IETF Logo Mail Archive

Re: [6tisch-security] EALS and how to go from 6tisch-minimal-security to zero-touch enrollment

Göran Selander <goran.selander@ericsson.com> Fri, 10 March 2017 05:08 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: 6tisch-security@ietfa.amsl.com
Delivered-To: 6tisch-security@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18FEB129469 for <6tisch-security@ietfa.amsl.com>; Thu, 9 Mar 2017 21:08:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0qrdVNmbD1c2 for <6tisch-security@ietfa.amsl.com>; Thu, 9 Mar 2017 21:07:57 -0800 (PST)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F25E1288B8 for <6tisch-security@ietf.org>; Thu, 9 Mar 2017 21:07:57 -0800 (PST)
X-AuditID: c1b4fb3a-ea7ff7000000484c-7f-58c234a9c9e5
Received: from ESESSHC016.ericsson.se (Unknown_Domain [153.88.183.66]) by (Symantec Mail Security) with SMTP id AD.6F.18508.9A432C85; Fri, 10 Mar 2017 06:07:56 +0100 (CET)
Received: from ESESSMB107.ericsson.se ([169.254.7.76]) by ESESSHC016.ericsson.se ([153.88.183.66]) with mapi id 14.03.0319.002; Fri, 10 Mar 2017 06:07:53 +0100
From: Göran Selander <goran.selander@ericsson.com>
To: "6tisch-security@ietf.org" <6tisch-security@ietf.org>
Thread-Topic: EALS and how to go from 6tisch-minimal-security to zero-touch enrollment
Thread-Index: AQHSmTY/aARWPGYP1kiGOVpVTtU2C6GNhhyA
Date: Fri, 10 Mar 2017 05:07:52 +0000
Message-ID: <D4E7F01F.78F49%goran.selander@ericsson.com>
References: <D4E34D31.783F2%goran.selander@ericsson.com> <7579.1488907684@obiwan.sandelman.ca> <14442.1489106136@obiwan.sandelman.ca>
In-Reply-To: <14442.1489106136@obiwan.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.1.161129
x-originating-ip: [153.88.183.148]
Content-Type: text/plain; charset="utf-8"
Content-ID: <173246F8ED0EEE4FB9694891BF800CA1@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrOIsWRmVeSWpSXmKPExsUyM2K7k+4ak0MRBk/uM1o0r1zEbrHz/GUm i6eNt5kdmD2WLPnJ5DHpxSEWj6VNm5kCmKO4bFJSczLLUov07RK4Mq7/1S/Yp14xe3YjWwPj HrUuRg4OCQETiReHs7oYuTiEBNYxSrzfP4MFwlnMKDHv+XPWLkZODjYBF4kHDY+YQGwRAUuJ 7av/sYHYzALpEm2L+8FqhAXCJe4+/MYKMlREIEJi0mFZiHIjiXMHrjOD2CwCqhKH990HK+cV sJBYe3g+E8SudkaJpfNOgCU4BYwlur4eYASxGQXEJL6fWsMEsUtc4taT+WC2hICAxJI955kh bFGJl4//gfWKCuhJLH++BiquJNG45AnYPcwCmhLrd+lDjLGW2DP5A9T5ihJTuh+yQ9wjKHFy 5hOWCYzis5Bsm4XQPQtJ9ywk3bOQdC9gZF3FKFqcWlycm25kpJdalJlcXJyfp5eXWrKJERh9 B7f8ttrBePC54yFGAQ5GJR7eD7kHI4RYE8uKK3MPMUpwMCuJ8JbqHYoQ4k1JrKxKLcqPLyrN SS0+xCjNwaIkzmu28n64kEB6YklqdmpqQWoRTJaJg1OqgXE9+/XarJ0ZNbVxIc+atV+znfti yZ3A5xWp7tccuq8ttsdGdF/0qfI70z8GtLT9rldbHPwqMF9Q6wxf7Y8z+3wiwhwchDyYPitN zl2w6u3GIzIsmq9nrWYrKNumNFEl/z+b7PFnq9j/3Z1xXLuPz6mM/b/D25tuKef2OGmxzPZJ Pn5ud7mprxJLcUaioRZzUXEiAMFlvJu6AgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch-security/gHBFUS5fL9-KGJ5y6r3tOKEyzQo>
Cc: Mališa Vučinić <malisa.vucinic@inria.fr>, Shahid Raza <shahid.raza@ri.se>
Subject: Re: [6tisch-security] EALS and how to go from 6tisch-minimal-security to zero-touch enrollment
X-BeenThere: 6tisch-security@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Extended Design Team for 6TiSCH security architecture <6tisch-security.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch-security/>
List-Post: <mailto:6tisch-security@ietf.org>
List-Help: <mailto:6tisch-security-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 05:08:00 -0000


On 2017-03-10 01:35, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:

>
><#secure method=pgpmime mode=sign>
>
>reply set to list.
>
>Goran and co have produced a version/profile of EDHOC for use with the
>zero-touch join process.  It is presently at:
>           https://ericssonresearch.github.io/EALS/
>    [Annoyingly, not posted as draft-selander-ace-eals-00 yet.]

:-)

So now we all know one source of Michael’s recent thread on ietf.org.
Thanks for presenting the content to 6tisch security. One comment inline.

>
>I had previously written privately that in trying to merge 6tisch-minimal
>and
>zero-touch secure join that I am now considering a compromise where the
>zero-touch process would simply start with the 6tisch-minimal EDHOC
>transaction.  This is described in
>draft-ietf-6tisch-dtsecurity-secure-join-01.
>
>In order for the pledge to be passive, and the JRC to manage the bulk
>(certificates and vouchers take a dozen fraglets, sadly), I would like
>the zero-touch process to be driven by the JRC.
>
>In draft-ietf-6tisch-dtsecurity-secure-join-00, I had suggested that the
>security protocol be initiated from the JRC. The JRC would become aware of
>the pledge through a combination of the pledge doing a DAD process, and
>the Join Proxy running a query to the JRC.  In -00 that query was
>implemented in GRASP, but that could be replaced with some other
>query/response protocol, built upon CoAP if desired.  This was described
>in
>    
>https://tools.ietf.org/html/draft-ietf-6tisch-dtsecurity-secure-join-00#se
>ction-2.2.4
>
>This was removed in -01: in -01 the "notification" of the JRC of the new
>pledge is when the pledge performs the EDHOC process which is common to
>zero-touch and one-touch.
>
>But, EALS suggests something slightly different again.
>
>Figure 5, reproduced below from:
>       https://ericssonresearch.github.io/EALS/#rfc.section.3.2
>
> EALS                                     EALS
>client                                   server
>
>  |                                        |
>  |      MESSAGE TO BE DETERMINED          |
>  +--------------------------------------->|
>  |                                        |
>  |             EDHOC message_1            |
>  |<---------------------------------------+
>  |                                        |
>  |            EDHOC message_2             |
>  +--------------------------------------->|    Third party
>  |                                        | < - - - - - - - - >
>  |  EDHOC message_3 (EXT_3 = Authz info)  |    authorization
>  |<---------------------------------------+
>  |                                        |
>
>
>EALS also proposes to move the voucher nonce and ownership voucher into
>the
>protocol itself, eliminating the provisional state, and ownership voucher.
>
>This moves the entire exchange control back to the JRC.
>No CoMI interface would be needed for communicating the voucher.
>
>EALS suggests that the enrollment occur over CoAP, driven by the pledge.

Actually, we mention that the EDHOC protocol may be reversed, and it may
be driven by the JRC, but first authenticating the pledge enables the
authorization step to come earlier.

Göran


>The initial network key(s) can be returned by the EALS server just as in
>the
>6tisch-minimal-security case, so the pledge will be full on the network
>when
>it performs certificate enrollment.
>It is much closer to
>https://datatracker.ietf.org/doc/draft-vanderstok-ace-coap-est/
>
>
>
>--
>Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>
>
>

v2.23.0 | Report a Bug | By Email