[6tisch-security] certificate cache discussion recap from 2014-06-16
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 18 June 2014 00:59 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: 6tisch-security@ietfa.amsl.com
Delivered-To: 6tisch-security@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CD7C1A00BD for <6tisch-security@ietfa.amsl.com>; Tue, 17 Jun 2014 17:59:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.532
X-Spam-Level:
X-Spam-Status: No, score=-2.532 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, T_MIME_NO_TEXT=0.01, T_TVD_MIME_NO_HEADERS=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9-Jlro9WjGOs for <6tisch-security@ietfa.amsl.com>; Tue, 17 Jun 2014 17:59:43 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3::184]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5996A1A013B for <6tisch-security@ietf.org>; Tue, 17 Jun 2014 17:59:42 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id CE80C20011 for <6tisch-security@ietf.org>; Tue, 17 Jun 2014 21:03:36 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 9412563B0E; Tue, 17 Jun 2014 20:59:06 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 7E86E63B0A for <6tisch-security@ietf.org>; Tue, 17 Jun 2014 20:59:06 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: 6tisch-security@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Tue, 17 Jun 2014 20:59:06 -0400
Message-ID: <31337.1403053146@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch-security/DT-K0_qd_wd-GmqB4YVqQtbhC6Q
Subject: [6tisch-security] certificate cache discussion recap from 2014-06-16
X-BeenThere: 6tisch-security@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Extended Design Team for 6TiSCH security architecture <6tisch-security.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch-security/>
List-Post: <mailto:6tisch-security@ietf.org>
List-Help: <mailto:6tisch-security-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jun 2014 00:59:45 -0000
Monday, on the call I asked the group a couple of questions relating to the
time sequence diagram from Jonathan.
1) given assymetric crypto is there any reason for the JOIN REQUEST from the
joining node to the PCE (message 4) to be *encrypted* to the PCE?
(Clearly, it needs to be signed by the joining node)
The conclusion was that there are things in WirelessHART which were decided
were sensitive, and thus the packet was encrypted. It was concluded that if
there is anything left that is sensitive that it can probably be moved to
step 5/6.
Leaving out the asymmetric encryption likely saves around 300 bits in the
packet as well.
2) having gotten rid of the (assymetric) encryption, the question then
becomes: do we need to do a certificate request/response at all? (steps 2/3).
Some things that were said on the call:
a) it has been suggested that the address of the PCE would be an attribute
on the certificate that is returned.
b) it has been suggested that the certificate (chain) that would permit the
joining node to be able to validate the PCE's identity, and therefore
determine if this network is worth joining.
c) there are some significant concerns if (b) is the only way that the joining
node can determine if this is the correct network, that this is putting
far too much policy and intelligence in the joining node.
d) there is concern that given the complexity; that consumer devices may
well just join whatever network they see first.
e) at the same time, there is concern that message 2/3 does not involve any
opportunity for a trip to an online database for higher value joining
nodes.
f) it was suggested that a joining node should record PANIDs to which it
has attempted to connect to, and failed, and therefore it would not
continuously failing to connect.
g) it was suggested (by me) that even a partical certificate chain could
be useful in selected a network to join.
The question was asked, if the message 2/3 exchange can never provide enough
authorization for a joining node to determine which network to join, then an
alternate question was asked:
- is there something which can be cached by the proxy, such as part of
the PCE certificate chain, which would usefully reduce the number of
messages that need to traverse the entire LLN for each joining node.
A number of people expressed an interest in keeping the message 2/3 exchange
as an optional part of the protocol. I don't like optional pieces, and I
would want to signal if message 2/3 should occur in the EB, or to always do
the message 2 request, and permit empty replies.
If you go back to my email at:
https://mailarchive.ietf.org/arch/msg/6tisch-security/2kObJLkLlhuI-HU9s5yqfRm0n00
I had four links in the particular certificate chain that would permit the
joining node to authenticate the PCE.
*1* Factory: ACME
*2* National-VAR: Cadabra
*3* Regional-Var: Sesame
*4* Plant: Coyote
The factory certificate (1) would be built into the joining node as a trust
anchor. If message (3) contained certificate *2*, perhaps also *3*, then that
would significant help the joining node to know that this might be the right
network to join, and it would reduce the number of bytes sent all the way.
Some problems/issues with this include:
i. certificate *2* of the chain could be very specific to a particular
device, so might be unsuitable for caching.
ii. request (2) would have to include the DN of the trust anchor
certificate *1* in order to indicate which vendor's certificate should
be returned from the proxy. Naturally, this opens things up to having
as many certificates cached as there are factories X VARs.
iii. at the DTLS stage, if additional parts of the trust path have been
cached, then this needs to be indicated when the joining nodes issues
it's CertificateRequest as part of it's ServerHello exchange, so
that only part of the certificate chain is sent.
iv. worse case, the entire certificate chain has to be sent at the DTLS
stage.
If the PCE has a certificate chain which is not per-IDevID, and yet is
anchored at the factory installed trust anchor, then maybe this would have
higher utility.
While I can see the PCE having a certificate anchored in a local CA, and I
can see that as part of the join process, the joining node would have this
new trust anchor installed (along with a certificate of its own), I think it
is important to remember that this occurs *post* join.
In particular I want to make sure that everyone understands that the
(successful) join protocol occurs only once after the device has been turned
on (and/or factory defaulted in some OOB way). It does not occur every time
the device powers up --- the join protocol would have installed the correct
PANID, L2-Key, etc. into the device.
So my conclusion is that there is little that we can cache on the proxy.
--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
- [6tisch-security] certificate cache discussion re… Michael Richardson
- Re: [6tisch-security] certificate cache discussio… Jonathan Simon