Re: [Ace] Security of the Communication Between C and RS

Sebastian Echeverria <secheverria@sei.cmu.edu> Thu, 20 December 2018 14:27 UTC

Return-Path: <secheverria@sei.cmu.edu>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B62812894E for <ace@ietfa.amsl.com>; Thu, 20 Dec 2018 06:27:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sei.cmu.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3HSOxM0IwBfj for <ace@ietfa.amsl.com>; Thu, 20 Dec 2018 06:27:13 -0800 (PST)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45C06126CB6 for <ace@ietf.org>; Thu, 20 Dec 2018 06:27:12 -0800 (PST)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id wBKEQYqC012859; Thu, 20 Dec 2018 09:26:34 -0500
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu wBKEQYqC012859
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sei.cmu.edu; s=t52kn2igOmwp; t=1545315996; bh=mpfFZOA2P3Vc0AIK4KZkU5CLGsYezAwa0nj5gU8M4YI=; h=From:To:Subject:Date:References:In-Reply-To:From; b=kEia/lSo1frV6seExKzaIZXGVkzQCl86oQ3qZK9m4QBlcmc/GSHwmhH04eTo/aAUM cnTsj3kHZbI0rERtNxLBnf/gtGW6mfJDgQJ++KoZgovLijtbXfzjbJWQzT8ZLoUWuf mmR0oIBXcja4URCcIRkhzCpkrZNydt971ifd2z9A=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id wBKEQPbM048238; Thu, 20 Dec 2018 09:26:25 -0500
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0415.000; Thu, 20 Dec 2018 09:26:25 -0500
From: Sebastian Echeverria <secheverria@sei.cmu.edu>
To: Ludwig Seitz <ludwig.seitz@ri.se>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Stefanie Gerdes <gerdes@tzi.de>, Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Security of the Communication Between C and RS
Thread-Index: AQHUl54xbWo2xcpeMkGAUWY2S07HVKWHrXNQ
Date: Thu, 20 Dec 2018 14:26:24 +0000
Message-ID: <45D237D6DC600143A1C52C1C82BEBD1AABE14CAE@marathon>
References: <154322421294.8323.8505315870685563404.idtracker@ietfa.amsl.com> <945fbebe-659f-ac72-3ab6-8e05447e7c92@ri.se> <1c5b81f3-50ce-be68-bec3-68ce2ff15b43@tzi.de> <4ae4eccd-68bf-18ef-f909-142f8172eca1@ri.se> <81ba3ab4-a9ce-a6fd-fbe6-c36a6fbbd9a5@tzi.de> <VI1PR0801MB2112E04F9FD7412350995417FAA20@VI1PR0801MB2112.eurprd08.prod.outlook.com> <b994af16-9bb8-4386-e7d2-321e453417fc@ri.se> <VI1PR0801MB21124D7C11F3A1F49DCA9A2CFABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <VI1PR0801MB21126DDCCA251EEB8DB21DAAFABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <dff54c41-9598-8f77-83ec-f4494703d923@tzi.de> <VI1PR0801MB21125D384A3DE6BD90AEDB74FABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <b79ea204-0d7d-3968-6ea5-cd33d5502380@tzi.de> <VI1PR0801MB2112F215E8DF2E8AC34F217FFABE0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <e42032d6-ad15-26d2-cdbb-aaa34900d1ad@tzi.de> <9f35177f-30d4-817e-dfc3-9a54903ab023@ri.se> <VI1PR0801MB2112BA2A400D660DC32B7293FABE0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <f441528a-aba4-8556-0493-2e12a38e4133@ri.se>
In-Reply-To: <f441528a-aba4-8556-0493-2e12a38e4133@ri.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/LruHf490tZpOe7BLshJsyXeQLwY>
Subject: Re: [Ace] Security of the Communication Between C and RS
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2018 14:27:16 -0000

Hello,

>> If it is detected the AS would revoke the token. Then the client _could_ use client introspection to get that information. Note that this is what the CMU people are looking at.

Yes, handling compromised RSs is in fact something that we have been looking into. Our main concern is that in our scenarios, the environment is expected to be very hostile and connection is limited and intermittent (disadvantaged or DIL networks). Since we wanted to add some support for revoking tokens, without having to modify the framework to handle token revocation explicitly, what we ended up doing was using client introspection, along with some caveats and some considerations, to be able to add this functionality, besides also having ways to handle expired tokens. The main advantage of this is, again, that we aren't really modifying or even extending the ACE framework, but just taking advantage of functionality that is already there to implement this functionality, which makes sense in our use case.

In fact, we were looking into writing a BCP-like document suggesting ways to do this based on what we did. We were envisioning this as maybe the starting point of a document containing practices on how to better handle client communications with OAuth/ACE when we are dealing with disadvantaged networks and hostile environments. If there is interest in the group, we could share that document here, and maybe discuss what other practices could be added to it.

Thanks,

---
Sebastian Echeverria
Tactical Technologies Group (TTG)
Software Engineering Institute
Carnegie Mellon University



-----Original Message-----
From: Ludwig Seitz [mailto:ludwig.seitz@ri.se] 
Sent: Wednesday, December 19, 2018 8:24 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>om>; Stefanie Gerdes <gerdes@tzi.de>de>; Jim Schaad <ietf@augustcellars.com>om>; ace@ietf.org
Subject: Re: [Ace] Security of the Communication Between C and RS

On 19/12/2018 14:04, Hannes Tschofenig wrote:
> Thanks, Ludwig. The list of steps below help me to understand the concern.
> 
> ----
> 
> 
> 1.) C obtains token and pop-key from AS
> 2.) C transmits token to RS and sets up secure communication (e.g.
> DTLS-PSK) using the pop-key
> 3.) C sends secure requests to the RS
> 4.) token expires, an attacker manages to get hold of the pop-key
> 5.) C continues to send requests containing sensitive information to the RS , attacker can now read the messages and spoof positive responses from the RS. C never notices that the token is invalid and that it is actually talking to the attacker.
> 

> ----
> 
> In step (4) you tie the expiry of the token to the attacker getting 
> hold of the key. What happens if the attacker gets hold of the pop key 
> before the token expires?

If it is detected the AS would revoke the token. Then the client _could_ use client introspection to get that information. Note that this is what the CMU people are looking at.

> Additionally, if you use DTLS/TLS just having the PoP key still 
> requires the attacker to run a new DTLS/TLS handshake with the RS.

If the pop-key was used as a basis for doing a DTLS-PSK handshake, the attacker should be able to hijack the connection and impersonate either party.


> It would also be useful to know where the attacker got the PoP key 
> from and how you can even detect the compromise.

That is a different story entirely. You could imagine the case of an RS improperly deleting an expired token and the associated pop-key, and then being subject to a physical attack that recovers that information.

> 
> Additionally, there is the question why the RS wouldn't stop 
> communicating if the token expired since it has that information.

The RS would indeed stop, but since the token is opaque to the client, it has no way of knowing that the token has expired, and our clever attacker is using the pop-key to impersonate the RS and maintain the illusion that the connection is still alive an running.

> Normally, the idea is that the RS has a protected resource and the 
> client wants to access it. That's why the RS is asking the client to 
> send a token that gives it access.
>

Yes but say e.g. that the RS is a message broker and the client is a publisher, writing sensitive data to the RS.


I think Steffi's point definitely warrants text in the security 
considerations, outlining how a client could detect that a token has 
expired.

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51