Re: [Ace] Summary of ACE Group Communication Security Discussion

Michael StJohns <> Wed, 23 November 2016 18:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AFA58129A57 for <>; Wed, 23 Nov 2016 10:22:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.196
X-Spam-Status: No, score=-3.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jJ0HsWAwZv1Q for <>; Wed, 23 Nov 2016 10:21:58 -0800 (PST)
Received: from ( [IPv6:2001:558:fe16:19:96:114:154:170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3222B1296B9 for <>; Wed, 23 Nov 2016 10:21:58 -0800 (PST)
Received: from ([]) by with SMTP id 9cAFchziSEp5X9cBBcJzOX; Wed, 23 Nov 2016 18:21:57 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=q20140121; t=1479925317; bh=5Gf0pP5U/xJzj+VBD+Wsc0zPO6ot4jjyh4IwH1dTZEY=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=CxpAotngrPsq4WudcC2S/JlAP3nSFv19UcYqzc0uy8FcckUGdibM0pTpmMRUbqSU/ Odt6wUQnfTYs1Rg012MxScPjK8YTMIl4qloodyDtXAdhyLJWmW1+MlHGo/NTfW9VZK qKu4i5WG094WTdkRO/LxyXHZizbE1ETHXJ8XJq0KPqoe9nEBrNrJAVl6Mn2V3Zkauu Xyi8Swu3rIO5fNQoqpVEI7AfOG0LNwWvTuT1FeIAIJNjbRGCIqwXtitmxv65cqH8iL y+iSFR4uYbxqKeXH1NCNwY2VpZs3/96CUJjIUOCQ6OXdhvZ2E5g/fb0V8eXH+HPEex B7SFSeYFGQiOA==
Received: from [] ([]) by with SMTP id 9cBAcuAKKSUI09cBBcPF2x; Wed, 23 Nov 2016 18:21:57 +0000
To:, Rene Struik <>
References: <> <> <> <> <> <> <> <> <> <>
From: Michael StJohns <>
Message-ID: <>
Date: Wed, 23 Nov 2016 13:21:58 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------673F2D2AC01C8D701E1DEA08"
X-CMAE-Envelope: MS4wfHkxAW/6+xTOQOO5VwlA004x2I6ZeWA3YkirfTj710yIZMu2OEMixRUWYAo7jr7xSmplC0/w8VbWmiy3M/ijlsUv3MIX8KjnkA5vfATUyINwl5e9MLTz 8HzyCGCm8OH8WFD+odqEbRhrUIyeZiHRsuyw7Aupk+mE6+XIIDz5ZBuFkIZeS7mJ2qpfRcFqLe4pNNBFaV7PmVA+7WvOlR3PWiMc0qQ7J9CUK6coJf1dEJMZ /Cp9geNmeW9oBeCkEfZgJA==
Archived-At: <>
Subject: Re: [Ace] Summary of ACE Group Communication Security Discussion
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 Nov 2016 18:22:01 -0000

On 11/17/2016 7:00 PM, wrote:
> Is anyone willing to work on a draft to be ready in advance of the 
> Chicago meeting so we have a concrete proposal for asymmetric keys?

I'm just catching up on old mail after getting over a cold.

Mostly, this could be as simple as a two to four paragraph draft:

1) Use CORE section 5 for message formats. (e.g. public key signed 
messages) using one of several defined specific set of algorithms (e.g. 
sha256withecdsa and p256 or something smaller) chosen by the application.
2) The authentication bare public key is a configuration item for the 
end devices and placement is beyond the scope of this draft.
3) Tracking of a message ID from (1) to prevent command replay attacks.
4) Minimum numbers of controllers (e.g. public keys and actuation events 
or message ids) that an end system has to track.

(2) could be folded into a draft about configuring end devices.

A more complex model would be:
1) Place a root certificate on all end systems via configuration (also 
out of scope)
2) Describe the certification path algorithm (e.g. profile RFC5280)
3) Describe how the cert path certificates are carried in CORE section 5 
4) plus 3 & 4 above.
5) plus how to operate in the presence of clock time.

Unlike symmetric key systems, there really doesn't need to be a key 
management/agreement/transport protocol per se.  It's all about a) what 
constitutes a valid message, and b) what do you do with the valid 
message once you get it.

An application specific draft would include message formats for things 
included in a CORE section 5 message (e.g. the specific values for 
turning on and off lightbulbs or setting their hues or intensity), but 
that's not really an ACE thing per se.


> Thanks,
> Kathleen
> Please excuse typos, sent from handheld device
> On Nov 17, 2016, at 11:26 PM, Rene Struik < 
> <>> wrote:
>> Dear colleagues:
>> Just a reminder re perceived technical hurdles for using signatures:
>> a) time latency of signing:
>> One can pre-compute ephemeral signing keys, so as to reduce online 
>> key computation to a few finite field multiplies.
>> Please see my email to the list of July 26, 2016: 
>> b): further speed-ups/tricks, etc:
>> One can try and be smarter by clever implementations.
>> Please see my email to the list of July 21, 2016: 
>> This seems to take the time latency argument away. The only other 
>> technical hurdles I can see are
>> (i) signature size {is 64B too much?};
>> (ii) cost of public key crypto implementations {quite some small, 
>> nifty designs out there (NaCl etc.}.
>> As to (i) - one should view signature sizes in perspective: as an 
>> example, key sizes in the key pre-distribution scheme HIMMO (as 
>> promoted by Philips) has key sizes of 6.25 kB and up, according to 
>> Table 3 of the paper that massages parameters to thwart new attacks 
>> on their scheme, see
>> So, security arguments that favor asymmetric solutions aside, there 
>> also do not seem to be too many other objections that would hold in 
>> the world anno 2016 {except for "sunk investment" arguments", but 
>> that is a corporate mindset issue}.
>> On 11/17/2016 12:50 AM, Michael StJohns wrote:
>>> On 11/16/2016 9:08 AM, Kepeng Li wrote:
>>>> Hello all,
>>>> We had a long discussion about group communication security topic 
>>>> since the previous F2F meeting.
>>>> Hannes and I have tried to make a summary about the discussion as 
>>>> follows:
>>>> ·       The solution needs to define both, symmetric and an 
>>>> asymmetric group key solution.
>>> There is no case (absent hardware mitigation) in which a symmetric 
>>> group key solution can be made secure/safe and no one has made an 
>>> offer of proof that they can make it secure.    I've asked 
>>> repeatedly - no one has come forward with more than "oh we can lock 
>>> the symmetric key stuff in a corner and make sure it isn't used for 
>>> anything important".
>>> Given the recent attacks on the internet by IOT botnets, there is a 
>>> further consideration that should be undertaken - whether the 
>>> symmetric group key solution applied to 10s of 1000s of IOT devices 
>>> is an active threat to the rest of the internet (e.g. enabling DDOS, 
>>> cyber physical issues, etc)?
>>> The multiparty (group) symmetric key solution is only wanted for a 
>>> single corner of the solution space - low latency, no cost systems.  
>>> E.g. lightbulbs.  Given there is a worked example of the insecurity 
>>> of multiparty symmetric key systems (e.g. the attack on the 
>>> symmetric signing key of the HUE lights), I'm unclear why anyone at 
>>> all would think that pursuing a known bad solution in the IETF is a 
>>> good idea.
>>>> ·       The security consideration section needs to explain under 
>>>> what circumstances what solution is appropriate.
>>> Security consideration sections generally only address the threat 
>>> *to* the system from security choices.  In this case, symmetric key 
>>> group comms reduces down to the same security analysis you would use 
>>> with shared default passwords across 1000s of devices.   An IOT 
>>> security consideration section in the future probably needs to 
>>> address the threat *FROM* the IOT solution to the broader internet.
>>> Mike
>>>> If this is not accurate, please let us know.
>>>> Kind Regards
>>>> Kepeng & Hannes
>>>> BTW: it is a pity that I can't attend this meeting due to personal 
>>>> reasons, and hope you all have a nice meeting in Seoul!
>>>> _______________________________________________
>>>> Ace mailing list
>>> _______________________________________________
>>> Ace mailing list
>> -- 
>>  | Skype: rstruik
>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>> _______________________________________________
>> Ace mailing list
>> <>