IETF Logo Mail Archive

Re: [Ace] Assignment of OSCORE Sender and Recipient IDS - was RE: Review of draft-ietf-ace-oscore-profile

John Mattsson <john.mattsson@ericsson.com> Wed, 09 September 2020 08:43 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB9153A1133 for <ace@ietfa.amsl.com>; Wed, 9 Sep 2020 01:43:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.898
X-Spam-Level: **
X-Spam-Status: No, score=2.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_SUMOF=5, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K1yAg6YmS3ZW for <ace@ietfa.amsl.com>; Wed, 9 Sep 2020 01:42:59 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70085.outbound.protection.outlook.com [40.107.7.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD0133A1132 for <ace@ietf.org>; Wed, 9 Sep 2020 01:42:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kAkA/kfPA+hA2uA3ibYA5lqWihj5b4vve6rjD5ksPA8NcJ1ruQI2+Kua660woTauUUTrYWDOH1KtT4oY3eCITVtm/Ggb18lNN9UPje9JW7K8y90wDqGyyOpkLwoJ6MeP3J+fOOSWE/4Ofzo/dKZMmRUodIC1So+QdqBSOhuCecFId7eyEGq8Rmp5W42wscKqLyAqFKwPej9afshwdbVu/s5jCC+31G+ojw+v6rjOyaiLbe57qEzQcd6fWVVT/hgEC1Q9bRXIazey93AlQWVwq7VG9FiANHBXhWnbF3T7VeCIe0vzfMy3tyF+fghW5blHsCqBfBA9glGL80jp/9dyXw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IMcQ4IqIXsX3IvCZ7YF801jvP6lV46yEvvB45aV88m4=; b=mKUTW3zmUUhWkeeqSjzGZGEUBqYGYm3VacevrLFlAxHnsbsvcZzWz0kVQLiObjuAwIaY90rIfw7K+vnCdWa9GHCq2fV3PcWYtor8qSOYclAtedQMbKgz4IAUeYYmXISulDAOlKa7C80HSwL/XLJ3ar+gRXKNXv+ZLZL6cAkXKT7o6c7Y61HWEEIfztOHD152rIjmpEP5qZdkmPP7O4gZHQsm8I74S+7qlP1qo+ZmlMTKzuGvm0p2Nfcwf5obfIOdcLzvWyXrwijp5Ccj07CocEfBBDn6oEeAYcUXHVkk77RJSYRT9KSjg1sueoYRvLt2yLjenEg0ifHEDpZOZGmgWg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IMcQ4IqIXsX3IvCZ7YF801jvP6lV46yEvvB45aV88m4=; b=PUTq6wZOHvaGSlX6P+SKaHi27HupkeCHG/6gku9cpIaMF5yIPjIdmC9553K/CcEHhwUtfVb+DY1NSTWc7Nnbt4FXoYbJSfkmnC8j4ebWUDGZMYwsgKvuTcFaqAt+/knaQqUUDtxjoPBOEUZWSASr8TIElXIlJUONtdf1zSPBiLo=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AM6PR07MB5028.eurprd07.prod.outlook.com (2603:10a6:20b:5f::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.7; Wed, 9 Sep 2020 08:42:54 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::4027:7312:e764:73eb]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::4027:7312:e764:73eb%2]) with mapi id 15.20.3370.015; Wed, 9 Sep 2020 08:42:54 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: Assignment of OSCORE Sender and Recipient IDS - was RE: [Ace] Review of draft-ietf-ace-oscore-profile
Thread-Index: AdaFLNwpor4ozS75SEKzMFVlQJstfQAlk7MAABu2JQAAGP1eAA==
Date: Wed, 09 Sep 2020 08:42:54 +0000
Message-ID: <05534D5D-4C09-4190-AC14-790052591E0C@ericsson.com>
References: <029401d68553$6ffa4220$4feec660$@augustcellars.com> <595F96C4-4605-41ED-8173-CBBC77959F65@ericsson.com> <031001d68632$05772730$10657590$@augustcellars.com>
In-Reply-To: <031001d68632$05772730$10657590$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: augustcellars.com; dkim=none (message not signed) header.d=none;augustcellars.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [192.176.1.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 27d9794f-1065-4175-e618-08d8549c5878
x-ms-traffictypediagnostic: AM6PR07MB5028:
x-microsoft-antispam-prvs: <AM6PR07MB5028AD60CE679E9A3283474F89260@AM6PR07MB5028.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: EhHn+Dbq8r5v0cXC7m24iXWytyV+XHAhcrw5CRp7aw3r8wQ0cMjLPkkwTAkuR9YazrEj92tBc4BIKSWhdYvAwlGuxwqi7VU3bIewFRmjjuS1HQ3rjoNzRr1xto5TDpSiUWRg6yMhsCVHOdUSH0XxzlzHPsY3nOEU/6fAlsedd7gnac1GnYVbbSx4J4PcYUL5F4QhGW1cDOZsqjZ0sbuvTcvFnJvOL8lhzJxtDSDevNuCMOSP5/Xx5OtWxJlC2+azU/W7CyfiPmK6brQ2iUni2G15lmSppFndmESaPZik1yt7X2KSy+KTTNEtteGvNhaOT06RFoB62wXwc+62Tz2A5sfpxzK6EiK49awASRWbtxKgUNhu2zJeEvUbqnz++Dq77/p+wR8ShaSeJlQx8CVtnw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(366004)(396003)(39860400002)(136003)(346002)(6512007)(110136005)(2906002)(53546011)(6506007)(478600001)(83380400001)(966005)(66574015)(26005)(2616005)(8936002)(86362001)(186003)(44832011)(66946007)(316002)(66556008)(66476007)(66446008)(8676002)(64756008)(30864003)(5660300002)(6486002)(71200400001)(76116006)(91956017)(33656002)(36756003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Q/Mu59Ou1lX96UgbnbAijGPEglA7486O4U8r3RVW7GhstZbVy57v2ztOw0tAjg4j+Vq7mDogJd2OeK8Zta8kXOUhVHSV35YjIdzqaJdVkssWwZ/81Tq4mMDmSgtOV6LFrbWjKfwxtw2eS+P0Tw0CvjelVOjOak+JCb7sMpmo6bePbyvR4irX+Le+kpc4dVI1DJ46dxvkkKBL8B0jNxeUifMfoVQx81mYEU2mYFXFIa+7idlwO2EAPCk8e7oFX6sKetxZxU+CDtEuVd+OLWu8VnGO3L3Ucvdc5hP1Uo3AYCNzx+9EF7dI0GZzVFLz3MmyyLIXAFXpQvGqOZ1mH24rr9I+Pai2kiVwGMjzihI68R03dkhkkFETCTu57tZIz1P4dV++mXTUeQFblwrxQHpVpjMRsLTd/JYfITEW0n6mA4BLNOEtXCI/35tn4mv6cKI/7QEVc28JoTVbOyuunj+pF/+gdHegGGk7L+bFczt1N0enhapIAuuhQaV3PgvyLCR9c0xnMGp6zUubFgWWWEBE2TV2UoMikKCuhN9BD6ZdVB7hljhRqgYxYauEvduMOhSYzBvHm9GYuCM4nBaaNeu83lSo6ZoayRRoT7YIy/sjz8Yom/Nq2jMf1H16lOXHD55aDguMyUFqoyKOjeAmJeoDEA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <3730F1F0EECBAA40AB5BC9464C7AF391@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 27d9794f-1065-4175-e618-08d8549c5878
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Sep 2020 08:42:54.8425 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: qsqnRMjrorvrKPZU26M2810Rg0LKsucQhAlFg7mkO3iQk1/PIBYLaeHx5kW0BUYbHdKXbFhjrUueVEGW3/DGpAwMFaVy6GYg9pOOZdSO6Rk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB5028
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/A60CFIvUohBwAXi_JuMKkQanZak>
Subject: Re: [Ace] Assignment of OSCORE Sender and Recipient IDS - was RE: Review of draft-ietf-ace-oscore-profile
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2020 08:43:01 -0000

I agree very much with you Jim regarding the use on symmetric keys, and I think this is something IETF needs to work with in the future. I think a lot of IETF groups and drafts are using way too much symmetric keys for authentication and key exchange. There seems to be a belief that symmetric keys are needed for constrained IoT, which is not the case. Asymmetric authentication and key exchange can be achieved in similar message sizes to PSK authentication. E.g.

- method type 3 (static DH Key + static DH Key) in https://tools.ietf.org/html/draft-ietf-lake-edhoc-01

- static-static Diffie-Hellman shared secret in https://tools.ietf.org/html/draft-ietf-core-oscore-groupcomm-09

There are also very efficient ECC implementations taking up just a few kB.

Two-party authentication with symmetric keys comes with privacy problems, and symmetric groups keys does not provide authentication of the peer, just group membership. Symmetric key exchange does not provide PFS. Symmetric keys also comes with severe deployment problems.

While there are cases where asymmetric cryptography requires too much storage, memory, message sizes, or processing (latency), these are exceptions and should not be the default.

I see a limited need for symmetric authentication or key exchange in new systems, and I think the use should be clearly motivated. The main reason to use symmetric keys is in my view legacy interop.

John

-----Original Message-----
From: Jim Schaad <ietf@augustcellars.com>
Date: Wednesday, 9 September 2020 at 00:48
To: John Mattsson <john.mattsson@ericsson.com>, "ace@ietf.org" <ace@ietf.org>
Subject: RE: Assignment of OSCORE Sender and Recipient IDS - was RE: [Ace] Review of draft-ietf-ace-oscore-profile

Hey John, comments in line commented with JLS2

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com> 
Sent: Tuesday, September 8, 2020 12:34 AM
To: Jim Schaad <ietf@augustcellars.com>; ace@ietf.org
Subject: Re: Assignment of OSCORE Sender and Recipient IDS - was RE: [Ace] Review of draft-ietf-ace-oscore-profile

Hi Jim,

I agree with most of what you say. Below are some additional comments on some of the bullets.

[JLS]  I'll start with what I said on the mailing list - this problem was discussed previously on the mailing list and in person and it was decided that it did not need to be fixed.

[JM] My understanding from Francesca and Göran is that neither migration path to e.g. EDHOC nor systems where the nodes change roles have been discussed before. Both have additional collision probems. How important the use cases are and how bad the collision problem would be can be discussed.

[JLS2] This may be a case of people not hearing things that they don't think are of immediate importance.  I spent a couple of years arguing about much of this.  I did not deal with the reversing situation because I am not sure that this really makes a great deal of sense for ACE in general.  The one exception would be things like revocation, but that is always going to be a single RS.


[JLS] 3) You seem to be ignoring the most practical solution to the problem, use the context identifier for name space separation.  If you have five different ASs, then simply assign a one byte context to each of them and you now have no problems with name collisions unless somebody is going to be knowingly difficult.  Similarly, you  assign each of the group key managers a one byte value which is used as the prefix to the contexts assigned by that key manager for all of the groups it manages.  I would have to look to see if one can specify a context for LAKE, but being able to do so would provide a separation for that space as well.

[JM] Yes, that is definitely a solution, but I don't think it matters if you use ID context or longer Sender IDs, it's the sum of the lengths that matter for the collision probability. I agree that you can definitely solve the collision problem by randomly assigning longer ID Context + Sender ID, potentially combined with a mechanism (as you mentioned during the interim) where the client rejects tokens that lead to collisions. This solves collision problems on with the cost of additional roundtrips and/or larger OSCORE message sizes. Both could be acceptable, but unfortunate as collision free and optimal (in terms of message size) are well-known and there seems to be no benefits of the AS dictating Sender and Recipient IDs. Both RFC 7252 and RFC 8613 is very careful to not waste a single byte.

[JLS2] Please re-read what I outlined.  I was suggesting the use of very short ID contexts which are assigned in a non-random method.  This means that the collision probability can be highly controlled and you are not using longer sender IDs that you would otherwise.  

[JLS2] One of the big advantages of the AS assigning client ids is that updated tokens will have the same client IDs so that you don't end up with having to change these because you do not recognize that it should be the same security conversation.  There are also advantages because neither party needs to make decisions about how long an ID should be good for.  The server can make those decisions for you.  

/John

-----Original Message-----
From: Jim Schaad <ietf@augustcellars.com>
Date: Monday, 7 September 2020 at 22:14
To: John Mattsson <john.mattsson@ericsson.com>, "ace@ietf.org" <ace@ietf.org>
Subject: Assignment of OSCORE Sender and Recipient IDS - was RE: [Ace] Review of draft-ietf-ace-oscore-profile



-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of John Mattsson
Sent: Saturday, September 5, 2020 5:51 AM
To: ace@ietf.org
Subject: [Ace] Review of draft-ietf-ace-oscore-profile


Major comment
-------------------

- Asignment of OSCORE Sender and Recipient IDs

I think the specified mechanism where the AS dictates the OSCORE connection parameters is unfortunate. It introduces several current and future limitations. The current assignment mechanisms only works without problems in close systems where the RS does not have any other non-AS OSCORE connections, where the CoAP client and CoAP server roles are fixed and cannot be switched, and where only draft-ietf-ace-oscore-profile is used. In systems where the OSCORE nodes can switch between CoAP client and CoAP server (a feature explicitly supported by OSCORE) the current mechanism is likely to lead to RecipientID collisions. Also in future systems where the AS also supports a more modern key management with PFS using e.g. a future draft-ace-edhoc-oscore-profile, the mechanism would not work together in an efficient way. My understanding is that the authors would like the solution to work with both role switching and EDHOC.

How to negotiate these type of connection identifiers (in this case OSCORE Sender and Recipient IDs) have been studied and specified several times in e.g. draft-selander-lake-edhoc, draft-ietf-tls-dtls-connection-id. A solution where each party choses its OSCORE recipient ID for the connection always work without collisions. Such a negotiation could quite easily be added to the roundtrip with the nonces N1 and N2. My feeling is that it would be worthwhile to do such a change. This would also require a new identifier for the OSCORE_Security_Context Object, either a new objectID or a hash of the object could be used. I think this would be a good change as the current "hack" of using the ACE client sender Id and and ID context to identify the object might lead to other future limitations.

The suggested changes would lead quite equal message sizes and storage requirements, they might even lead to some small improvements.

[JLS]  I'll start with what I said on the mailing list - this problem was discussed previously on the mailing list and in person and it was decided that it did not need to be fixed.



1) The use of the same token on multiple RS has security problems on its own that cannot be overlooked.  It is possible that we need to say that this just should not be done.  If you are using symmetric keys all around, then RS1 an impersonate C to RS2 because it has all of the necessary keying material to post the token and setup a security context.  RS1 can go farther and potentially impersonate the AS to RS2 gaining additional privileges when it impersonates C if the AS is using symmetric keys to validate tokens to RS1 and RS2.  This indicates that generally one does not want to use the same token with multiple devices.

2) I mentioned that one could use trial decryption to distinguish between multiple RS senders.  This is normally only going to require one trial due to the fact that one can use the source IP address for sorting the different security contexts for trial.  As long as you do not have address collisions or changing addresses this makes things much easier to distinguish them.

3) You seem to be ignoring the most practical solution to the problem, use the context identifier for name space separation.  If you have five different ASs, then simply assign a one byte context to each of them and you now have no problems with name collisions unless somebody is going to be knowingly difficult.  Similarly, you  assign each of the group key managers a one byte value which is used as the prefix to the contexts assigned by that key manager for all of the groups it manages.  I would have to look to see if one can specify a context for LAKE, but being able to do so would provide a separation for that space as well.

4) I am not clear why Francesca thinks that doing the bis would make this a difficult thing to add.  You add two new items and then you get following  cases:
	a) The client does not use the new item:  The ids in the token are going to be used
	b) The client sends the item:  
		The server errors back because it does not support it and is strict - client goes to a)
		The server does not return a new item because it does not support it and is lax, the ids in the token are going to be used
		The server does return it's new item, the ids in the messages are going to be used.

5) I don't understand the case you are trying to make about reversing roles.  First see point 1 above as the RS is not going to know who it is talking to, it could be C or it could be RS2 acting as an on-path attacker.  

[/JLS]

Cheers,
John

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

v2.23.0 | Report a Bug | By Email