Re: [6tisch] Review draft-ietf-6tisch-minimal-security
Mališa Vučinić <malisa.vucinic@inria.fr> Fri, 07 September 2018 13:44 UTC
Return-Path: <malisa.vucinic@inria.fr>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5615128CF3 for <6tisch@ietfa.amsl.com>; Fri, 7 Sep 2018 06:44:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.92
X-Spam-Level:
X-Spam-Status: No, score=-5.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mp1NlLmLShFs for <6tisch@ietfa.amsl.com>; Fri, 7 Sep 2018 06:44:52 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25003130E00 for <6tisch@ietf.org>; Fri, 7 Sep 2018 06:44:50 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.53,342,1531778400"; d="scan'208,217";a="278119689"
Received: from mail-qt0-f173.google.com ([209.85.216.173]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/AES128-GCM-SHA256; 07 Sep 2018 15:44:48 +0200
Received: by mail-qt0-f173.google.com with SMTP id o15-v6so16221300qtk.6 for <6tisch@ietf.org>; Fri, 07 Sep 2018 06:44:48 -0700 (PDT)
X-Gm-Message-State: APzg51D0YiNLr8cGJwwbmmgK/vgyPrR6RqcrbuqZjaW2Ya/OyF35lSLv bkJZKILQnBFZq51H1GK6xUB+4KtqVRFupkV5F4I=
X-Google-Smtp-Source: ANB0VdZX3do3NPmbe9YNSc3Y2ZrZHEF5G7IPe/l0wKFNq5eTuFUpsc1tIH1vNv5l0rJnT99DpEgNNmPIDpfj+pBFMIo=
X-Received: by 2002:a0c:c3c6:: with SMTP id p6-v6mr5665104qvi.146.1536327887906; Fri, 07 Sep 2018 06:44:47 -0700 (PDT)
MIME-Version: 1.0
References: <028401d40fdc$52659dc0$f730d940$@augustcellars.com> <CANDGjyfAFpS=LZh8O8+v4YnjaMVek=jQaFjiwPyPXi7nVubKpQ@mail.gmail.com> <03ed01d41850$a4761780$ed624680$@augustcellars.com> <CANDGjye6zvVwwS6QhFv6pUxEcX9T+tCEKuNiCGDShoDPm3-1kg@mail.gmail.com> <02f901d41e90$ab5b2c70$02118550$@augustcellars.com> <CANDGjyeDUqfAKo4QSLgm42O4AGNxoDBSVD5Biju7N=Wdx_jmMQ@mail.gmail.com> <00c701d42b68$7de638e0$79b2aaa0$@augustcellars.com>
In-Reply-To: <00c701d42b68$7de638e0$79b2aaa0$@augustcellars.com>
From: Mališa Vučinić <malisa.vucinic@inria.fr>
Date: Fri, 07 Sep 2018 15:44:32 +0200
X-Gmail-Original-Message-ID: <CANDGjyf-JzD3rAD1TeFOeyASsDTbDnfg7Le7FpXUgAPP6w-7Og@mail.gmail.com>
Message-ID: <CANDGjyf-JzD3rAD1TeFOeyASsDTbDnfg7Le7FpXUgAPP6w-7Og@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: 6tisch@ietf.org
Content-Type: multipart/alternative; boundary="000000000000047517057548369c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/pAPJjcLcAlSx7ZjDc869XdcdPTQ>
Subject: Re: [6tisch] Review draft-ietf-6tisch-minimal-security
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Sep 2018 13:44:58 -0000
Hi Jim, Apologies for responding to your email only now due to my vacation in August. I don't have any objection to your proposed solution and this indeed solves the issue without introducing an additional message in the protocol. I am slightly leaning towards the PIV being sent in the Bad Request error payload instead of within the Request-Tag option, simply to minimize the implementation effort. I will incorporate this in the next revision of the draft before Bangkok and validate with you. Thank you for doing a review, outlining an issue and proposing a solution! Mališa On Fri, Aug 3, 2018 at 10:28 PM Jim Schaad <ietf@augustcellars.com> wrote: > As I remember we had a discussion about this during the creation of OSCORE > but the results did not make it into the final draft. > > > > There is never a problem for the second JOIN as the device will have both > the keys and the saved PIV to use so it will never do a reuse of the same > PIV assuming correct implementation. > > > > The first message from the JRC needs to be checked by the pledge to see if > there is a duplicate PIV used. If it finds a duplicate PIV used, and the > PIV is “grossly” below the PIV it is expecting. Then the pledge sends back > and an encrypted response to the JRC with the following properties: > > > > 1. The pledge uses its next PIV value (i.e. it will look like an > observe message to the JRC) and places it’s PIV into the message as the > partial IV. Doing so should not create any problems that I can think of. > As a new PIV is used there is no security leakage. > 2. The pledge sends a request-tag option as part of the response. The > value of the request-tag option contains a value greater or equal to the > next PIV from the JRC that it will allow. This value is an encrypted > option and thus not visible. > 3. The JRC can then resend the message to the pledge using the new PIV > (and optionally the request-tag option) to the pledge which should now > accept it. > > > > There are a number of different ways that the value could be send from the > pledge to the server. I suggested the request-tag option above, but you > could for example send “PIV=#” as the payload of a Bad Request error code > to the JRC. The only thing would be to define a single way to send this > information. > > > > The first message from the JRC would be subject to leakage of data as it > could be XORed with the first message from the original JRC and thus some > details extracted. I don’t know how much of this information ends up as > being public after a while anyway and thus leaking it would not be a huge > problem. Depending on value of the data, the JRC could generate new data > for the message to the pledge. > > > > Jim > > > > > > *From:* Mališa Vučinić <malisa.vucinic@inria.fr> > *Sent:* Wednesday, July 18, 2018 12:08 PM > > > *To:* Jim Schaad <ietf@augustcellars.com> > *Cc:* 6tisch@ietf.org > *Subject:* Re: Review draft-ietf-6tisch-minimal-security > > > > Thanks Jim for working on this! When you have time, please drop us a line > with the proposed solution. > > > > Mališa > > > > On Wed, Jul 18, 2018 at 2:13 PM Jim Schaad <ietf@augustcellars.com> wrote: > > I think that I have a solution that could be implemented at the cost of > one additional round trip the first time the JRC wants to update the > endpoint. > > > > Jim > > > > > > *From:* Mališa Vučinić <malisa.vucinic@inria.fr> > *Sent:* Tuesday, July 17, 2018 1:22 PM > > > *To:* Jim Schaad <ietf@augustcellars.com> > *Cc:* 6tisch@ietf.org > > *Subject:* Re: Review draft-ietf-6tisch-minimal-security > > > > Hi Jim, > > > > It seems we have two use cases where this is relevant: > > > > 1) Change of ownership without reprovisioning the pledge (and using > symmetric keys) > > 2) Failure of JRC > > > > Case (1): reuse of PIV can be avoided by mandating the exchange of OSCORE > mutable parameters. > > > > Case (2): the context is lost and with it any hope to continue with the > next PIV. I think that when JRC1 goes "boom", the network continues to > operate, without even noticing as 6LBR is still operational. Then, we need > to force all the nodes to rejoin and include PIV in the request, possibly > by sending a command from the JRC2 to 6LBR of the network. But to send this > command to 6LBR over OSCORE, JRC2 needs to use a PIV, which it doesn't > know. At the moment, I don't see how we could trigger this network-wide > rejoin securely, without relying on another communication channel... > > > > I will raise this during the 6TiSCH meeting tomorrow to request WG input > on the best way to proceed. If you have a proposal, please let me know! > > > > Regarding the persistency issue: I suppose you refer to section > https://tools.ietf.org/html/draft-ietf-core-object-security-13#section-7.5 , > i.e. Section 7.5.1 of OSCORE-13, that states: > > > > To prevent reuse of Sender Sequence Numbers, an endpoint may perform the > following procedure during normal operations: o Before using a Sender > Sequence Number that is evenly divisible by K, where K is a positive > integer, store the Sender Sequence Number in persistent memory. After boot, > the endpoint initiates the Sender Sequence Number to the value stored in > persistent memory + K. Storing to persistent memory can be costly. The > value K gives a trade-off between the number of storage operations and > efficient use of Sender Sequence Numbers. > > > > Currently, Section 8.1.1. of *draft-ietf-6tisch-minimal-security* states: > > > > Implementations MUST ensure that mutable OSCORE context parameters (Sender > Sequence Number, Replay Window) are stored in persistent memory. A > technique that prevents reuse of sequence numbers, detailed in Section > 6.5.1 of [I-D.ietf-core-object-security], MUST be implemented. Each update > of the OSCORE Replay Window MUST be written to persistent memory. > > > > In the text above, there is a typo: > > s/Section 6.5.1/Section 7.5.1 > > > > Let me know if I am missing something else to add regarding this. > > > > Mališa > > > > On Tue, Jul 10, 2018 at 3:20 PM Jim Schaad <ietf@augustcellars.com> wrote: > > > > > > *From:* Mališa Vučinić <malisa.vucinic@inria.fr> > *Sent:* Friday, June 29, 2018 12:34 PM > *To:* Jim Schaad <ietf@augustcellars.com> > *Cc:* 6tisch@ietf.org; draft-ietf-6tisch-minimal-security@ietf.org > *Subject:* Re: Review draft-ietf-6tisch-minimal-security > > > > Hi Jim, > > > > Thanks a million for going through the document. Regarding the problem you > outline where the pledge first joins to JRC1 and then later to JRC2, this > would correspond to the change of ownership of the pledge, without going > through the trouble of re-provisioning the pledge with a new PSK/security > context. While this use case is not ideal to solve with PSKs as JRC2 would > then need to fully trust JRC1, do you think it would be sufficient to > require in such a case that apart from the PSK, the JRC1 would need to > communicate to JRC2 the full state of the security context, including > JRC1’s sequence number (ie all mutable parameters)? JRC2 would then simply > continue with the next seqno, avoiding reuse. > > > > [JLS] Yes that does avoid the issue. My worry is that JRC1 might go boom > and that information is no longer available. Given that JRC2 would then be > the same company, there is no problem with needing to re-provision from a > trust point. But there may be from a security prospective of re-using IVs. > > > > Regarding your minor issue, could you check if the text in Section 8.1.1 > covers what you had in mind? > > > > > https://tools.ietf.org/html/draft-ietf-6tisch-minimal-security-06#section-8.1 > > > > [JLS] No not really, it would be better covered by pointing to > https://tools.ietf.org/html/draft-ietf-core-object-security-13#section-5.1 > esp 5.1.1 where they give an algorithm for preventing the problem. > > > > Mališa > > > > > > On Fri, 29 Jun 2018 at 21:08, Jim Schaad <ietf@augustcellars.com> wrote: > > I think I have found a security problem with the document as it currently > stands. I also have a minor request. > > Minor Request: > I think it might be advisable to explicitly state that the derived context, > or at least the last partial IV used is stored in non-volatile storage > after > use. (Could just do an update to value + n when you approach that limit.) > > Major Problem: > > I believe that there is a problem in that there is a designed re-use of > partial IV values. > > 1. A pledge completes a join operation with JRC1. There are no problems > here as the partial IV is correctly changed. This uses a number of partial > IVs from pledge space. > > 2. JRC1 performs a number of parameter updates. This uses a number of > partial IV values from the JRC1 side. > > 3. JRC1 disappears for some reason leaving no traces behind. > > 4. The pledge is then told to do a second join and it attaches to JRC2. > Since the pledge keeps the partial IV value there are no problems. > > 5. JRC2 performs a parameter update. Since JRC2 does not know how many > messages were sent from JRC1, it does not know what to set the partial IV > to > and thus would reuse IV values. > > I believe that this could be addressed as follows: > > 1. The pledge keeps track of the last partial IV from a JRC > 2. When a pledge does a join, it sends that value to the JRC so that the > JRC knows where to start generating messages. > > Jim > > _______________________________________________ > 6tisch mailing list > 6tisch@ietf.org > https://www.ietf.org/mailman/listinfo/6tisch >
- Re: [6tisch] Review draft-ietf-6tisch-minimal-sec… Jim Schaad
- [6tisch] Review draft-ietf-6tisch-minimal-security Jim Schaad
- Re: [6tisch] Review draft-ietf-6tisch-minimal-sec… Mališa Vučinić
- Re: [6tisch] Review draft-ietf-6tisch-minimal-sec… Mališa Vučinić
- Re: [6tisch] Review draft-ietf-6tisch-minimal-sec… Jim Schaad
- Re: [6tisch] Review draft-ietf-6tisch-minimal-sec… Mališa Vučinić
- Re: [6tisch] Review draft-ietf-6tisch-minimal-sec… Jim Schaad
- Re: [6tisch] Review draft-ietf-6tisch-minimal-sec… Mališa Vučinić