IETF Logo Mail Archive

Re: [Ace] Group Communication Security Disagreements

Michael StJohns <mstjohns@comcast.net> Fri, 16 September 2016 16:39 UTC

Return-Path: <mstjohns@comcast.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9C3A12B172 for <ace@ietfa.amsl.com>; Fri, 16 Sep 2016 09:39:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.207
X-Spam-Level:
X-Spam-Status: No, score=-4.207 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x2bDp5dueh67 for <ace@ietfa.amsl.com>; Fri, 16 Sep 2016 09:39:37 -0700 (PDT)
Received: from resqmta-ch2-08v.sys.comcast.net (resqmta-ch2-08v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37FBA12B0C6 for <ace@ietf.org>; Fri, 16 Sep 2016 09:39:37 -0700 (PDT)
Received: from resomta-ch2-09v.sys.comcast.net ([69.252.207.105]) by resqmta-ch2-08v.sys.comcast.net with SMTP id kwAobAYLM84vjkwAqbtTok; Fri, 16 Sep 2016 16:39:36 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1474043976; bh=N4nym77spwLUeIVNfTG6p+1Yj1l1OjglANH1hedIQvA=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=dRyKnIbO6oGMPUi/wCFTkX3rXYD4jyVmy89O5zm7f3jZQCxItUrBXwSamc9JYs4t6 p5f8H20rkirX23IVV7XIFOsr0aod1qxbBamB+xZ4Q3/p4jdpuvyMV7T/fvxywO12sf Q9kgKVc7vgsAgNHD/dRXIh2FevOVOtORxYW52Ixu4EW+Zl4m5Xesuhc5BCwFWFQ9Ux B7gB/tCWiT91Req+Eq++exp2bpBwmh2it/WF9CBHgxQQ+xFc0wW+lIujNCgpJqabm5 TVIdUro48VyiS8L6Vp5RMB19N1sgwc3DB4ZcuptPwC4xsiI7zoFEPuyE/UwL8U7cjf Ew0MZjyvZfYKQ==
Received: from [IPv6:2601:148:c000:1951:c183:6e85:ca72:fed] ([IPv6:2601:148:c000:1951:c183:6e85:ca72:fed]) by resomta-ch2-09v.sys.comcast.net with SMTP id kwApbVlABN3QMkwAqb3wlG; Fri, 16 Sep 2016 16:39:36 +0000
To: Eliot Lear <lear@cisco.com>, ace@ietf.org
References: <57909032.10809@gmx.net> <6d259c5b-28e3-c748-4590-0c9f942fe343@comcast.net> <378a0359-6b31-a30c-af28-8ea567b06b00@cisco.com> <57963480.2000809@gmx.net> <0d4c6d56-ebb5-2f43-d555-29c336396033@ericsson.com> <15169.1469642303@obiwan.sandelman.ca> <CAHbuEH4u=AF1LSoDq+YfLwt+VX1OOrj54331GuZmyjLswHvNnw@mail.gmail.com> <3271.1469656595@obiwan.sandelman.ca> <32aa7104-70df-80c7-8d6e-537b66716de9@comcast.net> <13663.1469714549@obiwan.sandelman.ca> <9a4153f1-6a96-0ae6-020b-0f0f966aecdf@cisco.com> <95997f84-2715-3287-39d3-45d6ff5f3ea0@comcast.net> <463a5cce-9dd1-5d68-bd97-0f08d0719960@sics.se> <HE1PR0601MB2203647255579D1B1D7C6E9EFCF10@HE1PR0601MB2203.eurprd06.prod.outlook.com> <d86dbf18-9caa-a621-aca7-ffc85317f443@cisco.com> <97bfa890-da35-8db6-9a11-207f40883e42@comcast.net> <47ad4e37-4747-0150-07da-6994b4dfb0a8@cisco.com>
From: Michael StJohns <mstjohns@comcast.net>
Message-ID: <2ae9f313-274c-0c9e-097b-8369d02b091b@comcast.net>
Date: Fri, 16 Sep 2016 12:39:35 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <47ad4e37-4747-0150-07da-6994b4dfb0a8@cisco.com>
Content-Type: multipart/alternative; boundary="------------2B88EACC0A2AA69BAE86B85B"
X-CMAE-Envelope: MS4wfK9sx2kgrdg7qWu0komkxyybATBlXWjNMmZWpudADb7Z58qOE5q6pnnTZLEiQvqbxcrIdoowcgGkgtT8w4XQRth4jfQSyChbSjaNbSaTily7TBMhgE0i k64UIsUo0Hgo5D0C2MwjUdlxmXKq4WJPAmqp+wQplxyGsv0ypdo6IAF8ll6MnNyGb25feO6obOB7dfxxENcO0bhzZoA1n7xGNEU=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/3b6baSMqnIWl-ZKVMH8EIVDtOwE>
Subject: Re: [Ace] Group Communication Security Disagreements
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2016 16:39:41 -0000

On 9/16/2016 6:03 AM, Eliot Lear wrote:
>
> Hi Mike,
>
>
> On 9/15/16 5:36 PM, Michael StJohns wrote:
>> Hi Elliot et al -
>>
>> Sorry, I think you're still missing the point:
>>
>>   * Source Authentication (A) cannot be accomplished securely by
>>     Symmetric Key Multicast  (^B):   (A -> ^B)
>>   * Cyber Physical control functions (C)  require source
>>     authentication  (A):  (C -> A)
>>   * Turning on and off lights (D) is a Cyber Physical Control
>>     Function (C):  (D -> C)
>>   * Therefore Turning on and off lights (D) requires source
>>     authentication (B):  (D -> C -> A) (D -> A)
>>   * Therefore Turning on and off lights (D) cannot be accomplished
>>     securely by Symmetric Key Multicast (^B):  (D -> C) ( C -> A) (D
>>     -> C -> A) ( D->A) (A -> ^B) (D -> ^B).
>>
>> Apologies if I got the formal logic wrong - its been a while.
>>
> All of this seems about right to me, but with two big caveats:
>
>  1. We are, I think, talking about group-based communications and not
>     necessarily group-based authorization for device control.  There
>     is a difference, albeit subtle.  One could reasonably envision
>     borrowing from lower layers to satisfy device authorization
>     requirements.
>
Sorry - we've really been talking about using symmetric key multicast 
for control functions.  (cf all the discussions on lighting control and 
the ever reducing maximum latency requirement).   Authorization is 
really about whether or not a given entity accepts and acts on a given 
authenticated message.  Trying to parse this as group comms (which I 
took you to mean "secure group comms") vs group authorization is really 
a red herring here as you can't have meaningful authorization without 
meaningful authentication and so far, we haven't gotten that far.



>  1. The question here is whether this is the right level to address
>     the problem.  And I'll ask my clarifying question again: is there
>     a more logical place to anchor identity, like above or below this
>     layer?
>

This is mostly an irrelevant question at this point.  Once we agree that 
symmetric key multiparty (N>2 or 3 in the case of a kerberos system) 
authentication is off the table, then talking about which level to put 
this reduces down to either per application  or per device and the 
associated protocols for each of those.  It's entirely possible a 
message might be authenticated by credentials at multiple protocol 
layers depending on who owns what in the mesh.

Later, Mike

> Eliot

v2.37.1 | Report a Bug | By Email | System Status