area of multipath transmission as we
   discuss here.

   We further assume that keys between adjacent nodes in the network
   have been exchanged in an authentic manner; say, by sufficient
   proximity during the device pairing (e.g., near field communication).

3.  Multipath Routing

   Multipath routing offers the remarking ability of establishing
   public-key like security without computational intractability.  This
   means that periodic updates of keys or server certificates are no
   longer required in such systems; updates to keys for symmetric crypto
   are much easier by device re-pairing or refreshing keys from existing
   key material, such as is done in quantum key distribution (QKD).
   Multipath transmission, requiring no quantum technology per se,
   offers nonetheless the same level of security QKD [BB84] and can
   resist attacks by quantum computers (like post-quantum cryptography

   The key element to this end is using multiple paths to send a
   message, which in the simplest instance is just like humble symmetric
   encryption: consider two nodes A and B that have no direct connection
   between them (i.e., A and B are several hops apart).  Let us assume
   that two paths connect A to B, where those paths intersect only at A
   and B (we call such paths node-disjoint).  If so, then A can choose a

Rass, et al.             Expires March 13, 2020                 [Page 3]
Internet-Draft           Mpath security use case          September 2019

   session key k that it sends to B over the first path, and deliver the
   encrypted payload over the second path.  If the encryption is chosen
   properly (e.g., Vernam cipher [Ver55]) and the adversary does not
   intercept both paths, the connection remains secure.

   The scheme straightforwardly generalizes to more than two paths,
   where the payload is (always) split into shares and transmitted over
   separate paths in parallel or sequentially.  Security comes from the
   proper encoding/creation of the pieces so that an attacker needs to
   intercept a certain number of paths in order to breach
   confidentiality, insert a forged message, or cause a denial of
   service.  The fundamental circumstance implying security here is the
   existence of k (>= 2) node and link disjoint paths, so that an
   adversary needs to conquer at least k nodes in the network to breach
   security (by mounting a person-in-the-middle attack).

   Security (up to QKD without trusted relays) thus hinges on the
   following network-related assumptions:

3.1.  Multi-path Service and User-Network Interface

   There are at least two disjoint paths between node A and node B, so A
   can send packets to node B via different paths efficiently and

   New User-Network Interface (UNI) should be defined to exchange
   information between end device/application and network.  The
   information may include but not limited to:

   o  User expectation: such as number of paths, bandwidth required etc.

   o  Path aware info: the network should dynamically provide end-device
      information such as number of paths available, each path's
      attributes: path reliability, routing quality, bandwidth, path
      elements etc.

3.2.  Path and Routing Reliability

   The sender A can deliberately choose any among the existing paths to
   its receiver B to transmit a message.  The routing is reliable in the
   sense that there is at least a probabilistic guarantee for the packet
   to travel over exactly the chosen route with a likelihood p that A
   can quantify (not necessarily control).  In other words, the chances
   for the path to be blocked, or for the packet to take a detour for
   any reason (e.g., load balancing, temporary congestions, or similar)
   is at most 1-p, with the value of p being known to A.  The ideal case
   p = 1 expresses that the chosen route has a perfect reliability
   (i.e., no deviations and guaranteed delivery).

Rass, et al.             Expires March 13, 2020                 [Page 4]
Internet-Draft           Mpath security use case          September 2019

   It is admissible to express the path reliability in terms of several
   such probabilities, referring to different dimensions for the quality
   of service.  That is, we may define a probability p_1 for the packet
   to stay on the chosen route, another probability p_2 for the packet
   to be delivered at all (i.e., not being blocked), or similar.

   There are per se no stringent constraints regarding latencies or for
   several packets to arrive in the order of transmission, since the
   outer (cryptographic) transmission protocols can handle this.
   However, the aforementioned probabilities quantifying the quality of
   routing need to be accurately known to the sender A.  Suitable
   protocols to handle path deviations (temporary detours) and to
   optimize quality-of-service tradeoffs based on such knowledge are
   found in the literature [Ras13], [RK12].

3.3.  Cross Domain Path Reliability

   If two distinct network domains are joined together, the topologies
   of both networks are reliably made known to the nodes in the
   respective other network.  Chosen routes from one network into the
   other must remain quantifiably reliable in the sense of section 3.2
   above, i.e., a node A in one network must still be able to determine
   a probability p for a packet to stay on its route and to arrive at
   the designated destination across all network domains that it

3.4.  Cross Domain Network Connections

   Whenever a node A has an outside connection to a node in another
   network domain N_2, A should not have a second connection to another
   node in the same network domain N_2.  That is, if two network domains
   N_1 and N_2 are joined together via k links, those links should
   pairwise connect k distinct nodes in N_1 to another k distinct nodes
   in N_2.  This assures that the so-constructed larger network retains
   the necessary number of (at least) k node disjoint paths across the
   domains (by avoiding bottle-neck connections between networks N_1 and

3.5.  Updates upon Changing Network Topologies

   The information described under the preceding sections needs to
   remain up-to-date whenever A wishes to send a packet somewhere.
   Changing topologies such as in ad hoc networks call for a proper and
   reliable updating scheme to A's local information about the network
   topology.  This includes also changes in topologies of remote network
   domains (that the sender does not itself belong to).

Rass, et al.             Expires March 13, 2020                 [Page 5]
Internet-Draft           Mpath security use case          September 2019

3.6.  Enforced Device Pairing and De-Pairing

   Whenever a node X joins a network, it must establish shared secrets
   (for cryptography) with any neighbor with whom it has a direct point-
   to-point connection.  Whenever a node X leaves the network, nodes
   losing the connection to X need to abandon their cryptographic key
   formerly assigned to the connection with X.  The key exchange
   protocols can be arbitrary (cf.  section 2), but the device pairing
   must in any case be authenticated.

4.  Summary

   The ability to route messages along chosen paths in a network,
   together with sufficient vertex connectivity and unique neighborhoods
   for each node opens up the possibility to achieve end-to-end

   o  without public-key cryptography.

   o  using only light-weight symmetric cryptographic primitives
      (encryption and hashing).

   o  and with the most trivial key-management consisting of only the
      exchange of keys between directly connected devices (along device

5.  Security Considerations


6.  Acknowledgements


7.  References

7.1.  Normative References

              Huitema, C. and D. Kaiser, "Device Pairing Using Short
              Authentication Strings", draft-ietf-dnssd-pairing-05 (work
              in progress), October 2018.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997,

Rass, et al.             Expires March 13, 2020                 [Page 6]
Internet-Draft           Mpath security use case          September 2019

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [RFC2631]  Rescorla, E., "Diffie-Hellman Key Agreement Method",
              RFC 2631, DOI 10.17487/RFC2631, June 1999,

   [RFC5510]  Lacan, J., Roca, V., Peltotalo, J., and S. Peltotalo,
              "Reed-Solomon Forward Error Correction (FEC) Schemes",
              RFC 5510, DOI 10.17487/RFC5510, April 2009,

   [RFC6824]  Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
              "TCP Extensions for Multipath Operation with Multiple
              Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013,

7.2.  Informative References

   [FFGV07]   Matthias Fitzi, Matthew K. Franklin, Juan Garay, and S.
              Harsha Vardhan, TCC, LNCS, vol. 4392, Springer, 2007, pp.
              311--322., "Towards Optimal and Efficient Perfectly Secure
              Message Transmission".

   [MS81]     R. J. McElice and D. V. Sarwate, Commun. ACM 24 (1981),
              no. 9, 583--584., "On Sharing Secrets and Reed-Solomon

   [Ras13]    Stefan Rass, Springer Journal of Network and Systems
              Management 21 (2013), no. 1, 47--64., "On Game-Theoretic
              Network Security Provisioning".

   [Ras14]    Stefan Rass, International Journal of Advanced Computer
              Science and Applications 5 (2014), no. 2, 148--157.,
              "Complexity of Network Design for Private Communication
              and the P-vs-NP question".

   [Ras18]    Stefan Rass, CoRR abs/1810.05602 (2018)., "Perfectly
              secure communication, based on graph- topological
              addressing in unique-neighborhood networks".

   [RS10]     Stefan Rass and Peter Schartner, Proceedings of the
              International Conference on Security and Management (SAM),
              vol. 1, CSREA Press, 2010, pp. 111--115., "Multipath
              Authentication without shared Secrets and with
              Applications in Quantum Networks".

Rass, et al.             Expires March 13, 2020                 [Page 7]
Internet-Draft           Mpath security use case          September 2019

   [Sha49]    C. E. Shannon, Bell System Technical Journal 28 (1949),
              656--715., "Communication Theory of Secrecy Systems".

   [Sha79]    Adi Shamir, ACM 22 (1979), no.  11, 612--613., "How to
              share a secret".

Rass, et al.             Expires March 13, 2020                 [Page 8]
Internet-Draft           Mpath security use case          September 2019

Appendix A.  Cryptographic and Graph-Theoretic Basics

A.1.  Secret Sharing

   We assume a message m to come as a binary string of length L.  A
   simple k-out-of-k secret sharing is by picking a set of k-1 random
   strings s_1, s_2, ..., s_(k-1) of the same length as m and computes
   s_k := m XOR s_1 XOR s_2 XOR ... XOR s_(k-1).  Information-
   theoretically, one can prove [Sha49] that the recovery of m is
   impossible from any set of less than k of the strings s_1, ..., s_k
   (since the missing string effectively acts as a one-time pad
   concealing m).

   The sharing as just described is replaceable by more sophisticated
   schemes, such as Shamir's polynomial sharing [Sha79], which adds
   error correction capabilities [MS81] via using an isomorphy to Reed-
   Solomon encoding.  We shall, however, hereafter not further relate to
   standardized versions of Reed-Solomon forward error correcting codes
   [LRPP09], but rather work with the above simple scheme instead.

   Abstractly, we shall introduce a sharing function SPLIT(m, k) that
   decomposes an input message m into a set of k shares according to any
   scheme of choice (for the description in this document, the above
   XOR-based scheme will suffice).  The inverse of SPLIT will be the
   function COMBINE(s_1, ..., s_k), taking k (out of a potentially
   larger set) of shares to reconstruct the message m from it.  Note
   that COMBINE internally may invoke error correction algorithms
   [LRPP09], which we do not further expand here.

A.2.  Network Connectivity

   If a node A wants to transmit a message m to a node B, we assume that
   A can choose a path, or a set of paths through the network along a
   physical connection (over multiple hops) to the end-node B.  Further,
   we assume that the network's node connectivity is such that more than
   one route from A to B exists, and that at least two routes exist that
   do not intersect other than at A and B (node-disjoint paths).  It is
   known that the existence of k node-disjoint paths is equivalent to
   the graph admitting a k-vertex cut; equivalently, we call such a
   graph k-vertex-connected.  The smallest graph with that property is
   the complete graph with k+1 nodes.  Furthermore, if two k-vertex-
   connected graphs are given, we can combine them into one (big) k-
   vertex connected graph G as follows: we pick k distinct nodes u_1,
   ..., u_k in G_1 and another k distinct nodes v_1, ..., v_k in G_2,
   and connect the two graphs by adding edges (u_i, v_i) for all
   i=1,2,...,k.  The resulting graph contains all nodes and edges from
   G_1 and G_2, plus the connecting edges between the two graphs.  It is
   provably a k-vertex-connected graph, admitting at least k node-

Rass, et al.             Expires March 13, 2020                 [Page 9]
Internet-Draft           Mpath security use case          September 2019

   disjoint paths between any two nodes in either graph and from any
   node in G_1 to any node in G_2 and vice versa.

   While it may not be too optimistic to hope for a large k in the
   existing internet topology, matters of resilience against failure of
   single nodes in the network call for a least k=2, so that the network
   remains connected if one node (and hence the adjacent edge) fails.

   Let A's available routes to B be enumerated as R_1, ..., R_k, which A
   picks with likelihoods p_1, ..., p_k, say, p_i := 1/i for an
   equiprobable choice of a single route.  Moreover, we let each
   transmission use their point-to-point shared secrets to encrypt a
   message along the network edge (v_i, v_j) under the key k_ij (e.g.,
   by means of the Advanced Encryption Standard or others).

Appendix B.  Multipath Transmission and Game-Theoretic Security

B.1.  End-to-end Confidentiality - Parallel Version

   To confidentially transmit the message m, A proceeds as follows:

   1.  Decompose m into shares {s_1, ..., s_k} := SPLIT(m)

   2.  Send each share s_i over the route R_i (for i = 1, ..., k) in
       parallel to B.

   3.  B, upon receiving all shares recovers the message as m :=
       COMBINE(r_1, ..., r_k).

   By construction, the attacker needs to gather all k shares to recover
   m, so that if the attacker can intercept only less than k paths, the
   message m remains perfectly concealed (by the aforementioned
   arguments).  A picture of the scheme is found at

B.2.  End-to-end Confidentiality - Sequential-Parallel Version

   The above scheme can be further strengthened by a two-stage sharing
   as follows: as before, let m the message that A wishes to send to B
   in perfect privacy.  It proceeds as follows:

   1.  Decompose m into n shares {s_1, ..., s_n} := SPLIT(m)

   2.  For i = 1, 2, ..., n: send each share s_i by the parallel scheme
       described above; resulting in the transmission of shares r_i1,
       ..., r_ik for the share s_i

Rass, et al.             Expires March 13, 2020                [Page 10]
Internet-Draft           Mpath security use case          September 2019

   3.  The receiver B then needs to (i) reconstruct every share s_i :=
       COMBINE(r_i1, ..., r_ik) (as in the parallel version above), and
       (ii) reconstruct the overall message as m := COMBINE(s_1, ...,

   An attacker needs to intercept the entirety of shares for each
   individual transmission, as well as for all the sequential
   transmissions.  Unless the attacker can mount a full person-in-the-
   middle attack, the message m remains perfectly concealed.  Even if
   the attacker has a positive probability q < 0 to catch all shares for
   a single transmission in step 2, the probability to catch the
   entirety of n sequential shares (created in step 1) equals (1-q)^n
   (the path choices are made stochastically independent).  In choosing
   n large enough, A can make the adversary's success chances
   exponentially small.

B.3.  Randomized Routing to Maximize Security against Node (Failures)

   Suppose that the attacker can intercept a fixed maximum number t < k
   of nodes, where k is the network's vertex connectivity.  If the
   network is such that certain routes are more or less reliable than
   others (e.g., some routes may be easier to intercept for the
   adversary or temporarily be unavailable), there is no obligation in
   the above scheme to use the full set of paths per parallel
   transmission.  Instead, to transmit a share (whether in the parallel
   or sequential-parallel version of the transmission), the sender may
   randomly pick the route R_i with likelihood p_i, and transmit the
   share over the chosen route.

   Knowing the choice rules p_1, ..., p_k for the k routes that A can
   choose from, the attacker may seek to compute an optimal strategy for
   intercepting, resulting in probabilities q_1, ..., q_|V| for nodes to
   attack (excluding the nodes for A and B here, since our security goal
   is confidentiality, disregarding impersonation attacks for the

   The optimal computation of probabilities to choose routes, and
   individual likelihoods to intercept nodes amounts to a simple two-
   person matrix game [Ras13], whose saddle-point value (computable by
   means of linear optimization) systematically quantifies (bounds) the
   likelihood for the attacker to succeed.  For a simplified example,
   assuming that all nodes are equally "easy" for the attacker to
   conquer, yet with a bound to no more than 1 node to be under the
   adversary's control at a time, the optimal choice for the sender A
   would be an equiprobable pick among the routes, i.e., p_i := 1/k for
   all i, and an equiprobable choice of victim nodes for the attacker
   (here, we assumed that the sender uses only a single path at a time).

Rass, et al.             Expires March 13, 2020                [Page 11]
Internet-Draft           Mpath security use case          September 2019

B.4.  Availability

   The XOR sharing used in Section 2.1 is vulnerable against packet loss
   (whether this happens by coincidence or due the attacker's actions;
   DoS attacks).  Making the scheme resilient against packet loss or
   damage calls for error correction capabilities within the COMBINE
   function, e.g., using the methods described in [LRPP09].  A full-
   fledged scheme using Reed-Solomon error correction towards optimized
   availability and confidentiality is described by [FFGV07].

B.5.  End-to-End Authenticity

   Using a similar idea [RS10], authenticity of messages is
   accomplishable by message authentication codes.  Since the sender A
   shares secrets only with her/his direct neighbors, it can only use
   their secrets to attach a message authentication code.  The receiver
   B, being several hops away from A, does not know the secrets to
   verify the MAC, but, thanks to its ability of chosen path routing,
   can ask A's neighbors to verify the MACs on B's behalf.

   Putting this to practice, A authenticates a message m for B as
   follows, using the keys {k_1, ..., k_n} that A shares with its direct
   neighbors in the network.  We write MAC(m,k) to denote a message
   authentication code (MAC) for a message m computed under the (secret)
   key k.  Moreover, let H be a cryptographically strong hash function
   (e.g., SHA-3 or likewise).

   1.  A computes hash-MACs, e.g., using the HMAC scheme in [RFC2104],
       and attaches the MACs {a_i := MAC(H(m), k_i) | i=1,2,...,n} to
       the message.

   2.  B receives the message m' (say, over a multipath transmission
       scheme with chosen routes as described above).  To verify that m'
       is authentic, B computes the hash h' = H(m') and asks A's
       neighbors to verify the respective MACs.  To this end, B contacts
       the i-th neighbor of A on a chosen route, and sends the data {h',
       a_i'} to A's neighbor with whom A shares the secret k_i.  Here,
       the value a_i' is the MAC that B received (which could equally
       well have been corrupted).

   3.  A's neighbor no. i uses its secret k_i to verify if MAC(h',k_i)
       =?= a_i'.  It replies the result ("yes" or "no") back over the
       same route as how the query came in.  This process happens
       concurrently at all of A's neighbors (for i = 1, ..., n).

   4.  B collects all replies and takes either a majority decision or
       (in the most stringent setting) rejects if any of the replies
       comes back negative.

Rass, et al.             Expires March 13, 2020                [Page 12]
Internet-Draft           Mpath security use case          September 2019

   A picture of the scheme is found at

   The condition upon which B accepts A's message as authentic may
   depend on how resilient one needs to be about an adversary
   potentially manipulating the verification query to B.  If B rejects
   upon a single negative verification, then even an attacker that can
   conquer only a single node on any of the chosen paths can mount a
   denial-of-service.  On the contrary, if B accepts the majority vote,
   then the attacker needs to intercept (and manipulate) more than half
   of the routes chosen.

   The security of this scheme follows by similar arguments as in the
   case for confidentiality: the scheme is secure as long as the
   adversary cannot mount a full person-in-the-middle attack,
   conditional on the attacker's inability to find hash-collisions (in
   that sense, the scheme is, unlike the multipath transmission for
   confidentiality), only computationally secure.

   Note that confidentiality of the message against the verifying
   neighbors is not directly addressed here beyond the point of sending
   a hash of m for verification instead of the full message.
   Heuristically, the message thus remains concealed to the extent of
   the neighbor's inability to find a meaningful pre-image for the
   received value h'.  We assumed the neighbors to be honest, unless
   being under the attacker's control, so that a denial-of-service or
   intentionally incorrect response is in any case possible, and cannot
   be ruled out by this protocol.

B.5.1.  Non-Repudiation

   Under proper graph topological properties, the above authentication
   scheme, though based on symmetric cryptography only, shares the non-
   repudiation feature of public-key digital signatures.  In fact, if
   the set of secrets shared between a node and its direct neighbors (or
   a subset thereof) is unique, i.e., distinct, for each node, then no
   other node than A can create the MAC-set attached to the message m.
   Networks with that property are easy to recognize based on their
   adjacency matrix [Ras18]; moreover, the "unique-neighborhood
   property" is preserved upon the same network merging operations as
   described above for k-vertex-connectivity.

B.6.  Integrity

   From the construction of Section 3.4, integrity is directly implied
   by the use of hashes that additionally act as checksums.  That is,
   any distortion on the transmission line will with overwhelming

Rass, et al.             Expires March 13, 2020                [Page 13]
Internet-Draft           Mpath security use case          September 2019

   probability invalidate the MAC or inner hash, thus causing the
   protocol to indicate this error.  Conversely, if B accepts A's
   message as authentic, integrity verification is accomplished in the
   same blow, unless the attacker managed to forge the message as a
   whole (in which case, integrity is also unhedgeable).

Authors' Addresses

   Stafan Rass
   Universitaet Klagenfurt


   Yingzhen Qu
   2330 Central Expressway
   Santa Clara, CA  95050


   Lin Han
   2330 Central Expressway
   Santa Clara, CA  95050


Rass, et al.             Expires March 13, 2020                [Page 14]