IETF Logo Mail Archive

Re: [Ace] AD review of draft-ietf-ace-dtls-authorize-09

Benjamin Kaduk <kaduk@mit.edu> Thu, 02 July 2020 03:12 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBE063A0982; Wed, 1 Jul 2020 20:12:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7hc7pHXPvJ9Z; Wed, 1 Jul 2020 20:12:11 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 540E23A0979; Wed, 1 Jul 2020 20:12:11 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0623C2Om031009 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 1 Jul 2020 23:12:04 -0400
Date: Wed, 01 Jul 2020 20:12:01 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Olaf Bergmann <bergmann@tzi.org>
Cc: Jim Schaad <ietf@augustcellars.com>, 'Carsten Bormann' <cabo@tzi.org>, ace@ietf.org, draft-ietf-ace-dtls-authorize.all@ietf.org
Message-ID: <20200702031201.GN58278@kduck.mit.edu>
References: <20200429011210.GC27494@kduck.mit.edu> <87mu6bn6zy.fsf@wangari> <20200527234227.GD58497@kduck.mit.edu> <87r1uczgyq.fsf@wangari> <20200629224537.GX58278@kduck.mit.edu> <87mu4konya.fsf@wangari> <DB603021-7A82-4A30-BE07-C2D913E1C32F@tzi.org> <20200630162434.GM58278@kduck.mit.edu> <03ad01d64f14$66b0a080$3411e180$@augustcellars.com> <87imf7tzew.fsf@wangari>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87imf7tzew.fsf@wangari>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/YLj71wkuRqM2VeHbvQGvkrpFlTA>
Subject: Re: [Ace] AD review of draft-ietf-ace-dtls-authorize-09
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2020 03:12:13 -0000

On Wed, Jul 01, 2020 at 10:25:27AM +0200, Olaf Bergmann wrote:
> Hi Jim,
> 
> Jim Schaad <ietf@augustcellars.com> writes:
> 
> > If you are not doing a re-encoding of the token, then I believe that
> > preferred serialization and deterministic serialization are going to
> > generate the same answer.  With the map being used then this is not
> > true, and it is also true that the change in map ordering will hit
> > this.
> 
> There seems to be agreement on this, and therefore I will change the
> text following Carsten's proposal (use bytes for the access_tocken and
> state that preferred serialization and deterministic serialization
> should be used for the CBOR serialization.
> 
> > This is a piece of the document that I have never implemented
> > because I just don't believe that this option is a reasonable thing to
> > require being done so I missed the fact that the original encoded
> > token is not being used.
> 
> You haven't missed anything—the intention always was to use the original
> encoded token as transferred on the wire. The issue was introduced in
> this last unpublished change that should have clarified the
> serialization of the data structure that is used as input for the HKDF.
> 
> > There is a possible DOS attack by a MITM changing the encoding on the
> > token since it is not protected when posted to the RS.
> 
> Yes, this is inherent to the upload mechanism and unrelated to key
> derivation. My intention is to access-protect the token endpoint in my
> implementation such that only authorized clients can upload an access
> token.
> 
> > If this is going to be changed, I would say use the binary string
> > encoding from the bstr of the inner most COSE wrapping layer as the
> > input to minimize this.
> 
> Now you have lost me. The innermost COSE wrapping layer would be the one
> in the contents of the cnf claim, given that we do not invent claims
> that also can include COSE structures?

I think the intention is the "innermost COSE structure protecting the
[entire] access token", to accomodate the fact that the access token might
be COSE_Mac(), COSE_Encrypt(COSE_Mac()), etc., and not necessarily a fixed
number of layers of COSE protection between the access token ciphertext and
the CWT claim set.

-Ben

v2.23.0 | Report a Bug | By Email