Re: [Ace] Replay ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02

Roman Danyliw <rdd@cert.org> Tue, 26 June 2018 01:57 UTC

From: Roman Danyliw <rdd@cert.org>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "ace@ietf.org" <ace@ietf.org>
Date: Tue, 26 Jun 2018 01:56:55 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC014C3F3C1F@marathon>
References: <VI1PR0801MB2112707E5C33DB0F86231D98FA750@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB2112707E5C33DB0F86231D98FA750@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-0x1C1o4arKf7O4D9HQrz2nq17c>
Subject: Re: [Ace] Replay ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>

Hi Hannes!

> -----Original Message-----
> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@arm.com]
> Sent: Friday, June 22, 2018 9:36 AM
> To: Roman Danyliw <rdd@cert.org>; ace@ietf.org
> Subject: Replay ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02
> 
> Hi Roman,
> 
> Thanks for your review.
> 
> As I was re-reading the reviews I spotted this comment:
> 
> >  (14) (Editorial)  Page 8, Section 4, Per "Replay can also be avoided if a
> > sub-key is derived from a shared secret that is specific to the instance of
> > the PoP demonstration."  PoP is spelled out everywhere else in this draft but
> > here. Yes, the acronym is defined, but for readability, I recommend against
> > using it and consistently spelling it out here too.
> 
> I believe the current text is a bit confusing. Here is what it says:
> 
> Proof of possession via encrypted symmetric secrets is subject to replay
> attacks.
> This attack can, for example, be avoided when a signed nonce or challenge is
> used since the recipient can use a distinct nonce or challenge for each
> interaction.
> Replay can also be avoided if a sub-key is derived from a shared secret that is
> specific to the instance of the proof-of-possession demonstration.
> 
> This somehow gives the impression that replay attacks are only a concern for
> symmetric key techniques.
> Of course, this is not true. Furthermore, the text gives the impression that
> this attack is actually something that can be covered within the CWT-PoP
> token spec itself. This is also not the case.
> 
> For this reason I am suggesting to change the paragraph to:
> "
> CBOR Web Tokens with proof-of-possession keys are used in the context of an
> architecture, such as ACE-OAuth [REF], where protocols are used by a
> presenter to request these tokens and to subsequently use them with
> recipients. To avoid replay attacks when the proof-of-possession tokens are
> sent to presenters, a security protocol which uses nonces or timestamps has
> to be utilized.
> Note that a discussion of the architecture or specific protocols CWT
> proof-of-possession tokens are used with is outside the scope of this
> specification. "

This new paragraph is easier to understand. It addresses my feedback.

Thanks,
Roman

> Ciao
> Hannes
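The point Hannes makes above, that a proof-of-possession token by itself does nothing against replay and the freshness has to come from the protocol the token is used in, is easy to see in code. The following is an added illustration and is not code from the draft, from ACE-OAuth, or from anyone in this thread. It assumes a symmetric proof-of-possession key shared by presenter and recipient and uses a plain HMAC-SHA256 as the possession proof; it does not encode a CWT or a COSE structure. The "static" variant proves possession over the request alone and cannot tell a replay from a fresh message; the "challenge" variant has the recipient issue a distinct nonce per interaction, exactly the "signed nonce or challenge" approach the draft text describes. All names, keys and the sample request are constructed for the example.

```python
"""
Added example (not from the draft or the thread): why a PoP token alone does
not prevent replay, and how a per-interaction challenge does.

Assumptions: symmetric PoP key, HMAC-SHA256 as the possession proof, no CWT or
COSE encoding. All identifiers and sample data below are constructed.
"""
import hashlib
import hmac
import os

# Constructed sample PoP key. In ACE it would reach the presenter encrypted and
# the recipient inside the token's "cnf" claim; here both sides simply hold it.
POP_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def mac(key: bytes, data: bytes) -> bytes:
    """Possession proof: HMAC-SHA256 with the PoP key."""
    return hmac.new(key, data, hashlib.sha256).digest()


# --- Variant 1: proof over the request only, no freshness --------------------
def demonstrate_static(request: bytes, key: bytes = POP_KEY) -> bytes:
    """Presenter proves possession of the key over a static message."""
    return mac(key, request)


class StaticRecipient:
    """Checks possession but has no way to distinguish a replay."""

    def __init__(self, key: bytes = POP_KEY):
        self.key = key

    def accept(self, request: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(mac(self.key, request), proof)


# --- Variant 2: recipient issues a distinct nonce per interaction -----------
def demonstrate_with_challenge(nonce: bytes, request: bytes,
                               key: bytes = POP_KEY) -> bytes:
    """Presenter binds the proof to the recipient's challenge."""
    return mac(key, nonce + request)


class ChallengeRecipient:
    """Accepts a proof only for a nonce it issued and has not yet consumed."""

    def __init__(self, key: bytes = POP_KEY):
        self.key = key
        self.outstanding = set()  # issued nonces that are still unused

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, request: bytes, proof: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already consumed nonce: treat as replay
        if not hmac.compare_digest(mac(self.key, nonce + request), proof):
            return False  # wrong key or tampered request
        self.outstanding.discard(nonce)  # each challenge is single use
        return True


def run_scenario() -> dict:
    """Run both variants against a captured-and-resent proof."""
    request = b"GET /temperature"  # constructed sample request

    static = StaticRecipient()
    proof = demonstrate_static(request)
    static_first = static.accept(request, proof)
    static_replay = static.accept(request, proof)  # attacker resends capture

    recipient = ChallengeRecipient()
    nonce = recipient.challenge()
    proof2 = demonstrate_with_challenge(nonce, request)
    challenge_first = recipient.accept(nonce, request, proof2)
    challenge_replay = recipient.accept(nonce, request, proof2)
    # A fresh challenge cannot be answered with the old proof.
    challenge_forged = recipient.accept(recipient.challenge(), request, proof2)

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "challenge_first": challenge_first,
        "challenge_replay": challenge_replay,
        "challenge_forged": challenge_forged,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The static recipient accepts the captured proof a second time; the challenge recipient rejects it because the nonce has been consumed, and rejects the old proof against a new nonce because the proof was computed over the old one. The set of outstanding nonces grows with every issued challenge, which is why a real protocol either bounds it or uses timestamps, the other option named in Hannes' proposed text; either way the check lives in the protocol, not in the token.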