IETF Logo Mail Archive

Re: [6tisch] 2nd WG LC on draft-ietf-6tisch-minimal-security

Göran Selander <goran.selander@ericsson.com> Fri, 29 March 2019 06:19 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91D60120132 for <6tisch@ietfa.amsl.com>; Thu, 28 Mar 2019 23:19:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.022
X-Spam-Level:
X-Spam-Status: No, score=-1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tr16sg_Ult3v for <6tisch@ietfa.amsl.com>; Thu, 28 Mar 2019 23:19:19 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-eopbgr140051.outbound.protection.outlook.com [40.107.14.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 591AD120196 for <6tisch@ietf.org>; Thu, 28 Mar 2019 23:19:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Fr61nLE1zrjAUZGgANSkGlKNtKCUIELshTScWv7+btw=; b=Q3wrivcRnL0tpegeu7E2F0x2GSAqG/vpz0WC5kgAzUjdFMBoWzp9TITB+WxE8mK69c7BDE9wILPlHUs7QGnJaW61fD5ReqxqEeDzyu31pxtOJqG7iXYasVFHnX1UcWTLBRUMJ6Z+iTR98bdgLbm8l7NmLG8NfIGT3wwl4uozDKk=
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com (20.176.166.25) by HE1PR07MB4265.eurprd07.prod.outlook.com (20.176.166.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.6; Fri, 29 Mar 2019 06:19:15 +0000
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::2464:1071:5050:f397]) by HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::2464:1071:5050:f397%2]) with mapi id 15.20.1771.006; Fri, 29 Mar 2019 06:19:15 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Mališa Vučinić <malisa.vucinic@inria.fr>, "6tisch@ietf.org" <6tisch@ietf.org>
CC: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
Thread-Topic: [6tisch] 2nd WG LC on draft-ietf-6tisch-minimal-security
Thread-Index: AQHU4oDZ/DdlrW6JIEaAmirRY27M2qYgEGOAgAHk9gA=
Date: Fri, 29 Mar 2019 06:19:15 +0000
Message-ID: <72B13862-DE96-4343-9C27-9D83512A96B7@ericsson.com>
References: <A37DDEAC-BEDA-47E0-9E54-DB78D4C8463C@ericsson.com> <B0650F57-2BAC-4563-863B-B407E21BA372@inria.fr>
In-Reply-To: <B0650F57-2BAC-4563-863B-B407E21BA372@inria.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.0.190309
authentication-results: spf=none (sender IP is ) smtp.mailfrom=goran.selander@ericsson.com;
x-originating-ip: [62.168.35.67]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 23b1c019-e5dd-4d19-22da-08d6b40e7809
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:HE1PR07MB4265;
x-ms-traffictypediagnostic: HE1PR07MB4265:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <HE1PR07MB426534316A5CE27004FC2699F45A0@HE1PR07MB4265.eurprd07.prod.outlook.com>
x-forefront-prvs: 0991CAB7B3
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(376002)(346002)(366004)(136003)(39860400002)(51914003)(199004)(189003)(3846002)(316002)(15650500001)(71190400001)(71200400001)(83716004)(66574012)(81156014)(8936002)(6486002)(82746002)(4326008)(5660300002)(81166006)(97736004)(66066001)(68736007)(53936002)(26005)(85182001)(6436002)(6512007)(6306002)(6246003)(99286004)(229853002)(25786009)(106356001)(85202003)(110136005)(186003)(36756003)(2906002)(102836004)(7736002)(58126008)(105586002)(305945005)(2501003)(486006)(33656002)(446003)(476003)(2616005)(14444005)(256004)(76176011)(11346002)(86362001)(8676002)(966005)(14454004)(6116002)(6506007)(478600001)(53546011); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB4265; H:HE1PR07MB4172.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: QsjNV/fj8aHAF2/66QXzcpT3JM3k+FKiDhpx2c4/+sAgKJir21lrsds156wpmdBHEChmIRjoKpl2eBptA3OxZ+TNHSiAA31WwDtbnRqP9jlsbAhaovIk3aLzWQDq41lgs7osJL1QfUnzbURMNrRifssXC+WbC9BTMH2VLXFkUFltpEOojXAZL6TaCKw8ubD/YqzGac/jPeM9HGOjQ3iC4Al5IRZq8nG5F72xf/7pIV8rarFqcKpjroScZp1EqbFBr+hIkK4+KRmSbb14fofMZb/eYAfU06XvD8OaVeOUCe+2vgDoa38njSvzc19rLo+Req9sl8GXiz5HXWDD1ZCZpliTAgkgf1TVm2PfYdavs13sxs+Otm9s52u++3wFoPeV76iXhyNUgsfLtav9YU4kMXrIVnWotnjng/AYWkSa32I=
Content-Type: text/plain; charset="utf-8"
Content-ID: <A8702CC3CA460648B2F8BB8D9A081F71@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 23b1c019-e5dd-4d19-22da-08d6b40e7809
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Mar 2019 06:19:15.4559 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4265
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/GmTJdFnJ6W1NXplSUOmXlS7LXuA>
Subject: Re: [6tisch] 2nd WG LC on draft-ietf-6tisch-minimal-security
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 06:19:23 -0000

Hi Mališa,

Thanks for the update, this addresses my concerns. 

Editorial: Replace "entirely defined" with "specified".

Göran

On 2019-03-27, 23:16, "Mališa Vučinić" <malisa.vucinic@inria.fr> wrote:
    
    Dear Göran,
    
    
    Many thanks for the review! As we discussed during the WG meeting, I added new text in the draft to stress that the procedure in Appendix B.2 of OSCORE should be used in the case of a failure event occurring at the JRC. The use of this procedure
     is now RECOMMENDED, and in case it is not supported by a particular pledge implementation, we require the reprovisioning of the affected devices with fresh parameters.
    
    
    Other comments have also been taken into account and the draft has been aligned with the references in oscore-16.
    
    
    The related diff providing changes in respect to your comments is available at:
    https://bitbucket.org/6tisch/draft-ietf-6tisch-minimal-security/branch/minimal-security-10-goran#diff
    
    
    Please let me know if this addresses your review.
    
    
    Mališa
    
    
    On 24 Mar 2019, at 23:08, Göran Selander <goran.selander@ericsson.com> wrote:
    
    Dear 6TiSCH,
    
    Sorry for very late response, here are a some post-2nd WGLC comments on draft-ietf-6tisch-minimal-security-09:
    
    Summary: With one exception detailed below the draft seems to be in good shape and essentially only need some harmonizing updates following the last changes to OSCORE which has now completed IESG review.
    
    Main concern:
    
    Section 8.3:
    The recovery from complete failure of the JRC as currently described is not satisfactory and may lead to loss of confidentiality of data sent from the JRC to the pledge.  During reinitialization of pledges due to complete failure of JRC, the new JRC cannot
     detect replays of old initialization messages, nor does it know the latest sequence number used by the failed JRC:
    
    * It is not described how the new JRC reacts to a received CoJP request to avoid accepting a replay request or why it is not a problem with nonce reuse in the CoJP response.
    * The procedure for the first Parameter Update with randomized payload may have different known CoAP header parameter values than the message with which nonce is reused, leading to a two-time pad which may to break confidentiality. It should at least be described
     why this is not an issue.
    * There is no security consideration about properties of the encryption algorithm, in this case AES-CCM, which limits this attack to confidentiality.
    
    There are different ways to resolve this. Here are two alternatives:
    
    Appendix B.2 in OSCORE specifies a challenge-response based protocol for updating the security context based on an exchange of nonces. This protocol can be directly applied here where the replaced JRC in the role of CoAP server would trigger the protocol by
     responding to the reinitialization request with a new security context as is detailed in appendix B.2. The pledge then repeats the CoJP request with another security context and the JRC responds with the CoJP response using the agreed security context. In
     this way the old security context is replaced by a new, thereby removing the risks associated with accepting replayed messages and reusing nonces.
    
    
    The procedure in the previous paragraph does however not support the lightweight implementation option in Appendix B of this draft, since the master secret is needed for deriving the new security context. If this is very important to support, considering that
     CoJP is a special application of OSCORE it may be possible to specify a bespoke synchronization protocol. One setting for this is based on a reserved JRC sequence number for responses to reinitialization requests, the Echo option, and transport of the pledge
     record of last used JRC sequence number. This would require a careful analysis in particular of the use of JRC sequence numbers.
    
    
    A related concern is on the use of persistent memory: 
    
    "In case of a reboot on either side, the retrieval of mutable security context parameters is feasible from the persistent memory such that there is no risk of AEAD nonce reuse due to a reinitialized Sender Sequence number, or of a replay attack due to the reinitialized
     replay window."
    
    Section B.1.1 of OSCORE details some issues with writing to non-volatile memory that are applicable in particular to the JRC, and this text should be updated accordingly. Depending on the JRC implementation, this may be another reason why the pledges/joined
     nodes need to support the protocol in Appendix B.2 in the case of JRC losing context.
    
    Minor concerns:
    
    "Implementations MUST ensure that multiple CoAP requests to different JRCs are properly incrementing the sequence numbers "
    
    I don't know why this is restricted to different JRCs: Implementations MUST ensure that multiple CoAP requests properly incrementing the sequence numbers.
    
    
    OLD
    "Since the pledge's OSCORE ID "
    
    NEW
    "Since the pledge's OSCORE Sender ID "
    
    
    " A simple implementation technique is to instantiate the OSCORE security
      context with a given PSK only once and use it for all subsequent
      requests. "
    
    Reference 7.5 and/or appendix B.1. Note that these are rewritten so references here may have changed (see below).
    
    
    OLD
    "The (6LBR) pledge and the JRC use the OSCORE security
      context parameters (e.g. sender and recipient identifiers) as they
      were used at the moment of context derivation, regardless of whether
      they currently act as a CoAP client or a CoAP server. "
    
    I think this text is intended as a clarification of OSCORE functionality, but it doesn't make clear that that is what it is. Here is an attempt, perhaps you can do better:
    
    NEW
    Note that when the (6LBR) pledge and JRC changes roles between CoAP client and CoAP server, the same OSCORE security context as initially derived in each endpoint remains in use and the derived parameters are unchanged, for example Sender ID when sending and
     Recipient ID when receiving, see section 3.1 of [I-D.ietf-core-object-security].
    
    
    "A technique that prevents reuse of sequence numbers,
      detailed in Section 7.5.1 of [I-D.ietf-core-object-security], MUST be
      implemented.  Each update of the OSCORE Replay Window MUST be written
      to persistent memory."
    
    Section 7.5.1 is now B.1.1, and the procedure is slightly different, there are two parameters to set, K and F. Do you want to recommend any settings here?
    
    
    Göran
    
    
    
    On 2019-03-07, 15:45, "6tisch on behalf of Pascal Thubert (pthubert)" <6tisch-bounces@ietf.org on behalf of
    pthubert@cisco.com> wrote:
    
       Dear all:
    
       At the last IETF, we concluded the WGLC on draft-ietf-6tisch-minimal-security and concluded it was mostly ready. It received 7 reviews during the last WGLC, all of which had been integrated, and received reviewers approval.
       Two final changes were still needed.  Malisa was to discuss those on the ML, integrate them into a new version of the draft if consensus was found. There was in particular a dependency / alignlent to be made on OSCORE.
    
       More in 
       https://www.mail-archive.com/6tisch@ietf.org/msg02875.html <https://www.mail-archive.com/6tisch@ietf.org/msg02875.html>.
     It appears that the issues are now resolved. Mališa, can you please summarize the status with OSCORE?
    
       As promised, the Chairs now open a 1-week WGLC on 
    https://tools.ietf.org/html/draft-ietf-6tisch-minimal-security-09 <https://tools.ietf.org/html/draft-ietf-6tisch-minimal-security-09>  focusing on those changes, though any bug you can find is good to mention too.
       The WGLC ends on Friday March 15th. Please have a good last look at the spec and let us know.
    
       Looking forward to meeting you all in Prague,
    
       The chairs
    
    
    
    
    
    _______________________________________________
    6tisch mailing list
    6tisch@ietf.org
    https://www.ietf.org/mailman/listinfo/6tisch

v2.23.0 | Report a Bug | By Email