[6tisch-security] authz in the form of a cert chain.. from SIDR work

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 16 May 2014 19:52 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: tisch-security <6tisch-security@ietf.org>
Date: Fri, 16 May 2014 15:51:54 -0400
Message-ID: <13616.1400269914@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch-security/2kObJLkLlhuI-HU9s5yqfRm0n00
Cc: Robert Moskowitz <rgm@htt-consult.com>

In my original 802.1AR-enabled device claim idea, I imagine a certificate
chain rooted in the Factory CA that would already be present in the mote.

To make it easier to explain, and talk about, I'm going to give some names.
   Factory:       ACME
   National-VAR:  Cadabra
   Regional-Var:  Sesame
   Plant:         Coyote

So, the manager (Wiley) at the Coyote Plant has just received 1000 new
(wireless) Road-Runner Detectors, and plans to spread them along the highway.
The detectors are IDevID 210001 through 210999.  Each Detector has
an 802.1AR certificate pre-installed that looks like:
        Issuer: C=US, ST=New Jersey, L=Fairfield,
                O=ACME Rocket-Powered Products,
                OU=Sensor-Network-Division
        Validity
            Not Before: Feb 17 19:51:50 2010 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject: CN=roadrunner210001
        Data:
            Serial Number: 21:00:01
        Subject Public Key Info: ...


When ACME Factory's Sensor Network Division ships 100 crates of sensors to
Cadabra, it issues a certificate:

        Issuer: C=US, ST=New Jersey, L=Fairfield,
                O=ACME Rocket-Powered Products,
                OU=Sensor-Network-Division
        Validity
            Not Before: Feb 17 19:51:50 2010 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject: C=US,ST=Washington,L=Seattle,O=Cadabra,OU=Logistics
                 RFC3779-Like-Extension: Range(210000, 219999)

When Cadabra ships cases 1-20 to Sesame, it issues a certificate:

        Issuer: C=US,ST=Washington,L=Seattle,O=Cadabra,OU=Logistics
        Validity
            Not Before: Feb 17 19:51:50 2010 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject: C=US, ST=Arkansas, L=Bentonville,
                O=Sesame Bix Box Retail,
                OU=Small Stuff Distribution
                RFC3779-Like-Extension: Range(210000, 211999)

When Coyote Inc buys those 10 boxes of 100 sensors, the bill of sale includes:

        Issuer: C=US, ST=Arkansas, L=Bentonville,
                O=Sesame Bix Box Retail,
                OU=Small Stuff Distribution
        Validity
            Not Before: Feb 17 19:51:50 2010 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject: C=US, ST=Nevada, L=Tonopah,
                 O=Coyote Inc, OU=Supper
                 RFC3779-Like-Extension: Range(210000, 210099)
                 RFC3779-Like-Extension: Range(210200, 210299)
                 RFC3779-Like-Extension: Range(210400, 210499)
                 RFC3779-Like-Extension: Range(210600, 210699)
                 RFC3779-Like-Extension: Range(210800, 210899)
                 RFC3779-Like-Extension: Range(211000, 211099)
                 RFC3779-Like-Extension: Range(211200, 211299)
                 RFC3779-Like-Extension: Range(211600, 211699)
                 RFC3779-Like-Extension: Range(211800, 211899)
(because a shipper sent them every other box, the ranges are not contiguous)

The mote/sensor, when it sees this certificate, can verify that its DevID
is in the range, and therefore knows that it has found the right network.

Should Coyote find that they had too many, they can sell some of these
sensors to Sheepdog Sam Inc, by issuing a certificate:

        Issuer: C=US, ST=Nevada, L=Tonopah,
                 O=Coyote Inc, OU=Supper
        Validity
            Not Before: Feb 17 19:51:50 2010 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject: C=GB, ST=Scotland, L=Edinburgh,
                 O=SheepsRUs, OU=Sheepdog
                 RFC3779-Like-Extension: Range(210050, 210099)
                 RFC3779-Like-Extension: Range(211611, 211623)

Of course, since Coyote actually still has a valid certificate, all parties
would be advised to use Enrollment over Secure Transport or an API into
802.1AR to put an operational certificate in place.    Getting back to
factory default might be impossible (WirelessHart does this, I think), or
at least, will wipe the private key associated with the new certificate from
the device.

BTW: the extension is likely about 20 bytes base, with 5 bytes per IDEVID.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
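The delegation chain and the mote-side check sketched in the message, as an added worked example (this is not code from the message, from the 6tisch design team, or from the SIDR work). It builds the ACME -> Cadabra -> Sesame -> Coyote chain as X.509 CA certificates carrying a constructed "RFC3779-like" range extension, then validates the chain the way the mote would: every link's signature, every link's ranges encompassed by its issuer's ranges (the RFC 3779 rule the message borrows from SIDR), and finally the mote's own IDevID against the leaf. The extension OID, its DER layout (SEQUENCE OF SEQUENCE { INTEGER min, INTEGER max }), the organization names, the root's product-line range and the 50-year lifetimes are all assumptions of this example; the message specifies none of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OID for the "RFC3779-like" IDevID range extension;
// an assumption of this example, nothing is registered under it.
var oidDevIDRanges = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// Range is one inclusive span of IDevIDs. encoding/asn1 marshals a []Range as
// SEQUENCE OF SEQUENCE { INTEGER min, INTEGER max }.
type Range struct{ Min, Max int64 }

// Party is one supply-chain link: its CA certificate and the key it resells with.
type Party struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var nextSerial int64 = 1

// Issue signs a CA certificate for org carrying ranges in the extension. A nil
// parent yields the self-signed Factory root pre-loaded in the mote. Issuance
// is the seller's setup, so it panics rather than returning errors.
func Issue(parent *Party, org string, ranges []Range) *Party {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	extDER, err := asn1.Marshal(ranges)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(50, 0, 0), // stands in for the message's year-9999 expiry
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		ExtraExtensions:       []pkix.Extension{{Id: oidDevIDRanges, Value: extDER}},
	}
	nextSerial++
	parentCert, signer := tmpl, key // self-signed root
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Party{Cert: cert, Key: key}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// RangesOf decodes the extension, rejecting trailing bytes and inverted spans.
func RangesOf(c *x509.Certificate) ([]Range, error) {
	for _, e := range c.Extensions {
		if !e.Id.Equal(oidDevIDRanges) {
			continue
		}
		var rs []Range
		rest, err := asn1.Unmarshal(e.Value, &rs)
		if err != nil || len(rest) != 0 {
			return nil, fmt.Errorf("malformed IDevID range extension (err=%v, trailing=%d bytes)", err, len(rest))
		}
		for _, r := range rs {
			if r.Min > r.Max {
				return nil, fmt.Errorf("inverted range %+v", r)
			}
		}
		return rs, nil
	}
	return nil, fmt.Errorf("no IDevID range extension")
}

// encompassed is the RFC 3779 rule: each range a child claims must lie inside a
// single range its issuer holds, so a reseller cannot hand out IDevIDs it never bought.
func encompassed(child, parent []Range) bool {
	for _, c := range child {
		ok := false
		for _, p := range parent {
			ok = ok || (c.Min >= p.Min && c.Max <= p.Max)
		}
		if !ok {
			return false
		}
	}
	return true
}

// ValidateChain walks from chain[0] (the Factory root the mote already trusts)
// to the presented leaf, checking every signature and every delegation, and
// returns the leaf's ranges for the mote to test with Contains.
func ValidateChain(chain []*x509.Certificate) ([]Range, error) {
	if len(chain) == 0 {
		return nil, fmt.Errorf("empty chain")
	}
	held, err := RangesOf(chain[0])
	if err != nil {
		return nil, err
	}
	for i := 1; i < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i-1]); err != nil {
			return nil, fmt.Errorf("link %d: %w", i, err)
		}
		rs, err := RangesOf(chain[i])
		if err != nil {
			return nil, fmt.Errorf("link %d: %w", i, err)
		}
		if !encompassed(rs, held) {
			return nil, fmt.Errorf("link %d (%s) claims IDevIDs its issuer never held", i, chain[i].Subject)
		}
		held = rs
	}
	return held, nil
}

// Contains is the mote's own test: is my IDevID inside the granted ranges?
func Contains(rs []Range, devID int64) bool {
	for _, r := range rs {
		if devID >= r.Min && devID <= r.Max {
			return true
		}
	}
	return false
}

// BuildDemoChain recreates the ACME -> Cadabra -> Sesame -> Coyote chain from the
// message with constructed certificates (Coyote's list is cut to three boxes).
func BuildDemoChain() []*x509.Certificate {
	acme := Issue(nil, "ACME Rocket-Powered Products", []Range{{200000, 299999}})
	cadabra := Issue(acme, "Cadabra", []Range{{210000, 219999}})
	sesame := Issue(cadabra, "Sesame Bix Box Retail", []Range{{210000, 211999}})
	coyote := Issue(sesame, "Coyote Inc", []Range{{210000, 210099}, {210200, 210299}, {210400, 210499}})
	return []*x509.Certificate{acme.Cert, cadabra.Cert, sesame.Cert, coyote.Cert}
}

func main() {
	granted, err := ValidateChain(BuildDemoChain())
	check(err)
	fmt.Println("roadrunner210001 found its network:", Contains(granted, 210001))
	fmt.Println("roadrunner210150 is in a box sold elsewhere:", Contains(granted, 210150))
}
```

Two points the code makes that the prose leaves implicit: the encompassment test has to be done at every link, not just at the leaf, otherwise a reseller in the middle could widen the grant and a downstream buyer's certificate would look fine against it; and the mote needs only the Factory root to do all of this, since each hop is checked against the one above it. A chain signed by a different root, or a link that claims IDevIDs outside its issuer's ranges, is rejected by ValidateChain with an error naming the offending link.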