IETF Logo Mail Archive

Re: [Ace] Summary of ACE Group Communication Security Discussion

Michael StJohns <mstjohns@comcast.net> Fri, 25 November 2016 17:49 UTC

Return-Path: <mstjohns@comcast.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27C5112967C for <ace@ietfa.amsl.com>; Fri, 25 Nov 2016 09:49:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.186
X-Spam-Level:
X-Spam-Status: No, score=-3.186 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D4XAnpFIXkY9 for <ace@ietfa.amsl.com>; Fri, 25 Nov 2016 09:49:16 -0800 (PST)
Received: from resqmta-ch2-06v.sys.comcast.net (resqmta-ch2-06v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A51C5129461 for <ace@ietf.org>; Fri, 25 Nov 2016 09:49:16 -0800 (PST)
Received: from resomta-ch2-15v.sys.comcast.net ([69.252.207.111]) by resqmta-ch2-06v.sys.comcast.net with SMTP id AKcbcpKTM5TWoAKcecu13y; Fri, 25 Nov 2016 17:49:16 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1480096156; bh=yzte/cNsC2LMgpbFKhEXiglZ9rBCJTEQNKXL4O6mG9s=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=NH7eZBtNc5f9Xu7MxcmAb3LgQc2xt/8J5+K+5+RXYJoTBO1id/NP+V34lf6fp5Anf EEo7luAZtTrf4T/r10JbEOkIaoRrUsdSw1dks8sfZG3VNE2vNx16X6N679F0SC8qgw qbEBC4x+WD1yz+qKVziJ0svqe80NymHVCPx7h68fM5u7nIRD0QtW0Lt/BAmYYMMO2T fo4Cc5kDhajWwGjaHcGUxkOOZcREwB+cZeEvV/J8z9Fkk1pwFee2o+vQq43/3/ofmr uEYzk216F63Sgzf2Ew9x69iq0AnMmhnAunirqOfM9myLu0pBMG41Ydbo5dp+WaDTT8 XQRkEKfS18pwA==
Received: from [192.168.1.115] ([68.83.216.245]) by resomta-ch2-15v.sys.comcast.net with SMTP id AKagcimvwr9q8AKahcSeao; Fri, 25 Nov 2016 17:47:15 +0000
To: "Rahman, Akbar" <Akbar.Rahman@InterDigital.com>
References: <D40F1535.451DD%kepeng.lkp@alibaba-inc.com> <1cc7f243-e7f7-6ec5-7140-88c74853dc34@gmx.net> <04FDEBEF-68CF-4DC6-B760-4DFB1B87D22C@gmail.com> <b69552fc-97c1-bc8f-6282-c3d42bf081c0@comcast.net> <6108.1478988687@dooku.sandelman.ca> <187ea38f-3271-ee91-7053-3e5ecedeafea@comcast.net> <7f461eca-b294-4a4f-b8e1-ec2fe70effaf.kepeng.lkp@alibaba-inc.com> <3ccde008-1e19-718d-37bb-ed7653c60ec9@comcast.net> <c4ec1408-8453-e056-05d6-1aa4d0aeb105@gmail.com> <0C27644B-6033-4781-86D5-2FD66872CEFC@gmail.com> <13b43f16-4867-6580-8275-a2bd0ecbae05@comcast.net> <36F5869FE31AB24485E5E3222C288E1F6DCA095E@NABESITE.InterDigital.com>
From: Michael StJohns <mstjohns@comcast.net>
Message-ID: <20e471c2-3b48-ae05-9643-fb19afd580d4@comcast.net>
Date: Fri, 25 Nov 2016 12:47:19 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <36F5869FE31AB24485E5E3222C288E1F6DCA095E@NABESITE.InterDigital.com>
Content-Type: multipart/alternative; boundary="------------8EFEEF47E92DE991622D6CE8"
X-CMAE-Envelope: MS4wfFh9x9WFjXWJW1eUdJxiq4OSpBM5szZ2Iieu6H3aN77xPMHNDAXVM3wIhFUzQ3ZH4Qq+bg9ifKlTWGZcXq0/7DqqPqvglhXCpo3XoNLN/PQm8GiY1zqw nfyXqn6wA/22urmockngukTZgAzB7elbyfqginqY0jN2Ns8igDGUZ4D4Ogz4bMLucbxAJn8f01r4hL4GkF61HcVLPZch3GG0ita2ptK0wZnNB5TjbHAVXfzV 7OAcX0K2BQZpL6kIFJfdVU7Jel/leBDdgiiYCdVaWvTbpgogaeb8qFWsNx9cGAvd
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/DzEM7a6Rd1Jd0m752gzGav_j53k>
Cc: "kathleen.moriarty.ietf@gmail.com" <kathleen.moriarty.ietf@gmail.com>, Rene Struik <rstruik.ext@gmail.com>, "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Summary of ACE Group Communication Security Discussion
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2016 17:49:19 -0000

Hi Akbar -

This comes under the heading of a rat hole question for this discussion 
- sorry.

Basically, the use of public key systems vs whether to use public key 
systems with certificates are separate questions.  In a typical 
relatively closed group control system using public keys, you would 
generate key pairs on the controllers (switches) and provide the bare 
public keys to the actuators to validate control messages.  Since the 
public keys have no life outside of the local domain/group, there's 
really no reason to deal with CAs, certificates et al.

Some designs *may* want to include digital certificates for chaining and 
management of credentials, but again typically, these are closed systems 
that do not/will not/should not depend on public PKI for their security 
guarantees.   And in fact, the form of the digital certificate in these 
types of systems may bear little resemblance to an X.509 certificate 
(e.g. a signed public key blob with a fixed length, fixed fields, fixed 
offset format).

In general, you use public PKI stuff when you want your credentials to 
have somewhat of a global reach.

So - public PKI certificate question + IOT ==>  rat hole for this 
discussion.

Mike


On 11/25/2016 10:52 AM, Rahman, Akbar wrote:
>
> Hi Mike,
>
> Thanks for pointing out all the issues with a symmetric key approach 
> to group communication.  However, can you also give any thoughts on 
> the specific vulnerability to the CA and certificates in the 
> asymmetric key approach for IoT?  After all, there has been some 
> well-known attacks on PKI infrastructure in the last few years such as:
>
> https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates
>
> Do you think it will be better or worse if IoT infrastructure start 
> using certificates on a massive scale?  Or is it outside the scope of 
> IETF standards and more of a deployment and operational issue?
>
> /Akbar
>
>
>
>
> <http://idcc.me/2e6xDgc>
>
> This e-mail is intended only for the use of the individual or entity 
> to which it is addressed, and may contain information that is 
> privileged, confidential and/or otherwise protected from disclosure to 
> anyone other than its intended recipient. Unintended transmission 
> shall not constitute waiver of any privilege or confidentiality 
> obligation. If you received this communication in error, please do not 
> review, copy or distribute it, notify me immediately by email, and 
> delete the original message and any attachments. Unless expressly 
> stated in this e-mail, nothing in this message or any attachment 
> should be construed as a digital or electronic signature.
>
>
> *From:*Ace [mailto:ace-bounces@ietf.org] *On Behalf Of *Michael StJohns
> *Sent:* Wednesday, November 23, 2016 1:22 PM
> *To:* kathleen.moriarty.ietf@gmail.com; Rene Struik 
> <rstruik.ext@gmail.com>
> *Cc:* ace@ietf.org
> *Subject:* Re: [Ace] Summary of ACE Group Communication Security 
> Discussion
>
> On 11/17/2016 7:00 PM, kathleen.moriarty.ietf@gmail.com 
> <mailto:kathleen.moriarty.ietf@gmail.com> wrote:
>
>     Is anyone willing to work on a draft to be ready in advance of the
>     Chicago meeting so we have a concrete proposal for asymmetric keys?
>
>
> I'm just catching up on old mail after getting over a cold.
>
> Mostly, this could be as simple as a two to four paragraph draft:
>
> 1) Use CORE section 5 for message formats. (e.g. public key signed 
> messages) using one of several defined specific set of algorithms 
> (e.g. sha256withecdsa and p256 or something smaller) chosen by the 
> application.
> 2) The authentication bare public key is a configuration item for the 
> end devices and placement is beyond the scope of this draft.
> 3) Tracking of a message ID from (1) to prevent command replay attacks.
> 4) Minimum numbers of controllers (e.g. public keys and actuation 
> events or message ids) that an end system has to track.
>
> (2) could be folded into a draft about configuring end devices.
>
> A more complex model would be:
> 1) Place a root certificate on all end systems via configuration (also 
> out of scope)
> 2) Describe the certification path algorithm (e.g. profile RFC5280)
> 3) Describe how the cert path certificates are carried in CORE section 
> 5 messages.
> 4) plus 3 & 4 above.
> 5) plus how to operate in the presence of clock time.
>
>
>
> Unlike symmetric key systems, there really doesn't need to be a key 
> management/agreement/transport protocol per se.  It's all about a) 
> what constitutes a valid message, and b) what do you do with the valid 
> message once you get it.
>
> An application specific draft would include message formats for things 
> included in a CORE section 5 message (e.g. the specific values for 
> turning on and off lightbulbs or setting their hues or intensity), but 
> that's not really an ACE thing per se.
>
> Mike
>
>
>
>     Thanks,
>
>     Kathleen
>
>     Please excuse typos, sent from handheld device
>
>
>     On Nov 17, 2016, at 11:26 PM, Rene Struik <rstruik.ext@gmail.com
>     <mailto:rstruik.ext@gmail.com>> wrote:
>
>         Dear colleagues:
>
>         Just a reminder re perceived technical hurdles for using
>         signatures:
>         a) time latency of signing:
>         One can pre-compute ephemeral signing keys, so as to reduce
>         online key computation to a few finite field multiplies.
>         Please see my email to the list of July 26, 2016:
>         https://mailarchive.ietf.org/arch/msg/ace/iEb0XnAIMAB_V3I8LjMFQRj1Fe0
>         b): further speed-ups/tricks, etc:
>         One can try and be smarter by clever implementations.
>         Please see my email to the list of July 21, 2016:
>         https://mailarchive.ietf.org/arch/msg/ace/iI58mT_DDzKImL1LP_bUQ7TzooI
>
>         This seems to take the time latency argument away. The only
>         other technical hurdles I can see are
>         (i) signature size {is 64B too much?};
>         (ii) cost of public key crypto implementations {quite some
>         small, nifty designs out there (NaCl etc.}.
>
>         As to (i) - one should view signature sizes in perspective: as
>         an example, key sizes in the key pre-distribution scheme HIMMO
>         (as promoted by Philips) has key sizes of 6.25 kB and up,
>         according to Table 3 of the paper that massages parameters to
>         thwart new attacks on their scheme, see
>         http://eprint.iacr.org/2016/152.
>
>         So, security arguments that favor asymmetric solutions aside,
>         there also do not seem to be too many other objections that
>         would hold in the world anno 2016 {except for "sunk
>         investment" arguments", but that is a corporate mindset issue}.
>
>         On 11/17/2016 12:50 AM, Michael StJohns wrote:
>
>             On 11/16/2016 9:08 AM, Kepeng Li wrote:
>
>                 Hello all,
>
>                 We had a long discussion about group communication
>                 security topic since the previous F2F meeting.
>
>                 Hannes and I have tried to make a summary about the
>                 discussion as follows:
>
>                 ·       The solution needs to define both, symmetric
>                 and an asymmetric group key solution.
>
>
>             There is no case (absent hardware mitigation) in which a
>             symmetric group key solution can be made secure/safe and
>             no one has made an offer of proof that they can make it
>             secure.    I've asked repeatedly - no one has come forward
>             with more than "oh we can lock the symmetric key stuff in
>             a corner and make sure it isn't used for anything important".
>
>
>             Given the recent attacks on the internet by IOT botnets,
>             there is a further consideration that should be undertaken
>             - whether the symmetric group key solution applied to 10s
>             of 1000s of IOT devices is an active threat to the rest of
>             the internet (e.g. enabling DDOS, cyber physical issues, etc)?
>
>             The multiparty (group) symmetric key solution is only
>             wanted for a single corner of the solution space - low
>             latency, no cost systems.  E.g. lightbulbs.  Given there
>             is a worked example of the insecurity of multiparty
>             symmetric key systems (e.g. the attack on the symmetric
>             signing key of the HUE lights), I'm unclear why anyone at
>             all would think that pursuing a known bad solution in the
>             IETF is a good idea.
>
>
>                 ·       The security consideration section needs to
>                 explain under what circumstances what solution is
>                 appropriate.
>
>
>             Security consideration sections generally only address the
>             threat *to* the system from security choices.  In this
>             case, symmetric key group comms reduces down to the same
>             security analysis you would use with shared default
>             passwords across 1000s of devices.   An IOT security
>             consideration section in the future probably needs to
>             address the threat *FROM* the IOT solution to the broader
>             internet.
>
>             Mike
>
>
>
>                 If this is not accurate, please let us know.
>
>                 Kind Regards
>                 Kepeng & Hannes
>
>                 BTW: it is a pity that I can't attend this meeting due
>                 to personal reasons, and hope you all have a nice
>                 meeting in Seoul!
>
>
>
>
>                 _______________________________________________
>
>                 Ace mailing list
>
>                 Ace@ietf.org <mailto:Ace@ietf.org>
>
>                 https://www.ietf.org/mailman/listinfo/ace
>
>
>
>
>             _______________________________________________
>
>             Ace mailing list
>
>             Ace@ietf.org <mailto:Ace@ietf.org>
>
>             https://www.ietf.org/mailman/listinfo/ace
>
>         -- 
>
>         email:rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com>  | Skype: rstruik
>
>         cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>
>         _______________________________________________
>         Ace mailing list
>         Ace@ietf.org <mailto:Ace@ietf.org>
>         https://www.ietf.org/mailman/listinfo/ace
>

v2.23.0 | Report a Bug | By Email