Re: [Ace] Security of the Communication Between C and RS

Ludwig Seitz <ludwig.seitz@ri.se> Thu, 20 December 2018 07:40 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DB891310BF for <ace@ietfa.amsl.com>; Wed, 19 Dec 2018 23:40:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=risecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WTG2x_6Pib3H for <ace@ietfa.amsl.com>; Wed, 19 Dec 2018 23:40:15 -0800 (PST)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-am5eur02on0600.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe07::600]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 626A51310B1 for <ace@ietf.org>; Wed, 19 Dec 2018 23:40:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=RISEcloud.onmicrosoft.com; s=selector1-ri-se; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EG14pxTaX1x9owyEB6eGHOoGmeUbZxb3mvpg2a3acnc=; b=HVxXcCK+pjyfXZ1JbAxS8COwOYbs+39ymH/Xac2h+ALLbv/62HMh0dUXOaTi2PYxfRNI/wI693QFVr/6tziyNhuXV9ismekQVuHFDBcwq6vcTY68X9qdzBXx/ARQCTBJm2G7vICNYJt5AEJU4C/t4O5mdknGIByRmHPOBr36KjA=
Received: from DB6P18901CA0023.EURP189.PROD.OUTLOOK.COM (2603:10a6:4:16::33) by AM5P189MB0322.EURP189.PROD.OUTLOOK.COM (2603:10a6:206:20::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1446.17; Thu, 20 Dec 2018 07:40:12 +0000
Received: from VE1EUR02FT026.eop-EUR02.prod.protection.outlook.com (2a01:111:f400:7e06::209) by DB6P18901CA0023.outlook.office365.com (2603:10a6:4:16::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1446.19 via Frontend Transport; Thu, 20 Dec 2018 07:40:12 +0000
Authentication-Results: spf=pass (sender IP is 194.218.146.197) smtp.mailfrom=ri.se; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=ri.se;
Received-SPF: Pass (protection.outlook.com: domain of ri.se designates 194.218.146.197 as permitted sender) receiver=protection.outlook.com; client-ip=194.218.146.197; helo=mail.ri.se;
Received: from mail.ri.se (194.218.146.197) by VE1EUR02FT026.mail.protection.outlook.com (10.152.12.77) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.20.1446.11 via Frontend Transport; Thu, 20 Dec 2018 07:40:12 +0000
Received: from [192.168.0.166] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Thu, 20 Dec 2018 08:40:11 +0100
To: Jim Schaad <ietf@augustcellars.com>, 'Hannes Tschofenig' <Hannes.Tschofenig@arm.com>, 'Stefanie Gerdes' <gerdes@tzi.de>, ace@ietf.org
References: <154322421294.8323.8505315870685563404.idtracker@ietfa.amsl.com> <81ba3ab4-a9ce-a6fd-fbe6-c36a6fbbd9a5@tzi.de> <VI1PR0801MB2112E04F9FD7412350995417FAA20@VI1PR0801MB2112.eurprd08.prod.outlook.com> <b994af16-9bb8-4386-e7d2-321e453417fc@ri.se> <VI1PR0801MB21124D7C11F3A1F49DCA9A2CFABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <VI1PR0801MB21126DDCCA251EEB8DB21DAAFABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <dff54c41-9598-8f77-83ec-f4494703d923@tzi.de> <VI1PR0801MB21125D384A3DE6BD90AEDB74FABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <b79ea204-0d7d-3968-6ea5-cd33d5502380@tzi.de> <VI1PR0801MB2112F215E8DF2E8AC34F217FFABE0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <e42032d6-ad15-26d2-cdbb-aaa34900d1ad@tzi.de> <9f35177f-30d4-817e-dfc3-9a54903ab023@ri.se> <VI1PR0801MB2112BA2A400D660DC32B7293FABE0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <f441528a-aba4- 8556-0493-2e12a38e4133@ri.se> <035a01d497d8$941fa920$bc5efb60$@augustcellars.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <ad81074d-54b8-23df-4a55-74163b290aa3@ri.se>
Date: Thu, 20 Dec 2018 08:40:11 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <035a01d497d8$941fa920$bc5efb60$@augustcellars.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-1.sp.se (10.100.0.161) To sp-mail-2.sp.se (10.100.0.162)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:194.218.146.197; IPV:NLI; CTRY:SE; EFV:NLI; SFV:NSPM; SFS:(10009020)(39860400002)(136003)(376002)(396003)(346002)(2980300002)(189003)(199004)(8676002)(476003)(81156014)(486006)(110136005)(81166006)(44832011)(126002)(65806001)(356004)(65956001)(76176011)(31686004)(106002)(16576012)(11346002)(2616005)(446003)(316002)(8936002)(77096007)(26005)(58126008)(14444005)(16526019)(186003)(106466001)(23676004)(2486003)(305945005)(7736002)(31696002)(40036005)(64126003)(22746007)(104016004)(22756006)(86362001)(65826007)(93886005)(68736007)(230700001)(5660300001)(67846002)(6116002)(36756003)(69596002)(6246003)(3846002)(2906002)(117156002)(47776003)(97736004)(50466002)(336012)(15650500001)(33896004)(386003)(53546011)(74482002)(229853002)(53936002)(508600001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM5P189MB0322; H:mail.ri.se; FPR:; SPF:Pass; LANG:en; PTR:InfoDomainNonexistent; MX:1; A:1;
X-Microsoft-Exchange-Diagnostics: 1; VE1EUR02FT026; 1:OlWjdgMBu4bym2HxtE2Dj/zsE1yrL6ZHKPQ9d90T6XpvXnzuXKNXjRp90Mkv0XZFLwYRqepqkkMs6noPw1ir8OjY/ZG7hsippn+Rwqs5fPLx51COdWG3pJ9O+9C888li
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: de9dce32-fbb3-4a84-2142-08d6664e6004
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600074)(711020)(4608076)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:AM5P189MB0322;
X-Microsoft-Exchange-Diagnostics: 1; AM5P189MB0322; 3:1D78V1/8qVDMFwCUfVYYEijiQHhWdAVdcdQcMNsNQ5wC9DyBTh9UxNw3JIdNEgH2mHcZoiw6l1ZsGmaNt9hGFsvkQzSqEjre4dilMbq3eWDBoeba0om5IexqWa4LVRVQF7CAL0/2Lh8cY1oCk1b+FDSq+2/Pd02H29xCbuzwwzOrJr+hLVrTphrZXOM7+k4nqKK+v6bVUmh5Ti6/hZLs4nLiUMt5fRqTtWvMzJU5QGMRKkCKJHk3ViFAjd7TkVImYF8uFOAOlMdVRd9U9IFsxWe14Y45C2vvfUEc1LjI88oYprURjMxc6tDnwUInCyHhwVhxhMOv2jy6XwboLt/rN1abDM1mpLiz8Ci2vz5SWA8=; 25:oJB2A0PwSvqRyj2l5q9ByLLIE8VVoCYyefmhQWcS6+tV2OPa96DArPDg0VFvkeVhSIVMbWn9ktSBs9LMNBhSA7W2SkZ5a81mhHisUnKhCTgp21RRFKq/8M7TY03J1SWy3Mn1QglicikGZqWovX6LHUxbNXuep12qJU5Sc5JX8kP0ihjcC8ruTxK6mzy/xcHFu1xX8pYOYeZyEeXPmefo/CH5TdYG9w8NSwgwA6dyxMEMzczoNR81ONaH8tu8lVmLTyeRH30rgWDU8fxMbXBfa+zS8lB+25SCdL28YW5F2DkW8YN1y/96j447At8U3GJ1tJIwKVOt0bkVn9GYsnHVMw==
X-MS-TrafficTypeDiagnostic: AM5P189MB0322:
X-Microsoft-Exchange-Diagnostics: 1; AM5P189MB0322; 31:grG+7JQ/dI5cCoU4wobPybW+8QfZ8Icpodl8Uu5wAKRDg8KbzLgVETuu+D+47Wwyvw/UxbANG5KSmn/kVMGXvZgV4n7Y8vwNQqyi4/NGgEZgxLmyiJ/LeTcptNVm7tF4RlbI91nkPMeeWIIe47KNheAWUR6+eCeAlv8Moajb7ANK/MryZUb1lcv720523tMJeNng8EVt5AdVrN8XrzTk+jGqsU2/RaZtXNF/8E2Sijg=; 20:L3qf3My/En29JgXO+TqlJrdQ6Kgz+eiXa9DBtvGw0GMAm5VFlQ4ezDqFkLgFTXN3372PAkEtHY4s4XO/TXeQDRfme9gh3OKNdF9nHpVvmGof6DgYPpWW3r/Hw8IX1NhOpwGiWjFPLKMnuydKXZSLAipmO+ParUYUjzY5/Ju4BEcta0RCjZzONiX4WAUsTEWeMrktELwdF/CCVDaLhJSBpikobYjHDofMj7axJv8rdpjQenDhcWQwJteZ90mtdMxj; 4:8DSEKa/o6RRUfjFBHQtu7regYhdKWGew7DN2siFy0S+59KP4LW1LzeXRjSU+sHVbn3SF80t7AJogdUqUNOFJ6xww7KTrNZR5Y+/10Fd7YTCR6/x7DBVTvyMAnOv3xoTps7h+CflxrAOz4J297vrQk8G6/xFUuqJOSo6l/fbyBcoO800Sp6sdaJWzOC0PRdcs4v1mSZgdvr46nFTK0WQ1AHMv4cr7sfdphaaBsoNMo9c3mJbVM3lnbbhLBhmeQcOHuMLj3wJMGQ+oMKLpQjVkwg==
X-Microsoft-Antispam-PRVS: <AM5P189MB03226F080199B1436F073E3282BF0@AM5P189MB0322.EURP189.PROD.OUTLOOK.COM>
X-MS-Exchange-SenderADCheck: 1
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(3230021)(999002)(5005026)(6040522)(2401047)(8121501046)(93006095)(93004095)(3231475)(944501520)(52105112)(3002001)(10201501046)(149066)(150057)(6041310)(20161123560045)(20161123562045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(20161123558120)(201708071742011)(7699051)(76991095); SRVR:AM5P189MB0322; BCL:0; PCL:0; RULEID:; SRVR:AM5P189MB0322;
X-Forefront-PRVS: 0892FA9A88
X-Microsoft-Exchange-Diagnostics: 1;AM5P189MB0322;23:nIpycVi4QriZh3H9qUHRdV442F35e1hsecry4n7+k3L396rj0NZVgChw8uluqTMTXBzipnf1fGlvSKZXXsxA1jI81scq7P5EUPm9n+udAXhYcJiCqhZZtJFes2m2cPgoD2aLn0sWFJIfUnWf22NeCd07G70x5mSxSh3Ztr+VKOJuKlDLEHx+OGmGeba1AojAAQAeseG0xHtWOzrXqVREwT4mbVBAjdy+yivGZVL7WtdKwBaRywS+c/GQQDuoum2Cua25+jyYGY4BXIANN9mGJMWdGyJLycMqhx/ri082/wlyzKab6BkS0zvOoZytFuGZtYUF6ObzMHAnF+hf3d9oCKl5nfEJi18QiC7jNqA94MpXa7+xcvvIzByzgsfXPSFtqLxkVtzK5HF1mcewxsdb50a9XmzGTsqeJxgteyNmHAB5iqzK7WFRpHodcOy4RxsGy7Yx7L8hTmA7Yn+Jo1yXcf/MOqH+3E+hoEmEnfs8vkHKLOvt1Hj8TjgBojHh6/yNeOZim8rjkuG4/Q6qmDMH7sQqcxA79zVtluPx3rQW5Wyix0fqZc9WAxYAY/Bzkiv+do8RHq7tFZb+93Wiy9eXKvTpCTP51jL9Adg8eXzZmNDACbnM7OhYJL7Of5XuC0X/vvxjqS9kqgqVfXdAJVkdj3AU7UPKEONM9m65flgrq8btpJ+e3FCXi5G7Lv+HHjiU6wfYknfWFwUDW7h4rhO/p4eOxpCSknldzgxaIniVKHY8aoZZM9g3PhPRByeevSA4P7dvoy5S8lqv/57uHtWE7UFaeHnwmF4YWXaHVfSUGAZJhLH/6ogHpqeU/Ts3vfZ1QYsr8nylAMNtOQXtKDRnp3Kkcb35DTFrSZIq7PDFxH/ep2Va6Hmf9JLXaz37WOip98AM8NadplY8JsKJW2ouCh//90SnMBEK+vdOdFXrCgBbbiNce287ZmDd91IyY+PwnJzpl+i1aP3sbhd+W4Z46HQszuOoF7m8e+Rem0MW661F7GM18+CJXsz9G0UmNulp5opzqeUpMSCxtGTru565XBvVjdkxllyXmzknTxdN/F+v++kTYzherul36Glhmm+GxfQqVrTefMkyvdK+Nufp0+RYPyat1XvCOLS4RIP5khAVvMTDkTw7B8vEq/Igii2WI5ZfsfBy6WORx3kNQ+OZR/ptTnX10wdsrNcobyfTiNMxhDJa+5umusy5d5IyBubzv7MpQipaMjQuCsoRaWFryMRjnJFt+ISqebAiPzuEGXm2jHM00JMEDEl0vxQJMpI4ERPHx5OtLGHfZZ6YDIm1sksccZ82xDZwJ3MvRzPUfy79jMw5fy3I02jOIXZ4zsFmRWbQ7t023z8vqRBDx/wcO4LXX02u4G+uUIrCXgL6NkRvRLWl4OqHornwrSCGau5V0fWSBEYP+jbvI8ZX/tzZP7gMKuaXmIRNeLe6GE741yDGrT9gSP/MtR/vJGRAnWlHFLJPid9QFDJDPaPkL5OXdgwzMZfZWIIWu8Gd0e4ahloQGPUZ8631GDuQ4pO+omDrZI4yjQaaXRGIcx2SdOfY1w==
X-Microsoft-Antispam-Message-Info: abYu3IrCvKH0BNKDsu1bugJPAHcACx5hiMouG+YdY7yfPfln4JhMnYcVJBIwfx3byRk43p0zej5sn31rf3hof+nZ5XhubLIgDINtwoPU0GB2K+ZClrApesZjXL5ccqC5BrBwCNETW1ACW3iT5kqcKJJtO8x/wUlZjrq65GaHy3EqcCjcQzImQ1FOzKQeia2g9Ya86aVcvht6XsJArCzxEiwDJZscsbMFHBQWKEC8jxc5r5aB2hIQLsJfX1mVCzLQ6Qd+8sZWaf6lmk0BJw1GPkO/IXOTf8InIUvescmmuV75VkJvYP96OQRdhCT2RI5C
X-Microsoft-Exchange-Diagnostics: 1; AM5P189MB0322; 6:9oAbIdhnI6Tqwk/TUIpYZgk1soVXiV6tXUaZpkYVPYZLknpu8A7F95PppSedR0Qbe7VH8I0EgctzZrN2kcsKYBNxtGJmobNN1ANq02t2nF5KpZzL403NPfBa6F5BtZhSB6D+Zr5sRATkqizRIiLWcKV7CPrP5jGSW6oACs47Rj4GohMV/5FPTS8NmxrcfaUaQWpBiTxpSjcIcD4dnSodrCK1yECq0YUpkoHmbnRfq3+d5y7sMQqRm13BrYGcy0P7eG3r3qP1R/JNsLtWwZq8wwxiAzgJdW6Ik29hwiCxmg8Yj7HEwf15dfvG5Fx2qDr5Sg9wLVLxLY2CxfAnFNncZPvGUvJWD7euhlke4avuVEb9Woh8nRxU/KoGVvZCw9fqEnLbuy5+RGODctD8LPlQs1hY5c5l5CrPbOb8ZmXV72ZoVau+13+xEuWJ5fmw1QAlOEPwPqBM8gaPPpGWKG4sDw==; 5:+uXP0dBuzA6ATH1qyadSSUx0Z0gF9yk31RRZDCyPmQ8nl2tGgWmdAjm/+Agv+B4wxYmodBIcMru570Q9I0PyB24pu031RVldScU/7ueoJIZSvp+3xeFwdXcZ4hqrgLgKCKIA8Rr6dVZFZbD7JTLBBiaXUo6InZjLXYNSoDpKFao=; 7:ppH7DZdZRC6xJPLdXuckjqelu2nRJydcWGz32kxKBDTOWT/WTJb7XKCJxZMeLlJQyFnEHqsLTJyKhvznAuRehgmSGgt5BOyU7qxSTkaGSNje/qmSdWtYuB0Q1+CVjqU6z9oyMAw/5W6wtOSxVTYU4w==
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Dec 2018 07:40:12.2463 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: de9dce32-fbb3-4a84-2142-08d6664e6004
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5a9809cf-0bcb-413a-838a-09ecc40cc9e8; Ip=[194.218.146.197]; Helo=[mail.ri.se]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5P189MB0322
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/CDe1_7EBjq6wJmvr6BXsjCQ6GxY>
Subject: Re: [Ace] Security of the Communication Between C and RS
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2018 07:40:19 -0000

On 19/12/2018 21:22, Jim Schaad wrote:
> 

>>> In step (4) you tie the expiry of the token to the attacker
>>> getting hold of the key. What happens if the attacker gets hold
>>> of the pop key before the token expires?
>> 
>> If it is detected the AS would revoke the token. Then the client
>> _could_ use client introspection to get that information. Note that
>> this is what the CMU people are looking at.
> 
> I am having a real problem with the idea that we are going to start
> adding the idea of revocation to the entire system.   I would much
> rather make sure that both sides are given an idea of when things are
> going to expire and just make things expire relatively quickly.
> 

It's quite unlike the revocation in PKI, it's just that an AS can mark a 
token as invalid, and this information would then be available to those 
who can do introspection.

>> 
>>> Additionally, if you use DTLS/TLS just having the PoP key still 
>>> requires the attacker to run a new DTLS/TLS handshake with the
>>> RS.
>> 
>> If the pop-key was used as a basis for doing a DTLS-PSK handshake,
>> the attacker should be able to hijack the connection and
>> impersonate either party.
> 
> This depends on the version of PSK that you are doing.  If you use
> PSK+ECDH then the attacker cannot hijack the connection.
>

Right of course. I suspect however that not all constrained devices 
would implement the PSK+ECDH handshake, or are the other PSK handshakes 
deprecated?


>> 
>>> It would also be useful to know where the attacker got the PoP
>>> key from and how you can even detect the compromise.
>> 
>> That is a different story entirely. You could imagine the case of
>> an RS improperly deleting an expired token and the associated
>> pop-key, and then being subject to a physical attack that recovers
>> that information.
> 
> It would be more reasonable to say that if you are doing a physical
> attack, then it would be easy to get an RPK and then you are the RS
> until such a time as the AS is told that the key is no longer
> trusted.  In this case you will just continue getting tokens as a
> client which are still valid and none of this is helpful in any
> event.

Ok my example was perhaps not ideal, since it has an even bigger breach 
as precondition. So under what conditions would an attacker get access 
to a pop-key of an expired token? Steffi any ideas?

/Ludwig



-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51