Re: [Ace] Group Communication Security Disagreements

Michael StJohns <mstjohns@comcast.net> Thu, 21 July 2016 13:48 UTC

Return-Path: <mstjohns@comcast.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AFBB12D5CB for <ace@ietfa.amsl.com>; Thu, 21 Jul 2016 06:48:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.987
X-Spam-Level:
X-Spam-Status: No, score=-3.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nye5diyl0ujq for <ace@ietfa.amsl.com>; Thu, 21 Jul 2016 06:48:27 -0700 (PDT)
Received: from resqmta-ch2-11v.sys.comcast.net (resqmta-po-11v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FEBB12D51D for <ace@ietf.org>; Thu, 21 Jul 2016 06:48:25 -0700 (PDT)
Received: from resomta-po-03v.sys.comcast.net ([96.114.154.227]) by resqmta-po-11v.sys.comcast.net with SMTP id QEKsbYeuKEp5XQEKubHLQk; Thu, 21 Jul 2016 13:48:24 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1469108904; bh=UoQguL3x1sPUY6cTQM8P6cF7jcqeVUX9V31EolZtU7k=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=WwGFokLk9IuhYOFw5O9akuw0GBZK3/Zb0nc5h10eiRQ0nS66u9YWslelrb4iu6Ay0 n7w0bUWXrfxNUZKNd61W+xGHOAcTcuOsX7XcBNzk8OaZLd/cR2FTTHLo75TBDoXWQR o3MrbzavBcZtzNk3Rp1R1vIDP4unzPFCp4R6Bar5nmTTIUOrxjWdkkEsJ2MXnEaPZf JXpEzBhpmNx6bOWpR/dkLlwWlxKPYglLgndcPz6oNQ8vhwIcoCL2CsUH+p0uUhpxKi jScEm2qmk5zeBORU3cpGiihYCWZooF3vSzA34znBwnaa0iQfFDOdPWZCRdJXR/FCxA kLp+WgSdebfIA==
Received: from [IPv6:2001:67c:370:136:f5b6:8aca:fcf6:bf81] ([IPv6:2001:67c:370:136:f5b6:8aca:fcf6:bf81]) by comcast with SMTP id QEKgbgErmhUZtQEKmbIPON; Thu, 21 Jul 2016 13:48:21 +0000
To: ace@ietf.org
References: <57909032.10809@gmx.net>
From: Michael StJohns <mstjohns@comcast.net>
Message-ID: <6d259c5b-28e3-c748-4590-0c9f942fe343@comcast.net>
Date: Thu, 21 Jul 2016 09:48:13 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <57909032.10809@gmx.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4wfClSdWSIb2PzVaBwXDyHvIb1E+fqyOnxGs983sV9Bvc5eCEkD2VhSrTuaYTF7FNfLmDtSC3hlQu971xjPuDOVlDzLwjnhZtjtJd5Pzr0un3uSp8DwMKZ 16cskM2+Upj9lZPC400wxUP6j79io7voVLer1F9/MLsD0d7ogxpx2EXfVzXlvMphwC7kvbNAWOTGeA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/QG8biUdLe7OePZ8kQY__FzaU9Lg>
Subject: Re: [Ace] Group Communication Security Disagreements
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 13:48:28 -0000

On 7/21/2016 5:04 AM, Hannes Tschofenig wrote:
> Some other folks, including myself, believe that we would not just
> use the group key to determine the authorization decision but would
> instead rely on the authorization mechanism to prevent larger harm.
> This means that a compromised luminare would indeed turn on and off
> other luminaires in the group but they would not be able to successfully
> send commands to a door lock since those would (a) not use group
> communication and (b) if they use group communication then that would
> require an interaction with the authorization server to first obtain a
> different group key for such an interaction. Most likely there is no
> need for a luminare to obtain a group key for communicating with a door
> lock.


Hi Hannes -

If the protocol were constrained to a small number of group members - 
say 16 for example - then solving this problem is as simple as sending a 
control message with multiple message integrity tags - one per target 
device.  In the lighting problem, you could probably make this work with 
about a 3 byte overhead per device for a total of 48 MIC bytes (4 bits 
for EP identifier, 20 bits for the MIC) and still have reasonable 
security.   And all without having to have a group key.

If you go larger than this, then the group key becomes more attractive, 
but also less secure.   The probability of compromise of the group - if 
its an interesting target - approaches unity assuming physical access to 
any device in the group.

Without unique source identification (and for that matter role 
identification either inband or implicit) any compromised device results 
in your attacker being able to act as a controller for the group.  
Again, not a large problem (but a problem nonetheless) for a small group 
of lights inside an office behind locked doors. But a very large problem 
for a system that's possibly controlling 100 or 1000 lights in a group.

As I said at the microphone, if I thought you could just do this as the 
"ACE protocol for group control of lights" and keep people from using it 
for other things I'd be a lot less concerned (but still there's the 
whole threat of turning off all the lights in a building all at once).  
But the reality is this protocol will be used for control of things 
beyond lights and it would be irresponsible to standardize a protocol 
with a real possibility for direct real-world negative impacts on safety 
and health.

The way to solve this for a general involves public key cryptography - 
that's just how the security and physics and math work out.


Mike

ps - the idea of secure group multicast for controlling things is indeed 
a  wonderful idea - but think for a moment.   If it's such a great idea, 
why isn't it already in use somewhere?

MSEC did quite a lot of work on providing confidentiality for 
multicasted messages, but the work it did on integrity/authentication 
produced only a document that allowed you to authenticate the sender 
after the event was supposed to occur. (E.g. TESLA) That's probably not 
useful for controlling things in real time.

Given the amount of work that was done there, and in various academic 
settings and with a large number of people and with money and with 
impetus to make this work on symmetric key systems, why will ACE be more 
successful?  What has changed in our understanding of the problem and 
the solutions set?