Re: [Ace] ACE Implementation for Disadvantaged Environments

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 28 January 2019 15:19 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6095C127598 for <ace@ietfa.amsl.com>; Mon, 28 Jan 2019 07:19:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxWuiDX999Hs for <ace@ietfa.amsl.com>; Mon, 28 Jan 2019 07:19:04 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on0619.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::619]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03F87129A87 for <ace@ietf.org>; Mon, 28 Jan 2019 07:19:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WGt7TOVJ5bdpsofL4n0SRPjEbN3XJnX/dVUF1YoK60w=; b=V53ThfBoINMwPvh7SPZfn/mVyPsAwAb5w8dHC+57DSJPAQbeLNeqLVFEQitE2lSXdM8CQYs0ZpwNKgY9UaU4CB0NfzwlBvLe8cH8XdilLTZg+2fTDoei8tyQwrpXSLSbGMEwo+duWSmnso/4vyt/j/QmTTqgZuYbLHW8Y+gouaQ=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1854.eurprd08.prod.outlook.com (10.168.68.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1558.21; Mon, 28 Jan 2019 15:18:59 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::3ce6:d8fa:3271:6019]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::3ce6:d8fa:3271:6019%7]) with mapi id 15.20.1558.023; Mon, 28 Jan 2019 15:18:59 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Sebastian Echeverria <secheverria@sei.cmu.edu>
CC: Grace A Lewis <glewis@sei.cmu.edu>, "ace@ietf.org" <ace@ietf.org>, Dan Klinedinst <djklinedinst@cert.org>
Thread-Topic: ACE Implementation for Disadvantaged Environments
Thread-Index: AQHUs0cwxz8vJeWIVUGFns83Bt0/66XEercQgAA76QCAABjZAIAAAtXQ
Date: Mon, 28 Jan 2019 15:18:59 +0000
Message-ID: <VI1PR0801MB21120BD915B4E99352EC25F9FA960@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <11C08BF5-0060-459C-99DC-EABEA88DF44B@sei.cmu.edu> <VI1PR0801MB211293C28BD614D6CD8D7254FA960@VI1PR0801MB2112.eurprd08.prod.outlook.com> <0FCF1038-D6C8-4C25-9B4C-E493EB817592@sei.cmu.edu> <7387610A-D857-49FE-9964-77D54CDDA2F4@sei.cmu.edu>
In-Reply-To: <7387610A-D857-49FE-9964-77D54CDDA2F4@sei.cmu.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.119.167]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB1854; 6:OPkbquPStTmYpxCRrKGeHXdatytB8SlRW0H9EUXu1zDyiO5fJSq+G08uuDCoKjCpjfdbdl+dJc5W0abGS96MVSpVK+KVwv+iR0ljkIhc9z5uX3q+olxiVM1HA6ni4VrAAY3Kl+qc07gwOEbnhO3lQSZ7PDcKLeIsFPNtpHiNyRfFAjYZ1bkosTAscxAhJGUHzFWrxL2k+qQnxE+ET65F4EzbhSSXulKQMUK/aG4E+owOlFJWiNgXleJ4P99xfEzRzklJYREXFH65Q27r4mcRxwQvM6vWBigGqnpdPudN7GxBidQQjOnpq6yiUSVF1oBWPFITeStnZQf0vaExBGvlWuWutPE/iURDJuNKV89+IDmcYEHs21AGXqeU3pCd5K6AN8BDQOvZ9ZFqSwXnGotsG6zrk5WL/HlQOtOc5ye+8JOA6dPV62J2fsJ/wf9cgGJfFHNvOBCuow4iFHpybDeHHg==; 5:Gwsqr5Dq9345Hu54OOwpPLTJVQS5wCXNX13XqhpQvFyPJnP16mJ9UDdOKjeO+W1AGuOfnV+vQxGWPewzrMFf1SoGe1+MadVQ3oxInXv0ynifWzunLDT9gvevTuXeFazbYN72tcsCcYC/qqKPMIpTXMtODAr/SPImqdolsz3sB5kGp+hIqIkrBzoj16XcUSUXhoo6ZaEjfjCh1fQpUhRtHw==; 7:/0+d7UxyzmlD/9M5EdjNIUsUUVm/ZEQEbs5K9DSRN2Pgqn5oYkzLbGqfsl66QiGQVmEng9gpPuY4rwtOk7VNpKDzKmoatCSBdQr4GyUoWArLMqStjmGzPA/mOMYyx4uCg20f99N95KqwxufCTtoL4Q==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: f06062ea-4e42-4940-cc1f-08d68533edbc
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(4618075)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1854;
x-ms-traffictypediagnostic: VI1PR0801MB1854:
x-microsoft-antispam-prvs: <VI1PR0801MB185491D8064645FB44B33D32FA960@VI1PR0801MB1854.eurprd08.prod.outlook.com>
x-forefront-prvs: 0931CB1479
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(376002)(346002)(39860400002)(136003)(396003)(51914003)(189003)(199004)(40434004)(6116002)(229853002)(66066001)(26005)(966005)(97736004)(3846002)(790700001)(6916009)(72206003)(53936002)(6506007)(53546011)(102836004)(2171002)(4326008)(14444005)(2906002)(5024004)(6246003)(6436002)(68736007)(606006)(25786009)(14454004)(55016002)(186003)(478600001)(256004)(9326002)(54896002)(6306002)(236005)(9686003)(8936002)(54906003)(106356001)(105586002)(74316002)(7736002)(86362001)(316002)(8676002)(93886005)(71200400001)(71190400001)(76176011)(7696005)(99286004)(11346002)(446003)(476003)(33656002)(81166006)(486006)(81156014); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1854; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: cNLe9+OuDrQKcn/PmQMTpFnzjKS5fYbjS99SXQlO/3P3xiA0la4TYCoyHWloV5f/yi6GssEA+3cXoy3V8DgNK+OAenAoeOi3BczvCXK7RiotzJLvqMzwRN/AlYkUI80itwXha2VtUJIpcKoRsa1p+S3ewfavT1Lffd3JI27ai5nQ2TfvMs2VrykSeBB0vbkM+2/gFPi2/HbLodNRms5u7U5aFeaJF0i9zJHXeipbjSBAVPw28HvLP8qkdx6aqV9mzLnVKLa5DmUX4tK5yobOR/yh2SuZ00IVEn6EhOTHk3ZF1Fr4VsysKgVMX8EjHMXNSCHScjj0gZsXJFoIOKtt+9x0G/v6P6eC3Y6TBkzsEu8lYfybTfKw2PPaXpC78h8zFWsdmDHHIpXhyzIVDVbLnrP9v2uIR2cv3PzgNUtGPbI=
Content-Type: multipart/alternative; boundary="_000_VI1PR0801MB21120BD915B4E99352EC25F9FA960VI1PR0801MB2112_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f06062ea-4e42-4940-cc1f-08d68533edbc
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jan 2019 15:18:59.6653 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1854
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/uGbAQmBSe5bxvM588DTxRwPyP7U>
Subject: Re: [Ace] ACE Implementation for Disadvantaged Environments
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jan 2019 15:19:11 -0000

Hi Sebastian,

Thanks for the details. How easy do you think would it be to port the code to some other OS? (or in other words: how tightly have you coupled it to Contiki?)

Is the COSE/CWT parsing library separable from the rest?

For the 300 Kb flash: does this contain the firmware update mechanism?

Ciao
Hannes

From: Sebastian Echeverria <secheverria@sei.cmu.edu>
Sent: Montag, 28. Januar 2019 16:06
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Grace A Lewis <glewis@sei.cmu.edu>du>; ace@ietf.org; Dan Klinedinst <djklinedinst@cert.org>
Subject: Re: ACE Implementation for Disadvantaged Environments

Hello,

Here is some more information about it:


  *   We used Contiki as the base/OS for the code. More specifically, we forked from the 6lbr project (https://github.com/cetic/6lbr), as that version already had some code for handling DTLS connections and AES encryption in it.
  *   We are using the TI CC2538dk board as our constrained target platform.
  *   The implementation has support for the DTLS profile, using pre-shared keys, as this was enough for our use case.
  *   The implementation handles CWT tokens.
  *   We modified the Erbium CoAP server in 6lbr to be able to simultaneously listen for CoAP and CoAPs connections (using TinyDTLS underneath).
  *   The implementation uses the cn-cbor library for decoding CBOR data.
  *   The implementation supports receiving tokens at the authz-info endpoint, and then giving access to a couple of sample resources based on the claims from the received tokens.
  *   The implementation has some additional optional features related to our disadvantaged network environments, such as bootstrapping of the PSK credentials, and detecting revoked tokens through introspection.
  *   The current binary is around 300 kb, which is good enough for the 512 kb flash on the TI boards, though it may be a bit too large for a class II device. We can probably make it a bit smaller. In terms of RAM, it fits in the 32 KB available on the TI boards.

Best,

---
Sebastian Echeverria
Tactical Technologies Group (TTG)
Software Engineering Institute
Carnegie Mellon University



From: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Date: Monday, January 28, 2019 at 5:05 AM
To: Grace Lewis <glewis@sei.cmu.edu<mailto:glewis@sei.cmu.edu>>, "ace@ietf.org<mailto:ace@ietf.org>" <ace@ietf.org<mailto:ace@ietf.org>>
Subject: RE: ACE Implementation for Disadvantaged Environments

Congrats to the work. Could you say a little bit the (constrained) resource server implementation?

Ciao
Hannes

From: Ace <ace-bounces@ietf.org<mailto:ace-bounces@ietf.org>> On Behalf Of Grace A Lewis
Sent: Mittwoch, 23. Januar 2019 19:12
To: ace@ietf.org<mailto:ace@ietf.org>
Subject: [Ace] ACE Implementation for Disadvantaged Environments

Hello,

I just wanted to make the group aware of our ACE implementation (SEI-ACE), which includes an implementation for a resource-constrained server.

Details available in this news article: https://www.sei.cmu.edu/news-events/news/article.cfm?assetid=539184

Article includes the link to our Git repo.

Enjoy!

- Grace Lewis

______________________________________________
Grace A. Lewis, Ph.D.
Principal Researcher and TTG Initiative Lead
Carnegie Mellon Software Engineering Institute
Software Solutions Division (SSD)
Tactical Technologies Group (TTG)

4500 Fifth Ave. #5412
Pittsburgh, PA 15213
Phone: (412) 268-5851
http://www.sei.cmu.edu/staff/glewis

“A change in perspective is worth 80 IQ points” --- Alan Kay
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.