Re: [Ace] EST over CoAP

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Tue, 15 May 2018 20:07 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97AD412E882 for <ace@ietfa.amsl.com>; Tue, 15 May 2018 13:07:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5dHK9C53nR9h for <ace@ietfa.amsl.com>; Tue, 15 May 2018 13:07:47 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C997612D956 for <ace@ietf.org>; Tue, 15 May 2018 13:07:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=35334; q=dns/txt; s=iport; t=1526414866; x=1527624466; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=66ZNyp0V9rUjBuBJTU+boRlI7ogwJm65pP4prPQgaKk=; b=M653Vj4SbkFW3u1EMayzqkxHv/k8ewcJ5w7fDB3RU1lzp+buW5TDGU9P 9wRSvdVxkPkhER2x4xE4fXUGj0tEt5hyTtb7vfcZlEXiEDeQRbifhDqeY S2TkDmt3ZrZ/Q+dtdH4ltgmZKFmDPDJKXr+ZuFlVqQG3SeRf45vUZ/ntH Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AfDQC9Pfta/5JdJa1TCRkBAQEBAQEBAQEBAQEHAQEBAQGCTUsrYXwoCpg0LoF5gQ+TMhSBZAslhEcCgxghNhYBAgEBAQEBAQJsHAyFKAEBAQICLUMCFwIBCBEEAQEhAQYHMhQJCAEBBAEJCQiDHT9cZA+uD4hJgiIFhnIQJn2BVD8laoIMf4I2OSIBAQECgSEJAQgKAQlMhR4ChyAIiWKHLwkChWWFOYMqgT4ag0yCX4R2iVeGZwIREwGBJAEjAi9hcXAVO4JDgzEBAgqCPoRZO4U+bwELB4x/gR+BGAEB
X-IronPort-AV: E=Sophos;i="5.49,404,1520899200"; d="scan'208,217";a="114427859"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 May 2018 20:07:45 +0000
Received: from XCH-RCD-009.cisco.com (xch-rcd-009.cisco.com [173.37.102.19]) by rcdn-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id w4FK7jl2013205 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 15 May 2018 20:07:45 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-RCD-009.cisco.com (173.37.102.19) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 15 May 2018 15:07:44 -0500
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1320.000; Tue, 15 May 2018 15:07:44 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: EST over CoAP
Thread-Index: AdPrYipD0kyce1IOREqwxYCd2nFDSgAKCPZwAACDJXAAAGyyQAAlwdwAAAwByGA=
Date: Tue, 15 May 2018 20:07:44 +0000
Message-ID: <e6e07b2a458e4417a18027d592db0b2b@XCH-ALN-010.cisco.com>
References: <VI1PR0801MB21122D93F906F952E5E85C87FA9C0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <a4d27053f1d2431abee07d2597e14972@XCH-ALN-010.cisco.com> <VI1PR0801MB21125B520BA3DE027A49AFA6FA9C0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <b1f75e92b9f34235b5922847e9595ad1@XCH-ALN-010.cisco.com> <VI1PR0801MB2112BB24EA1AD68B1EEA0DB5FA930@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB2112BB24EA1AD68B1EEA0DB5FA930@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.108.4]
Content-Type: multipart/alternative; boundary="_000_e6e07b2a458e4417a18027d592db0b2bXCHALN010ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/7aoa9aflUANfJsv2_vF8JtNTanM>
Subject: Re: [Ace] EST over CoAP
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 May 2018 20:07:51 -0000

Agreed. I see your point. I had read your whitepaper sometime back I think. Indeed ACE-Oath, or LWM2M KDC, or OCF DOXS could provide address the credential management issue. But I don't think we can tell endpoints that they are on their own unless they get the right hardware or they comply with the ACE-OAuth model, or DOXS.

EST server-side key gen is free in a sense does not require new entities. We are not introducing a new concept. If your EST-coaps server supports it, you could use it. But you do not need to even implement the server-side EST URI unless you want to. And of course server-side key gen does not address the whole credential issue which includes token, certs, raw public keys. It just gets an identity/priv keypair to the device.

Your feedback brings up good points, which I think we ought to elaborate on in the relevant sections and in the Security Considerations.



From: Hannes Tschofenig [mailto:Hannes.Tschofenig@arm.com]
Sent: Tuesday, May 15, 2018 4:27 AM
To: Panos Kampanakis (pkampana) <pkampana@cisco.com>; ace@ietf.org
Subject: RE: EST over CoAP

Hi Panos,

I would say forget class 1 devices when you want to use public key crypto.

https://factorable.net/paper.html (and https://jhalderm.com/pub/papers/https-imc13.pdf  since it revisits the earlier analysis) was a problem with understanding where the entropy comes from. If you take a regular desktop Linux and remove keyboard, mouse, disk drive, complex process scheduling etc. then the ordinary entropy sources are suddenly gone. That was the problem identified in that paper.

I am worried about keys across devices. For this reason we have standardized protocols to allow you to provision devices with new keys. Here is a whitepaper published not too long ago that discusses the issue, see https://www.omaspecworks.org/wp-content/uploads/2018/03/IPSO-IoT-Credential-Management_Final.pdf

I believe you would agree with me that there is a lot of value in the public key crypto since you don't have to expose the private key. If your design suddenly still requires this then you are losing some of the good properties of public key crypto systems.

Ciao
Hannes

From: Panos Kampanakis (pkampana) [mailto:pkampana@cisco.com]
Sent: 14 May 2018 21:24
To: Hannes Tschofenig; ace@ietf.org<mailto:ace@ietf.org>
Subject: RE: EST over CoAP

Your recommendation about having the right hardware is valid and what everyone should do as much as possible. What about Class 1 OEMs that cannot add the hardware you are recommending? Or even the ones that will not comply with the recommendations for their own reasons? We can't forget about those.

Is the vulnerability that you were referring to that the RA or CA have to generate the key? Trust of these entities needs to be established or this model falls apart anyway. It is up to the admin to decide if it trusts the Registrar will not store and reveal the private keys or generate insecure keys on the device itself. I am more concerned about this vulnerability https://www.kb.cert.org/vuls/id/566724 where some thousands of devices have the same identity and now they can all impersonate each other in my network as shown in https://jhalderm.com/pub/papers/https-imc13.pdf and https://factorable.net/paper.html

We agree on the other ephemeral keys used in secure communications. Good hardware would solve these issues. Without secure hardware some of these communications could be decrypted assuming the right resources. Even though, decrypting some data per connection is a concern, I don't think that the risk is as high as a compromised identity. Also, the former concern does not mean we should not have an option to eliminate the latter.

About the Proxy section 6, I would like to see comments about in in the next iteration, as we have updated to try to address some of these comments.

From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Monday, May 14, 2018 10:14 AM
To: Panos Kampanakis (pkampana) <pkampana@cisco.com<mailto:pkampana@cisco.com>>; ace@ietf.org<mailto:ace@ietf.org>
Subject: Re: [Ace] EST over CoAP

Hi Panos,

Thanks for sharing this info.

Regarding the randomness requirement and the energy consumption. We have been a bit advocate for adding hardware-based random numbers to devices since randomness is a basic requirement for most security protocols.
You do not only need to have access to random numbers during key generation but also later when you use nonces, a DH exchange, create session keys, and IVs, and potentially even for signature generation. If you use a protocol that is not based on nonces then you may use one that relies on timestamps, which may not make the story necessarily easier.

Random number key generation is also not necessarily costly either (neither in terms of energy cost nor in terms of hardware costs).

Hence, I think you should consider the server-side key generation very carefully since you are essentially destroying the benefits of public key crypto and introduce a big vulnerability.

In a nutshell, I think you are better of recommending OEMs to select the right hardware for the given task.

Ciao
Hannes

PS: For the proxy work (in context of DTLS/TLS) you might want to reach out to your co-worker Owen Friel.

From: Panos Kampanakis (pkampana) [mailto:pkampana@cisco.com]
Sent: 14 May 2018 15:58
To: Hannes Tschofenig; ace@ietf.org<mailto:ace@ietf.org>
Subject: RE: EST over CoAP

Hi Hannes,

To address your question about server-side key gen, below is the explanation we have put in the draft already and will be in the next iteration
~~~~~~~~~~~~~
   Constrained devices sometimes do not have the necessary hardware to
   generate statistically random numbers for private keys and DTLS
   ephemeral keys.  Past experience has shown that cheap endpoints
   sometimes generate numbers which could allow someone to decrypt the
   communication or guess the private key and impersonate as the device.
   Studies have shown that the same keys are generated by the same model
   devices deployed on-line.

   Additionally, random number key generation is costly, thus energy
   draining.  Even though the random numbers that constitute the
   identity/cert do not get generated often, an endpoint may not want to
   spend time and energy generating keypairs, and just ask for one from
   the server.

   In these scenarios, server-side key generation can be used.  The
   client asks for the server or proxy to generate the private key and
   the certificate which is transferred back to the client in the
   server-side key generation response.
~~~~~~~~~~~~~

This is a need that we have heard from customers at Cisco.

About the proxy-Registrar question, we already have made the change in the working copy of the draft as well. We no longer call this functionality proxying, but instead use the concept of the registrar that terminates the connection and establishes the next one.

We didn't add any new features in the doc after removing the BRSKI stuff.

If you want an early preview to comment on, we can share the repository with you.

Panos

From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Monday, May 14, 2018 5:05 AM
To: ace@ietf.org<mailto:ace@ietf.org>
Subject: [Ace] EST over CoAP

Hi all,

At IETF#101 Peter presented a list of open issues with the EST over CoAP draft, see
https://datatracker.ietf.org/meeting/101/materials/slides-101-ace-est-over-secure-coap-00


-        Operational parameter values

-        Server side key generation using simple multipart encoding

-        Explain trust relations for http/coap proxying

I have challenged the usefulness of the server-side key generation during the meeting but in general I am curious where we are with the document. It would be great to get it finalized. It appears that we are adding new features and therefore will not be able to complete the work in any reasonable timeframe.

So, do we have a plan for how to complete the document?

Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.