Re: [Ace] Summary of ACE Group Communication Security Discussion

Shahid Raza <shahid@sics.se> Fri, 18 November 2016 08:22 UTC

Return-Path: <shahid@sics.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6727129575 for <ace@ietfa.amsl.com>; Fri, 18 Nov 2016 00:22:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sics.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1dUihpnq7jSi for <ace@ietfa.amsl.com>; Fri, 18 Nov 2016 00:22:01 -0800 (PST)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E3241293EE for <ace@ietf.org>; Fri, 18 Nov 2016 00:22:00 -0800 (PST)
Received: by mail-wm0-x22e.google.com with SMTP id c184so3472747wmd.0 for <ace@ietf.org>; Fri, 18 Nov 2016 00:22:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sics.se; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=gk/38qoald9J1WtMCJXUyP5yxVpn9KqsBeePa1In4mU=; b=MRtYP4RWzEMcjBQTQBCIkT3WHRvcI28mGjmpF72TDvbmU3D0FwVYLiG/s00a5EtocP wCJZKLW9+hHYA48rvgunJ6If3D87ZAdEz+iD1ovPyKWkDJDT1f+rE3PQyEWow39AQLZb WuIgKblhkC7sFuklywltgjyywHU5stGz/Bvj5mIxvPnzcvGdswwEiCNRTT2JLwCgdi8q QG7Zm3nu+1Mei4dQugAgR3zdv9lzDxShbqyD+31vpkO+B15lMK/G2p//F5v4Phywd/ra NuLtl8mIPCYj0Lj/pJDoMW/P1VDirnAAp+tGRSc1ZMQ3dCH3Ml4hJcZvzuRSGbeln2A6 9bRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=gk/38qoald9J1WtMCJXUyP5yxVpn9KqsBeePa1In4mU=; b=ZhHCkRNbwyZQLEGkZuL7yej5pUXlMGV8ET1hOHig4m3wcc3aWDP6xi+ca5sZOoNYkT sXPAEhd51EGx5DSJuSrP06SYXqxkfJW2hcARxyDYDyDSW3rVJAbTD3EZGgsaCidv01Kl N0BvxzvT62yObv4FYz0GIfsGAn3Bc4i3v3lQsJmjA/oDhu5C2Fxs9jraPv+imOMJduND +wB5ErXBv0BZBx04rsppjWZAvxm4t2QZoU1yiq/kTiQoe9ZFN63LinR2qBMNAfo4Mx4c 03jjfbt2Po9O/10VPbbGl467umwxqLUMQcKUG1CIkGRv1WW14xtijMTM6qeTOS/IpLI1 sxAQ==
X-Gm-Message-State: AKaTC00ZodqSRGh3lFgjUcAOyxlsSXWG4BXkGmSQAcHsH5/jzIK2F03bXYEsJ4WMHTGYZDMv
X-Received: by 10.46.9.129 with SMTP id 123mr3628500ljj.20.1479457318726; Fri, 18 Nov 2016 00:21:58 -0800 (PST)
Received: from [10.0.1.4] (92-244-13-72.customers.ownit.se. [92.244.13.72]) by smtp.gmail.com with ESMTPSA id 33sm1883510lfy.44.2016.11.18.00.21.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 18 Nov 2016 00:21:57 -0800 (PST)
From: Shahid Raza <shahid@sics.se>
Message-Id: <18382B04-05CB-455A-A1F3-EDFE194821E6@sics.se>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1A1B7053-31A9-45E3-A438-520E3C567682"
Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))
Date: Fri, 18 Nov 2016 09:21:58 +0100
In-Reply-To: <7b1b0dd3488645c693e346b71cede1ea@VI1PR9003MB0237.MGDPHG.emi.philips.com>
To: "Kumar, Sandeep" <sandeep.kumar@philips.com>
References: <D40F1535.451DD%kepeng.lkp@alibaba-inc.com> <1cc7f243-e7f7-6ec5-7140-88c74853dc34@gmx.net> <04FDEBEF-68CF-4DC6-B760-4DFB1B87D22C@gmail.com> <b69552fc-97c1-bc8f-6282-c3d42bf081c0@comcast.net> <6108.1478988687@dooku.sandelman.ca> <187ea38f-3271-ee91-7053-3e5ecedeafea@comcast.net> <7f461eca-b294-4a4f-b8e1-ec2fe70effaf.kepeng.lkp@alibaba-inc.com> <3ccde008-1e19-718d-37bb-ed7653c60ec9@comcast.net> <c4ec1408-8453-e056-05d6-1aa4d0aeb105@gmail.com> <0C27644B-6033-4781-86D5-2FD66872CEFC@gmail.com> <dead56f965b94081bd187585d1272398@XCH-RCD-017.cisco.com> <CAHbuEH5tiYP6wYhC60jQKaDuA0V0j5nQUiKcTGhfYPp3+kzQsw@mail.gmail.com> <D4546698.6D02F%goran.selander@ericsson.com> <7b1b0dd3488645c693e346b71cede1ea@VI1PR9003MB0237.MGDPHG.emi.philips.com>
X-Mailer: Apple Mail (2.3251)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/2fdTFhfgbr9vhfw_RgJsd0bSC-U>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Rene Struik <rstruik.ext@gmail.com>, "Tirumaleswar Reddy \(tireddy\)" <tireddy@cisco.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Michael StJohns <mstjohns@comcast.net>, "ace@ietf.org" <ace@ietf.org>, =?utf-8?Q?G=C3=B6ran_Selander?= <goran.selander@ericsson.com>
Subject: Re: [Ace] Summary of ACE Group Communication Security Discussion
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Nov 2016 08:22:04 -0000

The question regarding distribution of asymmetric keys was raised in the ACE working group before under the tread https://www.ietf.org/mail-archive/web/ace/current/msg01825.html <https://www.ietf.org/mail-archive/web/ace/current/msg01825.html> , where we mentioned that SICS and neXus are working on enrollment using IoT protocols. We have already implementing this on the CA side and also on Contiki side and tested with Class II IoT devices. 

/Shahid

> On 18 Nov 2016, at 09:13, Kumar, Sandeep <sandeep.kumar@philips.com> wrote:
> 
> Hi Göran, Kathleen and all
>  
> Extending on the comment “but it seems natural to extend the KDC with this functionality”, the new version of the draft-somaraju-ace-multicast [1] submitted a week back includes now the asymmetric version as the recommended version for most application except the low latency applications (to be achieved in low resource device).
> @Kathleen: what you have asked is already in the new draft and the aspects regarding OSCOAP in [2] which can be easily merged into [1]. Are you asking for something else?
>  
> Sandeep
>  
>  
> From: Ace [mailto:ace-bounces@ietf.org <mailto:ace-bounces@ietf.org>] On Behalf Of Göran Selander
> Sent: Friday, November 18, 2016 9:00 AM
> To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com>>; ace@ietf.org <mailto:ace@ietf.org>
> Cc: Michael Richardson <mcr+ietf@sandelman.ca <mailto:mcr+ietf@sandelman.ca>>; Michael StJohns <mstjohns@comcast.net <mailto:mstjohns@comcast.net>>; Rene Struik <rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com>>; Tirumaleswar Reddy (tireddy) <tireddy@cisco.com <mailto:tireddy@cisco.com>>
> Subject: Re: [Ace] Summary of ACE Group Communication Security Discussion
>  
> Kathleen and all,
>  
> I believe all necessary drafts for a solution based on asymmetric keys are already in place.
>  
> With "a solution based on asymmetric keys” I understand a solution where each member of the group can sign messages with its private key for source authentication but where confidentiality is protected with a symmetric key shared between the members of the group.
>  
> [1] describes how to distribute and use symmetric keys, using a KDC for distributing the symmetric keys, and references OSCOAP for securing the group communication. [2] shows how to secure group communication for CoAP based on asymmetric keys as described above. As far as I understand, the only thing missing is a mechanism for distributing the public keys of the members, but it seems natural to extend the KDC with this functionality.
>  
> [1] https://tools.ietf.org/html/draft-somaraju-ace-multicast-01 <https://tools.ietf.org/html/draft-somaraju-ace-multicast-01>
> [2] https://tools.ietf.org/html/draft-tiloca-core-multicast-oscoap-00 <https://tools.ietf.org/html/draft-tiloca-core-multicast-oscoap-00>
>  
>  
>  
> However, I don’t agree with all conclusions of the asymmetric key proponents.
>  
> It is not news that asymmetric key techniques are feasible for use in many embedded device applications, but it is good that the knowledge is being spread. But execution times and message sizes may still be prohibitive for some applications. To address Rene’s question "is 64B too much?": Adding the countersignature to COSE messages such as those used in multicast OSCOAP would increase the size from the order of 20 bytes to the order of 85-90 bytes which in turn may add significant latency depending on link layer technology used, independently of processor capacity.
>  
> Without neglecting the issues raised, I do think that there is a role for symmetric key based group communication for the class of actuators in scope of [1]. I agree it is an issue if compromising one device and extracting one key let's you turn off 1000 lamps (not saying it has to, but just as an example). But that doesn't automatically turn the lightbulbs into bots.  The security considerations in this case should e.g. include things like restricting capabilities associated with the possession of a shared key. 
> 
> 
> Independent of this discussion, symmetric key solutions for these use cases will continue to be deployed. I fear we may create greater damage by not analysing and providing guidance to these use cases when applied in a symmetric key setting, at the same time as specifying an asymmetric key solution.
>  
>  
> Göran
>  
>  
>  
> From: Ace <ace-bounces@ietf.org <mailto:ace-bounces@ietf.org>> on behalf of Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com>>
> Date: Friday 18 November 2016 at 04:59
> To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com <mailto:tireddy@cisco.com>>
> Cc: Michael StJohns <mstjohns@comcast.net <mailto:mstjohns@comcast.net>>, Rene Struik <rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com>>, "ace@ietf.org <mailto:ace@ietf.org>" <ace@ietf.org <mailto:ace@ietf.org>>
> Subject: Re: [Ace] Summary of ACE Group Communication Security Discussion
>  
>  
>  
> On Thu, Nov 17, 2016 at 10:56 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com <mailto:tireddy@cisco.com>> wrote:
> Kathleen,
>  
> I will put up a proposal before the Chicago meeting.
>  
> Thank you. 
>  
> -Tiru
>  
> From: Ace [mailto:ace-bounces@ietf.org <mailto:ace-bounces@ietf.org>] On Behalf Of kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com>
> Sent: Friday, November 18, 2016 5:30 AM
> To: Rene Struik <rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com>>
> Cc: Michael StJohns <mstjohns@comcast.net <mailto:mstjohns@comcast.net>>; ace@ietf.org <mailto:ace@ietf.org>
> Subject: Re: [Ace] Summary of ACE Group Communication Security Discussion
>  
> Is anyone willing to work on a draft to be ready in advance of the Chicago meeting so we have a concrete proposal for asymmetric keys?
>  
> Thanks,
> Kathleen 
> 
> Please excuse typos, sent from handheld device 
> 
> On Nov 17, 2016, at 11:26 PM, Rene Struik <rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com>> wrote:
> 
> Dear colleagues:
> 
> Just a reminder re perceived technical hurdles for using signatures:
> a) time latency of signing:
> One can pre-compute ephemeral signing keys, so as to reduce online key computation to a few finite field multiplies. 
> Please see my email to the list of July 26, 2016: https://mailarchive.ietf.org/arch/msg/ace/iEb0XnAIMAB_V3I8LjMFQRj1Fe0 <https://mailarchive.ietf.org/arch/msg/ace/iEb0XnAIMAB_V3I8LjMFQRj1Fe0>
> b): further speed-ups/tricks, etc:
> One can try and be smarter by clever implementations.
> Please see my email to the list of July 21, 2016: https://mailarchive.ietf.org/arch/msg/ace/iI58mT_DDzKImL1LP_bUQ7TzooI <https://mailarchive.ietf.org/arch/msg/ace/iI58mT_DDzKImL1LP_bUQ7TzooI>
> 
> This seems to take the time latency argument away. The only other technical hurdles I can see are 
> (i) signature size {is 64B too much?}; 
> (ii) cost of public key crypto implementations {quite some small, nifty designs out there (NaCl etc.}.
> 
> As to (i) - one should view signature sizes in perspective: as an example, key sizes in the key pre-distribution scheme HIMMO (as promoted by Philips) has key sizes of 6.25 kB and up, according to Table 3 of the paper that massages parameters to thwart new attacks on their scheme, see http://eprint.iacr.org/2016/152 <http://eprint.iacr.org/2016/152>.
> 
> So, security arguments that favor asymmetric solutions aside, there also do not seem to be too many other objections that would hold in the world anno 2016 {except for "sunk investment" arguments", but that is a corporate mindset issue}.
> 
> On 11/17/2016 12:50 AM, Michael StJohns wrote:
> On 11/16/2016 9:08 AM, Kepeng Li wrote:
> Hello all, 
> 
> We had a long discussion about group communication security topic since the previous F2F meeting.
> 
> Hannes and I have tried to make a summary about the discussion as follows:
> 
> ·       The solution needs to define both, symmetric and an asymmetric group key solution.
> 
> 
> There is no case (absent hardware mitigation) in which a symmetric group key solution can be made secure/safe and no one has made an offer of proof that they can make it secure.    I've asked repeatedly - no one has come forward with more than "oh we can lock the symmetric key stuff in a corner and make sure it isn't used for anything important".
> 
> 
> Given the recent attacks on the internet by IOT botnets, there is a further consideration that should be undertaken - whether the symmetric group key solution applied to 10s of 1000s of IOT devices is an active threat to the rest of the internet (e.g. enabling DDOS, cyber physical issues, etc)?
> 
> The multiparty (group) symmetric key solution is only wanted for a single corner of the solution space - low latency, no cost systems.  E.g. lightbulbs.  Given there is a worked example of the insecurity of multiparty symmetric key systems (e.g. the attack on the symmetric signing key of the HUE lights), I'm unclear why anyone at all would think that pursuing a known bad solution in the IETF is a good idea.
> 
> 
> ·       The security consideration section needs to explain under what circumstances what solution is appropriate.
> 
> 
> Security consideration sections generally only address the threat *to* the system from security choices.  In this case, symmetric key group comms reduces down to the same security analysis you would use with shared default passwords across 1000s of devices.   An IOT security consideration section in the future probably needs to address the threat *FROM* the IOT solution to the broader internet.
> 
> Mike
> 
> 
> 
> If this is not accurate, please let us know.
> 
> Kind Regards
> Kepeng & Hannes
> 
> BTW: it is a pity that I can't attend this meeting due to personal reasons, and hope you all have a nice meeting in Seoul!
> 
> 
> 
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org <mailto:Ace@ietf.org>
> https://www.ietf.org/mailman/listinfo/ace <https://www.ietf.org/mailman/listinfo/ace>
>  
> 
> 
> 
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org <mailto:Ace@ietf.org>
> https://www.ietf.org/mailman/listinfo/ace <https://www.ietf.org/mailman/listinfo/ace>
>  
>  
> 
> -- 
> email: rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
> _______________________________________________
> Ace mailing list
> Ace@ietf.org <mailto:Ace@ietf.org>
> https://www.ietf.org/mailman/listinfo/ace <https://www.ietf.org/mailman/listinfo/ace>
> 
> 
>  
> --
>  
> Best regards,
> Kathleen
> 
> The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.
> _______________________________________________
> Ace mailing list
> Ace@ietf.org <mailto:Ace@ietf.org>
> https://www.ietf.org/mailman/listinfo/ace <https://www.ietf.org/mailman/listinfo/ace>