Re: [6tisch] WGLC on the “Minimal Security Framework for 6TiSCH” document
Mališa Vučinić <malisa.vucinic@inria.fr> Fri, 06 July 2018 11:50 UTC
Return-Path: <malisa.vucinic@inria.fr>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E60B412D949 for <6tisch@ietfa.amsl.com>; Fri, 6 Jul 2018 04:50:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.919
X-Spam-Level:
X-Spam-Status: No, score=-5.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MTbviYlYBQ3H for <6tisch@ietfa.amsl.com>; Fri, 6 Jul 2018 04:50:42 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 550D4126DBF for <6tisch@ietf.org>; Fri, 6 Jul 2018 04:50:41 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.51,316,1526335200"; d="scan'208,217";a="336415206"
Received: from mail-oi0-f46.google.com ([209.85.218.46]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/AES128-GCM-SHA256; 06 Jul 2018 13:50:26 +0200
Received: by mail-oi0-f46.google.com with SMTP id c6-v6so22967113oiy.0 for <6tisch@ietf.org>; Fri, 06 Jul 2018 04:50:26 -0700 (PDT)
X-Gm-Message-State: APt69E1SJ18IUqb5xKX4vv+s2yjsAXlAOeGssf1FJGNEnw+Ea0t9EkKv pXA+Q3kNvp+O+grJc9AKVZzzGIzV4ZUTr2rAdgA=
X-Google-Smtp-Source: AAOMgpf9iv6GGC2M4/TJ3nhzjyiP6O85srtOaAIKCeUzagKnPf7SrXciw8h4fpwqxBvythUs4xxNaChdPFJwPOB70kc=
X-Received: by 2002:aca:4455:: with SMTP id r82-v6mr5585286oia.260.1530877825039; Fri, 06 Jul 2018 04:50:25 -0700 (PDT)
MIME-Version: 1.0
References: <D7595B05.AAAD5%goran.selander@ericsson.com>
In-Reply-To: <D7595B05.AAAD5%goran.selander@ericsson.com>
From: Mališa Vučinić <malisa.vucinic@inria.fr>
Date: Fri, 06 Jul 2018 13:50:13 +0200
X-Gmail-Original-Message-ID: <CANDGjydnzDA_Sv4JpmcKix_y_Zd3MRC5T4jD4TZNwyzKvUKvbQ@mail.gmail.com>
Message-ID: <CANDGjydnzDA_Sv4JpmcKix_y_Zd3MRC5T4jD4TZNwyzKvUKvbQ@mail.gmail.com>
To: Göran Selander <goran.selander@ericsson.com>
Cc: "6tisch@ietf.org" <6tisch@ietf.org>, "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, Thomas Watteyne <thomas.watteyne@inria.fr>, Suresh Krishnan <suresh.krishnan@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000f4c54c05705344e8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/fWK4i3bs3r4VmFCkSoGzgtlWSuo>
Subject: Re: [6tisch] WGLC on the “Minimal Security Framework for 6TiSCH” document
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2018 11:50:47 -0000
Hello Göran, Thanks for the review. See my responses inline. Mališa On Wed, Jun 27, 2018 at 3:46 PM Göran Selander <goran.selander@ericsson.com> wrote: > Dear WG, Pascal, Thomas, > > I have reviewed draft-ietf-6tisch-minimal-security-06 and have the > following feedback: > > > > Section 3 > > > "pledge identifier" > > > The assumptions and application of OSCORE made in this draft requires that > the pledge identifier is globally unique. Although the first sentence > states that the pledge identifier uniquely identifies the pledge, there > is no normative text in this section and it may not be understood that > uniqueness is a requirement. > (For this discussion, pledge identifier == ID Context): In oscore-13, Section 3.3 states: "To ensure unique Sender Keys, the quartet (Master Secret, Master Salt, ID Context, Sender ID) MUST be unique, i.e. the pair (ID Context, Sender ID) SHALL be unique in the set of all security contexts using the same Master Secret and Master Salt." While we have fixed the Sender ID to 0x00, I believe this OSCORE requirement is still valid in our case. I am missing the need for requiring global uniqueness if the ID Context is unique in the "set of all security contexts using the same Master Secret and Master Salt". What am I missing? That said, EUI-64 is globally unique and when used as the pledge identifier / ID Context, results in unique (Master Secret, Master Salt, ID Context, Sender ID) no matter if the Master Secret is reused. My point is that this global uniqueness of EUI-64 comes as a nice-to-have when provisioning the devices, but that a random string that meets the requirement cited above is still good enough (and increases privacy by not sending the vendor-specific EUI-64). If my understanding on the above is correct, I can clarify the text. The last sentence says that the identifier may be "e.g. a random string", > without any further details. Please include all relevant requirements on > the pledge identifier in this section so readers can get the complete > picture, make a reference to a security consideration providing the > explanation (see below), and apply the requirements to the example with > random strings. > Yes, makes sense to clarify this in security considerations referring to the OSCORE uniqueness requirements. > > > Section 4 > > > "It is RECOMMENDED to generate the PSK with a cryptographically secure > pseudorandom number generator." > > > There are a number things to consider when generating random numbers. > Consider replace this specific recommendation about one such component with > a reference to some existing specification containing recommendations, for > example NIST SP800-90A Rev 1 (2015): > https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf > I think that this recommendation should indeed be rephrased. I would like to avoid referencing any particular method of generating the PSK, I think that it would be enough to stress that the PSK that ends up being provisioned to the pledge should meet certain statistical properties (e.g. unpredictability, entropy). What do you think? > > > Section 8.1 > > > There is no mention of replay protection mechanism. Is the default replay > window type and size assumed? (Other default values of OSCORE security > context are explicitly stated in the draft.) > Yes, default replay protection of OSCORE is assumed with the nota bene on persistency that is already there in Section 8.1.1. I will make this more apparent. > > "Failure to comply will break the confidentiality property of the > Authenticated Encryption with Associated Data (AEAD) algorithm due to the > nonce reuse." > > > Nonce reuse also causes loss of authenticity and integrity, > i.e.essentially breaks the security guarantees. > Yes, of course, will state this explicitly. > The importance of not reusing the nonce with the same key may be repeated > in the security considerations. > I am not sure if discussing nonce uniqueness with a given key really belongs to this document. To me, that really belongs to OSCORE. That said, I think it would be really good to add, as you suggest, a discussion in security considerations on the uniqueness of OSCORE parameters, referring to the OSCORE document. > > > "This OSCORE security context is used for initial joining of the (6LBR) > pledge, where the (6LBR) pledge acts as a CoAP client, as well as for any > later parameter updates, where the JRC acts as a CoAP client and the joined > node as a CoAP server, as discussed in Section 9.2 > <https://tools.ietf.org/html/draft-ietf-6tisch-minimal-security-06#section-9.2> > . A (6LBR) pledge is expected to have exactly one OSCORE security > context with the JRC." > > > This is correct, not specific to this application of OSCORE, but may be > good for explaining how it works. In the spirit of explaining OSCORE and > not specific to this application, you could emphasize that the same Sender > Context is always used when sending, independently of if the node is CoAP > client or CoAP server, so that role switching between client and server > must not change the Sender / Recipient Context in a given endpoint. This > may be added here, in the security considerations section, or in both. > Good point, I think this text fits well within the current section on the OSCORE context. > > > Section 9 > > > Figure 2: remove "Message Framing" from the figure, since that refers to > reliable transport and the figure indicates UDP is the underlying layer. > Oops, you are right, apologies, that was left from copy-paste :D > > Section 10 > > > Use the term "Class U" in the description of OSCORE processing of the > Stateless-Proxy CoAP Option. Since it is class U it is recommended to > describe implications of an adversary eavesdropping or manipulating the > value of the option, e.g. in the security considerations. > I see your point about the implications and will extend the section, but for now, I would rather keep the text on Stateless-Proxy self-contained. > Maybe this has already been discussed: Would it be possible/desirable to > use the Token instead of this new option? The allowed size of Tokens would > need to be enlarged but besides that, are there any other limitations? The > Tokens would be unique by construction and the overhead would be reduced. > We discussed this on a couple of occasions. CoAP Token does everything we need from Stateless-Proxy except that in *some cases* it is not long enough. I would gladly remove any notion of Stateless-Proxy from the draft as soon as I can point to a document where CoAP token length is increased. This probably belongs to another thread, but let me bring it up here: The value that we carry in Stateless-Proxy/Token encodes the value that we carry as the OSCORE kid context, with some other info. I am looking for a way to *not* transport OSCORE kid context, but to *use* OSCORE id context during key derivation and to retrieve the correct OSCORE context from the Stateless-Proxy/Token value. This would save us 8 bytes. Looking at oscore-13, this seems to be feasible as in Section 5, there is a MAY on the transport of kid context, except that when it's carried it should be set to id_context. Do you see any problem with the solution that I outlined? This was brought up in another review regarding message overhead ( https://bitbucket.org/6tisch/draft-ietf-6tisch-minimal-security/issues/19/concerns-about-the-cojp-message-size-the ) Section 11 > > > Explain how the requirement of unique pledge identifier follows from the > assumptions and application of OSCORE in this draft. > Thank you, this text does need to be updated a bit with the changes to the generic pledge identifier that we introduced. > > OLD: > > "using the pledge identifier as Master Salt" > > > NEW: > > "using the pledge identifier as OSCORE ID Context" > Good catch! > > > > NITS: > > > General: > > > The term "role" is used in three different ways: whether node is pledge, > JP or JRC; whether pledge is 6LBR or not; and whether (6LBR) pledge is CoAP > client or CoAP server. Not necessarily an issue, but maybe worth > reconsidering. > Hmmm... good point. Not sure how to resolve this though.. > > Section 8.1 > > > OLD: "the Master Salt MUST be empty." > > NEW: "the Master Salt MUST be the empty byte string." > OK > > OLD: > > the ID of the pledge MUST be set to the byte string 0x00. This > > identifier is used as the OSCORE Sender ID in the security context > > derivation, as the pledge initially plays the role of a CoAP client. > > > NEW: > > the ID of the pledge MUST be set to the byte string 0x00. This > > identifier is used as the OSCORE Sender ID of the pledge in the security > context derivation, as the pledge initially plays the role of a CoAP client. > > > OK > > OLD: > > the ID of the JRC MUST be set to the byte string 0x4a5243 ("JRC" in > ASCII). This identifier is used as the OSCORE Recipient ID in the security > context derivation, as the JRC initially plays the role of a CoAP server. > > > NEW: > > the ID of the JRC MUST be set to the byte string 0x4a5243 ("JRC" in > ASCII). This identifier is used as the OSCORE Recipient ID of the pledge in > the security context derivation, as the JRC initially plays the role of a > CoAP server. > OK > > > Section 8.1.1 > > > OLD: > > detailed in Section 6.5.1 of [I-D.ietf-core-object-security > <https://tools.ietf.org/html/draft-ietf-6tisch-minimal-security-06#ref-I-D.ietf-core-object-security> > ] > > > NEW: > > detailed in Section 7.5.1 of [I-D.ietf-core-object-security > <https://tools.ietf.org/html/draft-ietf-6tisch-minimal-security-06#ref-I-D.ietf-core-object-security> > ] > OK > > > Section 9.1.1 > > > "The OSCORE security context used is the one derived in Section 8.1 > <https://tools.ietf.org/html/draft-ietf-6tisch-minimal-security-06#section-8.1>. > The OSCORE kid context is set to the ID context, which in turn is set to > the pledge identifier. The OSCORE kid context allows the JRC to retrieve > the security context for a given pledge." > > > Aestethical remark: The middle sentence is redundant. The purpose of the > COSE parameter 'kid context' is used to transport the ID Context, and > Section 8.1 specifies that "the ID Context MUST be set to the pledge > identifier”. (You may want to keep it for clarification though.) > OK, see above the text on not transporting kid context to save bytes. > > > Overall I found the draft very well written and was overall easy to follow > even not knowing much of the details of 6tisch. > Thanks! Göran >
- Re: [6tisch] WGLC on the “Minimal Security Framew… Pascal Thubert (pthubert)
- Re: [6tisch] WGLC on the “Minimal Security Framew… Göran Selander
- [6tisch] WGLC on the “Minimal Security Framework … Pascal Thubert (pthubert)
- Re: [6tisch] WGLC on the “Minimal Security Framew… Mališa Vučinić