IETF Logo Mail Archive

Re: [Ace] draft-schmitt-two-way-authentication-for-iot-02

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 11 March 2014 19:31 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA7EE1A07C3 for <ace@ietfa.amsl.com>; Tue, 11 Mar 2014 12:31:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F98jt2KfSw2d for <ace@ietfa.amsl.com>; Tue, 11 Mar 2014 12:31:55 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 7A9AE1A04AB for <ace@ietf.org>; Tue, 11 Mar 2014 12:31:55 -0700 (PDT)
Received: from [192.168.131.134] ([80.92.123.72]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MhMg2-1Wa3bl3Sb4-00MftD; Tue, 11 Mar 2014 20:31:48 +0100
Message-ID: <531F6177.5040704@gmx.net>
Date: Tue, 11 Mar 2014 20:18:15 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: "Dr. Corinna Schmitt" <schmitt@ifi.uzh.ch>, ace@ietf.org
References: <53086642.5050609@gmx.net> <53134E58.20608@ifi.uzh.ch>
In-Reply-To: <53134E58.20608@ifi.uzh.ch>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="ahRgTev595FLwL9vJTGseqMswveqkGxCR"
X-Provags-ID: V03:K0:SMowy18k8CLJh+4smRqh8Mcxcyep6rDaN76sSQL2NqYFTSb94np /BFxlbXhjimZuRRqP+KU90vjBbaJZQbN0EJ0OWEIUNrNZTiQclijWr4GYa2sfrBRt8bZIaK adbJI1IcVUHrld31WjQwimHWdTZGtAohOMhzUjDd5f5VhbS4XRbyuD+34+9+5cEr3VwBqu3 Xzw7URfp6YLhvlo7es+Mg==
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/I1TSjGQnjh5o3mtRFaMiFVvQHM8
Cc: Burkhard Stiller <stiller@ifi.uzh.ch>
Subject: Re: [Ace] draft-schmitt-two-way-authentication-for-iot-02
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 19:31:59 -0000

Hi Corinna,

thanks for the response.

My suggestion would be to produce a write-up that is of generic use
(independent from your specific implementation and your EU funded project).

However, given the charter discussions and the BOF I have my doubts
whether the work would meet many of the requirements outlined in
https://tools.ietf.org/html/draft-seitz-ace-usecases-00.

Ciao
Hannes

On 03/02/2014 04:29 PM, Dr. Corinna Schmitt wrote:
> Dear Hannes,
>> Hi Corinna, Hi Burkhard,
>>
>> thanks for your document. I have read through it and I ran into a few
>> questions. Your response would help me to better understand the proposed
>> idea.
> Thanks for reading the draft and make comments to it to improve it. Some
> comments can be answered right away.
>> 1) Why do you assume IEEE 802.15.4? Currently it seems that the 15.4
>> radio will mostly be used in specialized industry segments only. Is
>> there anything in the document that would make the idea less suitable
>> for other radio technologies, for example BTLE?
> Potentially the proposed solution can work on every stack you like. So
> you can do an implementation independently of IEEE 802.15.4.
> We put IEEE 802.15.4 there, because our used stack (BLIP) uses it.
>> 2) The assumed network stack does not show 6lowpan. Was this intentional?
> Same as above. You can use the stack you want. So also 6lowpan can be
> used. It depends n you what you require and what you want to support.
>> 3) You show RPL in the stack and I was wondering whether you assume it
>> being mandatory to implement for your assumed architecture? It does not
>> seem to show up elsewhere in the document. It appears to be irrelevant
>> for your design.
> RPL was just mentioned due to our other publications. Currently our plan
> is to change to RPL (CoAP) in the future.
>> 4) Subscriber identity: You write --
>> "
>>    The identity of a default subscriber is usually preconfigured on a
>>    publisher before it is deployed.
>> "
>>
>> Could you explain more what you assume is pre-configured and where it is
>> preconfigured?
> Here pre-configures means that our devices are equipped with the
> certification during compiling and programming them before deployment.
> This is due to the application scenario we support at the moment. Before
> deploying the device you have to run to steps: First creation of
> certificate, and second compiling code and play it on the device.
>> I would also suggest to avoid the term subscriber since it has two other
>> meanings that might confuse:
>>  a) The term subscriber is often used in context of telecommunication as
>> the user who has a contract with a telecommunication operator.
>>  b) The second use is in context of protocols that use asynchronous
>> communication (like XMPP).
>>
>> I believe your notion of subscriber does not relate to those two
>> existing uses. I guess you are more using the term subscriber to refer
>> to a device that wants some data from a sensor. Is this correct?
> Thanks for the hint. Yes you are right. The subscriber should be a
> device that wants data from the sensor.
> Usually this is one outside of the WSN. Do you have a suggestion for new
> name?
>> 5) Roles in your architecture.
>>
>> It seems that you assume that the IoT devices are publishers and that
>> there are subscribers who talk to these publishers. In some other cases
>> I have seen architectures where the IoT devices (sensors) upload the
>> data to some servers without having to act as servers themselves. In
>> your architecture it feels like the sensor nodes implement the
>> server-side functionality
> That was not our intention.
> Our network has push characteristics up to the server. Data publishing
> runs over server, because it has more resources and, therefore, can
> handle requests better. It is the gate to the world.
> Pull is only performed if you require data (measurements) at a time that
> is not pre-defined.
>> In Section 4.2.2 you write that you recommend an OpenSSL implementation
>> on the server side but the server-side would be the IoT device. While it
>> would be inappropriate to recommend a specific implementation in an IETF
>> draft/RFC it also raises the questions about the expectations on the
>> server-side.
> Thanks for the hint.
> We use OpenSSL on the server but not within the WSN. OpenSSL is used
> especially for managing rights, requests, and certificates.
>> 6. Certificate content
>>
>> In Section 4.2.2 you describe the content of a certificate and you
>> indicate that the commonName is set to "localhost". It seems to be
>> useless to include this in the certificate since a CA would not be able
>> to verify this identity information nor would any party verifying it be
>> able to use it in a meaningful way.
> Localhost in our case is a special IP address (here: sink). You are
> right, we should rename it and make clear that it is an IP address. So
> you can set is like you want.
>> It also seems to be in violation of what you write in Section 5.2 where
>> you state that "every publisher in the network MUST have an unique
>> identity.".
>>
>> You also indicated more complete information for inclusion in the
>> certificate but it is not clear to me what purpose it serves. Could you
>> explain?
> Will do it asap.
>> 7. Privacy
>>
>> In Section 5 you indicate some privacy related aspects and you hint to "
>> access regulations based on legal and regulative implications". Could
>> you briefly explain what those requirements are?
> This part we put in due to the deployment and project relations we are
> running at the moment.
> Here it means that not every device can be able to access the data, for
> example, due to legal issues in the region (EU, CH, US rights).
> This has to be stored central in the network and it has to be checked
> before giving access and creating the corresponding access ticket.
> Here we refer to the following publications:
> 
> Radhika Garg, Corinna Schmitt, Burkhard Stiller: /Investigating
> Regulative Implications for User-generated Content and a Design
> Proposal/; Degruyter, PIK-Praxis der Informationsverarbeitung und
> Kommunikation, Vol. 36, No. 4, December 2013, ISSN 0930-5157, pp 1–11.
> doi:10.1515/pik-2013-0042 <http://dx.doi.org/10.1515/pik-2013-0042> URL:
> http://www.degruyter.com/view/j/piko.ahead-of-print/pik-2013-0042/pik-2013-0042.xml
> 
> Radhika Garg, Christos Tsiaras, Burkhard Stiller, Corinna Schmitt,
> Daniel Dönni: /Deliverable D7.1 - Basics, Requirements, Scenarios, and
> Architecture: In FLAMINGO/; Radhika Garg (Edt.), Zürich, Switzerland,
> October 2013
>> 8. Use Cases.
>>
>> I suggest to omit the use cases from the document since the description
>> is too brief to be useful. A small remark: From my work in the emergency
>> services environment I had gotten the impression that there are no plans
>> to take sensor input directly when initiating alerts. In fact, sensor
>> alerts do rarely even get directly to the emergency services authorities
>> but are rather pre-processed by an intermediate organization (by
>> humans). Maybe you have spoken with other people, who have different
>> plans. Where did you got your information from?
> This section is based on discussion with our project partners within
> SmartenIT (www.smartenit.eu) and Flamingo ( http://www.fp7-flamingo.eu).
> <http://www.fp7-flamingo.eu>
> 
>> 9. Architecture
>>
>> Figure 3 shows the architecture but it is a bit confusing since it is
>> not clear what the boxes and the lines mean. The publisher is a box
>> separate from the sensors and from the earlier description I thought
>> that the sensors are actually the publishers. Furthermore, the gateway
>> was not discussed as a role up to that point in the document. The
>> gateway shows up in Section 5.3 and its role confuses me. You write:
>>
>> "  A sensor node has published its data, which is transmitted in
>>    direction to the global sink (cf. Figure 3 where global sink is
>>    located in the gateway component).
>> "
>>
>> Does the sensor publish the data at the gateway? From the earlier
>> sections I thought that the subscriber talks to the publisher instead.
>> Is the gateway the subscriber? Why doesn't the sensor uploads the data
>> to some server instead (which is frequently done in today's IoT
>> deployments).
> Lots of comments.
> I will address and clarify them asap.
> Furthermore, I will add a legend to the Figure and perhaps modify it
> based on you aforementioned comments.
>> Why do you call the entire document "two-way authentication" when the
>> the two way authentication is just one small part of the overall
>> authentication procedure. In fact the two-way authentication is used
>> between the subscriber and the access control server (as shown in Figure
>> 4), and between the publisher and the gateway. Furthermore, there has to
>> be some authentication between the subscriber and the publisher as well
>> (at least I hope so).
>>
>> What is the purpose of the access ticket? It shows up in Section 5.3 and
>> I wonder why there is a need for an access ticket when the two parties
>> (subscriber and publisher) already have a certificate. Why cannot you
>> use the certificate for authentication with the publisher right away?
>>
>> Where do you see the access control server being deployed? Is this an
>> entity in the local network or something you would have on the Internet?
>>
>> Why does the publisher have to authenticate to the gateway? From Figure
>> 4 it is not clear whether the gateway is just an optional component or
>> an integral part of the architecture.
>>
>> The document does not explain what the access token is and how it is
>> exchanged between the subscriber and the publisher.
>>
>> Btw, the term CA standards for Certification Authority rather than
>> Certificate Authority.
> 
> Will be addressed soon.
>> 10. Hardware requirements.
>>
>> Hardware requirements typically are not appropriate for IETF documents.
>> While you make the argument that an RSA-based public key cryptosystem is
>> good enough from a performance point of view the currently mandatory
>> ciphersuites used in CoAP are based on ECC (for those that rely on
>> asymmetric crypto). While having hardware support for key storage is a
>> great idea I was wondering how much your architecture actually relies on
>> it. My impression that it would work fine just without a TPM chip. But
>> you might have more hardware experience than I have. Could you point me
>> to some hardware that you have in mind using?
>>
> We put this section for completeness and to show that an implementation
> exists.
> Concerning sensor nodes and TPM we are using OPAL from CSIRO. Trusting
> Computing becomes relevant nowadays when thinking about securing data.
> Drawback is that if the TPM chip is broken or you change something
> during booting everything is lost. Advantage is that the storage root
> key is stored safely and only derivates are used for your applications.
> 
> Hope to answer most important questions or comments now. Others will be
> addressed soon.
> You can also talk to me during IETF in London.
> 
> Regards,
> Corinna
> 
> 
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>

v2.23.0 | Report a Bug | By Email