IETF Logo Mail Archive

Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE

Michael StJohns <mstjohns@comcast.net> Wed, 27 July 2016 16:06 UTC

Return-Path: <mstjohns@comcast.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F118312D88B for <ace@ietfa.amsl.com>; Wed, 27 Jul 2016 09:06:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.987
X-Spam-Level:
X-Spam-Status: No, score=-3.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLye_Y0MhBwL for <ace@ietfa.amsl.com>; Wed, 27 Jul 2016 09:06:09 -0700 (PDT)
Received: from resqmta-po-04v.sys.comcast.net (resqmta-po-04v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 647C012DCEC for <ace@ietf.org>; Wed, 27 Jul 2016 09:06:08 -0700 (PDT)
Received: from resomta-po-20v.sys.comcast.net ([96.114.154.244]) by resqmta-po-04v.sys.comcast.net with SMTP id SRK8byPeWGkXBSRLTb0Wmd; Wed, 27 Jul 2016 16:06:07 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1469635567; bh=RfZ1hXvjZKNGmrG+VOUZ8A+gz9CKLGAx9mgPZ8/VAGE=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=dt63Dq/eOsFhJObhf9k7ahMVEQD3puRjGzjPYQnPgtwwv/1PrzC0krfcMayLuhK0U W2tv+oARn2DCbp+6FnB8+PsDL0Th/v7diYVJXtBeuxOXQ2RG/mHyx5jETRWKpxqwQt 0ssqfQEU14ckvO6EEthzswrMgS9D9c9O77xrqfCRbKDsH40OJVCjQgqH4I7qPd0tFf LfzYK4usiYPjLxHT1fXbrdwrWyJ6quMdh+dNj/cIslz60jCWj9e55k/hD4Mhm+BP16 qm5oqYVSPRPsfr79hVOTSYlrFu2FPmEg273LKnKlJkxaXpqxwdV1M6CQfKi2zSWTVB /m0Vpem1/WCfg==
Received: from [IPv6:2601:148:c000:1951:ccd7:589d:2636:a1d] ([IPv6:2601:148:c000:1951:ccd7:589d:2636:a1d]) by comcast with SMTP id SRLRbf4iGRT4NSRLRbzgVS; Wed, 27 Jul 2016 16:06:06 +0000
To: robert.cragie@gridmerge.com
References: <578F4D59.8050005@gmx.net> <8ca27108-a8b9-7b07-e752-656247716708@comcast.net> <HE1PR0601MB22030003D2913DA6096CB3E4FC0D0@HE1PR0601MB2203.eurprd06.prod.outlook.com> <a318cda7-ebf2-5a5c-d86a-9d67fb41a82f@comcast.net> <HE1PR0601MB2203D1C2C96278B23D71AD31FC0D0@HE1PR0601MB2203.eurprd06.prod.outlook.com> <f293e325-bea2-5c27-c677-563f05c60da0@cs.tcd.ie> <bf8531981ecd4a0db3607f9ef5328d38@VI1PR9003MB0237.MGDPHG.emi.philips.com> <8bbc028d-0960-3f93-ccc2-e8746fd98ca6@gmail.com> <579d47e5f90a43e194135e8c46c82159@VI1PR9003MB0237.MGDPHG.emi.philips.com> <CAHbuEH4Z071rdTf=x0bUKd3tkt_r-0k5-vXsYYeoHQrgH1AnTg@mail.gmail.com> <CAHbuEH6CnhHPoJ+pSsYxuUur-AQscLeHsJmEBs4je_cGAeLGsA@mail.gmail.com> <de53e908-9b1f-fe74-46fa-a78a07b8ea76@comcast.net> <CAHbuEH4oQyYi2MT8wN6gHbyGg6wWUFfbV8oJ6MKRempVetY4yw@mail.gmail.com> <f582bf5a1daf4f25af17f62592c284ce@HE1PR9003MB0234.MGDPHG.emi.philips.com> <CADrU+dLu7NyjOw0hMUavA_BBu=HJoWuSX6brHjQhYz=ZBxLJkA@mail.gmail.com>
From: Michael StJohns <mstjohns@comcast.net>
Message-ID: <691e0edb-ad66-932b-56f9-c6af763611e4@comcast.net>
Date: Wed, 27 Jul 2016 12:06:15 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CADrU+dLu7NyjOw0hMUavA_BBu=HJoWuSX6brHjQhYz=ZBxLJkA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4wfA1E2eg/FwGLRtKB9QjptGz/Fq1qqYK4JFZya2gXlKx4MPdQLKsvsZKzhawyCvhGvOUcngHTdx/3paCacC+NwqfSRjCen4BkJKxqiTpQbtQeqzq+88JK +B8Kq/EaVdvHEKZZ72P+FaZfvOn8SRpc/6PKkctte7TWod/xAgw0mY8hOLl+JymVr9BzliqeO/iVjHHaURJJ5lWmgkjcXpCBG5UuCLGHFz/vOMgk1oH7YTty runbFtJg+K1eGr/u/6E87YcqytJahlPIovCu8HxnM5INjB1FS9S3/tv4JUpvUOmLsrPbf2MMm3WGerq+Ry/IVQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/_oYDpWSq5w_Jup2i5m77s9Fu40g>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "Garcia Morchon O, Oscar" <oscar.garcia@philips.com>, "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 16:06:11 -0000

On 7/26/2016 7:55 PM, Robert Cragie wrote:
> Mike,
>
> My concern with this thread is that you seem to have a very 
> black/white assumption regarding the use of a symmetric group key. 
> Defining a protocol which allows use of a symmetric group key does not 
> in itself imply that it will be misused. It's a bit like saying we 
> can't design an automobile because the driver may be inept and cause a 
> serious accident.

Hi Robert -

I tend to have a very black/white assumption with most of the laws of 
physics.

>
> However, I do agree with almost all the statements you have made 
> regarding the use of a symmetric group key apart from this one:
>
> MSJ >The receiver has no guaranteed way of knowing whether or not ANY 
> group member is compromised so the authentication is pretty much 
> meaningless.
>
> It is not meaningless, it still applies to the holder of the group 
> key. Sure, one of the group could be compromised and as you say 
> purport to be any member of the group (and there are still probably 
> mitigations against this) but an entity outside of the group will not 
> be able to purport to be in the group.

I remain confused as to how you think that is.

I'm not a member of the group, but I convinced a member of the group to 
give me his copy of the group key (e.g. I broke in and stole it and he 
was none the wiser).  How do you differentiate between me and him?  In a 
message, what cryptographic evidence proves that a message came from a 
member of the group?  If you say group key, I say "stolen".

I'm a member of the group but a bad actor - I'm masquerading as a 
controller instead of an actuator.  How do you prove I'm not a 
controller?  In a message, what cryptographic evidence proves that the 
message came from a controller?  If you say group key, I say "hacked".

Forget for a moment about the process of getting keys to the various 
devices (e.g. let's leave off the key management topic for a moment) and 
consider this case::

A device builder builds 1000 devices, of which 900 are lightbulbs and 
100 are lightswitches and installs within all of them a single group 
key.  That group key is used - as is being described here - as the key 
for the switches to control all of the light bulbs.

Note that at this point we're effectively at the same place a mesh with 
a key management protocol that is distributing a group key would be.  We 
just got there manually.

An attacker manages to get his hands on one of the lightbulbs and 
extracts the group key.  He places his own device in the system which 
has the lighting network  interface on one side, a more general IP 
network interface on the other (complete with HTTP or Telnet or 
somesuch), and contains a copy of the group key and all the relevant 
protocols. Whenever the attacker wants,  he may use that group key to 
send out a control message to any of the lightbulbs.

The addition of a key management protocol to distribute symmetric group 
keys does not improve this much if at all -- UNLESS you have wickedly 
good compromise detection mechanisms that allow you to identify and 
eject bad actors quickly.  But I can't actually think of a scenario 
where depending on good compromise detection without a human in the loop 
works well.

Continuing - the addition of the key management protocol allows you to 
update the group key and hopefully send it to only good actors. But, 
even that provides little or no mitigation as an attacker can a) steal 
the identity keys for a device and passively tap the over the air 
negotiations. b) if that doesn't work, can steal the identity keys and 
replace a legitimate device with his own clone and use that to fake 
control messages, c) re-purpose an existing device to tell him the keys, 
etc.   There are mitigations for most of these, but they require secure 
elements.  Once you have secure elements, then the argument for not 
doing public key pretty much goes away.

> So it is not meaningless. There are many cases where groups can be 
> small and therefore (as you explain) the impact of compromise decreases.

It really is meaningless when N > 2.  And becomes even more meaningless 
(true, hard to go down from zero...) as N increases.




>
> This leads to the points Abhinav and Kathleen have made. Security 
> policies can be put in place to limit the scope and distribution of 
> group keys. If the potential number in a group for a particular use 
> case (taking into account all the properties of that use case which 
> may provide additional mitigation) exceeds a certain amount then we 
> can recommend that symmetric group keys are not used.

You and I agree here.  My number is 3.  (It's actually 2, but Kerberos 
like systems are actually somewhat useful so its 3 with caveats).   I 
haven't heard an argument that makes sense for anything larger.



>
> You mentioned secure element in an earlier e-mail; these facilities 
> are becoming more widely available and cheaper and are starting to 
> appear in low-cost microcontrollers today. As indeed are crypto 
> elements, which would then suggest the use of signing+verifying would 
> be more appropriate as you suggest.
>
> In a nutshell, I agree with your assessment regarding symmetric group 
> keys but there are always tradeoffs and I don't see how we can ban 
> something simply because it might be problematic if misused.

Hmm... the IETF seems poised to ban clear-text transmissions of any kind 
because they might be problematic if misused...

Never mind.  In any case, Cyber-Physical is a different beast. We've 
started to see an upswing of attacks on poorly secured physical systems 
(power, military drones, etc).  I'm not sanguine about introducing a 
known bad solution that CANNOT be made secure without other assumptions 
(e.g. the secure element stuff).


I've sketched out a few symmetric key multicast protocols that might 
work with secure elements, but they all require an interesting thing to 
provide any guarantees - that the secure element be able to prove 
(during the key exchange/update protocol) that it is a secure element by 
the definition of the protocol.  Think of it this way - it doesn't help 
to build a protocol that depends on secure elements for guarantees, if 
you can trivially defeat those guarantees by introducing a device that 
implements the protocols, but doesn't actually keep the keys in a secure 
element.

So, I fall back on public key systems as being a lot less complex, a lot 
more flexible and a lot easier to understand than the nuances of 
symmetric key multicast.

Later, Mike




>
> Robert
>

v2.23.0 | Report a Bug | By Email