From: Joel Halpern
Before that, I would also ask them for the data plane document for an analysis of what the implications are if a key shared by all the SCION routers of an AS is compromised. It is ahrd to tell if the design assumptions are workable without that.
We should better clarify this, we don't say what an attacker can do if an attacker gets the AS forwarding key.
Current text is:
5.1.1. Forwarding key compromise
For the current default MAC algorithm, AES-CMAC truncated to 48 bits,
key recovery attacks from (any number of) known plaintext/MAC
combinations is computationally infeasible, as far as publicly known.
In addition, the MAC algorithm can be freely chosen by each AS,
enabling algorithmic agility for MAC computations. Should a MAC
algorithm be discovered to be weak or insecure, each AS can quickly
switch to a secure algorithm without the need for coordination with
other ASes.
A more realistic risk to the secrecy of the forwarding key is
exfiltration from a compromised router or control plane service. An
AS can optionally rotate its forwarding key at regular intervals to
limit the exposure after a temporary device compromise. However, as
is perhaps self-evident, such a key rotation scheme cannot mitigate
the impact of an undiscovered, permanent compromise of a device.
We should better clarify this, we don't say what an attacker can do if an attacker gets the AS forwarding key. Current text is: