Re: [Ace] Replay ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02

Roman Danyliw <> Tue, 26 June 2018 01:57 UTC

From: Roman Danyliw <>
To: Hannes Tschofenig <>, "" <>
Thread-Topic: Replay ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02
Thread-Index: AdQJ+lWc2W0LPLoES1iMKd72DvNSVQC9mhKQ
Date: Tue, 26 Jun 2018 01:56:55 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC014C3F3C1F@marathon>

Hi Hannes!

> -----Original Message-----
> From: Hannes Tschofenig []
> Sent: Friday, June 22, 2018 9:36 AM
> To: Roman Danyliw <>;;
> Subject: Replay ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02
> Hi Roman,
> Thanks for your review.
> As I was re-reading the reviews I spotted this comment:
> > (14) (Editorial) Page 8, Section 4, Per "Replay can also be avoided if a sub-key
> > is derived from a shared secret that is specific to the instance of the PoP
> > demonstration." PoP is spelled out everywhere else in this draft but here.
> > Yes, the acronym is defined, but for readability, I recommend against using
> > it and consistently spelling it out here too.
> I believe the current text is a bit confusing. Here is what it says:
> Proof of possession via encrypted symmetric secrets is subject to replay
> attacks.
> This attack can, for example, be avoided when a signed nonce or challenge is
> used since the recipient can use a distinct nonce or challenge for each
> interaction.
> Replay can also be avoided if a sub-key is derived from a shared secret that is
> specific to the instance of the proof-of-possession demonstration.
> This somehow gives the impression that replay attacks are only a concern for
> symmetric key techniques.
> Of course, this is not true. Furthermore, the text gives the impression that
> this attack is actually something that can be covered within the CWT-PoP
> token spec itself. This is also not the case.
> For this reason I am suggesting to change the paragraph to:
> "
> CBOR Web Tokens with proof-of-possession keys are used in context of an
> architecture, such as ACE-OAuth [REF], where protocols are used by a
> presenter to request these tokens and to subsequently use them with
> recipients. To avoid replay attacks when the proof-of-possession tokens are
> sent to presenters a security protocol, which uses nonces or timestamps, has
> to be utilized.
> Note that a discussion of the architecture or specific protocols CWT
> proof-of-possession tokens are used with are outside the scope of this specification. "

This new paragraph is easier to understand. It addresses my feedback.


> Ciao
> Hannes
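The two replay defences named in the quoted Section 4 text (a distinct challenge per interaction, and a sub-key derived per instance of the proof-of-possession demonstration) as an added example in Python; this is not code from the draft or from the ACE working group, and it only models the recipient-side protocol logic that Hannes places outside the token spec. The `"pop-demo"` label, the `cwt-pop-subkey:` HKDF info prefix, the context layout and the class names are constructed for this illustration.

```python
"""Replay resistance for a symmetric proof-of-possession (PoP) exchange.

Added illustration; not code from draft-ietf-ace-cwt-proof-of-possession.
The "pop-demo" label, the HKDF info prefix and the context layout are
constructed for this example.
"""
import hashlib
import hmac
import secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256 (empty salt -> HashLen zero bytes)."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256, producing `length` bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkey(shared_secret: bytes, instance_context: bytes) -> bytes:
    """Sub-key bound to one PoP instance (constructed context: ids and a nonce)."""
    prk = hkdf_extract(b"", shared_secret)
    return hkdf_expand(prk, b"cwt-pop-subkey:" + instance_context)


def make_proof(key: bytes, challenge: bytes) -> bytes:
    """Presenter side: MAC over a fixed label and the recipient's challenge."""
    return hmac.new(key, b"pop-demo" + challenge, hashlib.sha256).digest()


class WeakRecipient:
    """Accepts any correct MAC over a constant message: a captured proof replays."""

    def __init__(self, pop_key: bytes):
        self.pop_key = pop_key

    def verify(self, proof: bytes) -> bool:
        return hmac.compare_digest(make_proof(self.pop_key, b"static"), proof)


class ChallengeRecipient:
    """Issues a fresh random challenge per interaction and consumes it on use."""

    def __init__(self, pop_key: bytes):
        self.pop_key = pop_key
        self.outstanding: set[bytes] = set()

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, proof: bytes) -> bool:
        # A challenge is usable once; a replayed (nonce, proof) pair is rejected.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        return hmac.compare_digest(make_proof(self.pop_key, nonce), proof)


def demo() -> dict:
    """Run the weak, challenge-based and sub-key cases; return their outcomes."""
    pop_key = secrets.token_bytes(32)  # constructed: the key the token's cnf claim refers to

    weak = WeakRecipient(pop_key)
    captured = make_proof(pop_key, b"static")
    weak_first = weak.verify(captured)
    weak_replay = weak.verify(captured)  # identical bytes accepted a second time

    strong = ChallengeRecipient(pop_key)
    nonce = strong.issue_challenge()
    proof = make_proof(pop_key, nonce)
    strong_first = strong.verify(nonce, proof)
    strong_replay = strong.verify(nonce, proof)  # challenge already consumed

    # Sub-key variant: a proof made under instance A's key is not valid for
    # instance B even though both derive from the same shared secret.
    ctx_a = b"presenter-1|recipient-1|" + secrets.token_bytes(8)
    ctx_b = b"presenter-1|recipient-1|" + secrets.token_bytes(8)
    key_a, key_b = derive_subkey(pop_key, ctx_a), derive_subkey(pop_key, ctx_b)
    proof_a = make_proof(key_a, b"")
    subkey_ok = hmac.compare_digest(make_proof(key_a, b""), proof_a)
    subkey_cross = hmac.compare_digest(make_proof(key_b, b""), proof_a)

    return {
        "weak_first": weak_first, "weak_replay": weak_replay,
        "strong_first": strong_first, "strong_replay": strong_replay,
        "subkey_ok": subkey_ok, "subkey_cross": subkey_cross,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The first pair of results shows the problem the original paragraph describes (a static proof verifies again when captured and resent); the challenge-tracking recipient and the per-instance sub-key each break that, which is exactly the kind of freshness the surrounding security protocol, not the token format, has to supply.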