IETF Logo Mail Archive

[6tisch-security] EALS and how to go from 6tisch-minimal-security to zero-touch enrollment

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 10 March 2017 03:04 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: 6tisch-security@ietfa.amsl.com
Delivered-To: 6tisch-security@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6B5A12953C for <6tisch-security@ietfa.amsl.com>; Thu, 9 Mar 2017 19:04:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jnSNiSQ-TJo9 for <6tisch-security@ietfa.amsl.com>; Thu, 9 Mar 2017 19:04:51 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5565129530 for <6tisch-security@ietf.org>; Thu, 9 Mar 2017 19:04:50 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 4A22BE1FD; Thu, 9 Mar 2017 19:58:23 -0500 (EST)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 511FF6381A; Thu, 9 Mar 2017 19:35:36 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
to: 6tisch-security@ietf.org
In-Reply-To: <7579.1488907684@obiwan.sandelman.ca>
References: <D4E34D31.783F2%goran.selander@ericsson.com> <7579.1488907684@obiwan.sandelman.ca>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: text/plain
Date: Thu, 09 Mar 2017 19:35:36 -0500
Message-ID: <14442.1489106136@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch-security/SOOx6vuOLu_RNYExpGP02aRUIrI>
Cc: =?us-ascii?Q?=3D=3Futf-8=3FB=3FTWFsacWhYS BWdcSNaW5pxIc=3D=3F=3D?= <malisa.vucinic@inria.fr>, =?us-ascii?Q?=3D=3Futf-8=3FB=3FR8O2cmFuIF NlbGFuZGVy=3F=3D?= <goran.selander@ericsson.com>, Shahid Raza <shahid@sics.se>
Subject: [6tisch-security] EALS and how to go from 6tisch-minimal-security to zero-touch enrollment
X-BeenThere: 6tisch-security@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: 6tisch-security@ietf.org
List-Id: Extended Design Team for 6TiSCH security architecture <6tisch-security.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch-security/>
List-Post: <mailto:6tisch-security@ietf.org>
List-Help: <mailto:6tisch-security-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 03:04:53 -0000

<#secure method=pgpmime mode=sign>

reply set to list.

Goran and co have produced a version/profile of EDHOC for use with the
zero-touch join process.  It is presently at:
           https://ericssonresearch.github.io/EALS/
    [Annoyingly, not posted as draft-selander-ace-eals-00 yet.]

I had previously written privately that in trying to merge 6tisch-minimal and
zero-touch secure join that I am now considering a compromise where the
zero-touch process would simply start with the 6tisch-minimal EDHOC
transaction.  This is described in draft-ietf-6tisch-dtsecurity-secure-join-01.

In order for the pledge to be passive, and the JRC to manage the bulk
(certificates and vouchers take a dozen fraglets, sadly), I would like
the zero-touch process to be driven by the JRC.

In draft-ietf-6tisch-dtsecurity-secure-join-00, I had suggested that the
security protocol be initiated from the JRC. The JRC would become aware of
the pledge through a combination of the pledge doing a DAD process, and
the Join Proxy running a query to the JRC.  In -00 that query was
implemented in GRASP, but that could be replaced with some other
query/response protocol, built upon CoAP if desired.  This was described
in
    https://tools.ietf.org/html/draft-ietf-6tisch-dtsecurity-secure-join-00#section-2.2.4

This was removed in -01: in -01 the "notification" of the JRC of the new
pledge is when the pledge performs the EDHOC process which is common to
zero-touch and one-touch.

But, EALS suggests something slightly different again.

Figure 5, reproduced below from:
       https://ericssonresearch.github.io/EALS/#rfc.section.3.2

 EALS                                     EALS
client                                   server

  |                                        |
  |      MESSAGE TO BE DETERMINED          |
  +--------------------------------------->|
  |                                        |
  |             EDHOC message_1            |
  |<---------------------------------------+
  |                                        |
  |            EDHOC message_2             |
  +--------------------------------------->|    Third party
  |                                        | < - - - - - - - - >
  |  EDHOC message_3 (EXT_3 = Authz info)  |    authorization
  |<---------------------------------------+
  |                                        |


EALS also proposes to move the voucher nonce and ownership voucher into the
protocol itself, eliminating the provisional state, and ownership voucher.

This moves the entire exchange control back to the JRC.
No CoMI interface would be needed for communicating the voucher.

EALS suggests that the enrollment occur over CoAP, driven by the pledge.
The initial network key(s) can be returned by the EALS server just as in the
6tisch-minimal-security case, so the pledge will be full on the network when
it performs certificate enrollment.
It is much closer to https://datatracker.ietf.org/doc/draft-vanderstok-ace-coap-est/



--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email