Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE
Michael StJohns <mstjohns@comcast.net> Wed, 27 July 2016 16:06 UTC
Return-Path: <mstjohns@comcast.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F118312D88B for <ace@ietfa.amsl.com>; Wed, 27 Jul 2016 09:06:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.987
X-Spam-Level:
X-Spam-Status: No, score=-3.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLye_Y0MhBwL for <ace@ietfa.amsl.com>; Wed, 27 Jul 2016 09:06:09 -0700 (PDT)
Received: from resqmta-po-04v.sys.comcast.net (resqmta-po-04v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 647C012DCEC for <ace@ietf.org>; Wed, 27 Jul 2016 09:06:08 -0700 (PDT)
Received: from resomta-po-20v.sys.comcast.net ([96.114.154.244]) by resqmta-po-04v.sys.comcast.net with SMTP id SRK8byPeWGkXBSRLTb0Wmd; Wed, 27 Jul 2016 16:06:07 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1469635567; bh=RfZ1hXvjZKNGmrG+VOUZ8A+gz9CKLGAx9mgPZ8/VAGE=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=dt63Dq/eOsFhJObhf9k7ahMVEQD3puRjGzjPYQnPgtwwv/1PrzC0krfcMayLuhK0U W2tv+oARn2DCbp+6FnB8+PsDL0Th/v7diYVJXtBeuxOXQ2RG/mHyx5jETRWKpxqwQt 0ssqfQEU14ckvO6EEthzswrMgS9D9c9O77xrqfCRbKDsH40OJVCjQgqH4I7qPd0tFf LfzYK4usiYPjLxHT1fXbrdwrWyJ6quMdh+dNj/cIslz60jCWj9e55k/hD4Mhm+BP16 qm5oqYVSPRPsfr79hVOTSYlrFu2FPmEg273LKnKlJkxaXpqxwdV1M6CQfKi2zSWTVB /m0Vpem1/WCfg==
Received: from [IPv6:2601:148:c000:1951:ccd7:589d:2636:a1d] ([IPv6:2601:148:c000:1951:ccd7:589d:2636:a1d]) by comcast with SMTP id SRLRbf4iGRT4NSRLRbzgVS; Wed, 27 Jul 2016 16:06:06 +0000
To: robert.cragie@gridmerge.com
References: <578F4D59.8050005@gmx.net> <8ca27108-a8b9-7b07-e752-656247716708@comcast.net> <HE1PR0601MB22030003D2913DA6096CB3E4FC0D0@HE1PR0601MB2203.eurprd06.prod.outlook.com> <a318cda7-ebf2-5a5c-d86a-9d67fb41a82f@comcast.net> <HE1PR0601MB2203D1C2C96278B23D71AD31FC0D0@HE1PR0601MB2203.eurprd06.prod.outlook.com> <f293e325-bea2-5c27-c677-563f05c60da0@cs.tcd.ie> <bf8531981ecd4a0db3607f9ef5328d38@VI1PR9003MB0237.MGDPHG.emi.philips.com> <8bbc028d-0960-3f93-ccc2-e8746fd98ca6@gmail.com> <579d47e5f90a43e194135e8c46c82159@VI1PR9003MB0237.MGDPHG.emi.philips.com> <CAHbuEH4Z071rdTf=x0bUKd3tkt_r-0k5-vXsYYeoHQrgH1AnTg@mail.gmail.com> <CAHbuEH6CnhHPoJ+pSsYxuUur-AQscLeHsJmEBs4je_cGAeLGsA@mail.gmail.com> <de53e908-9b1f-fe74-46fa-a78a07b8ea76@comcast.net> <CAHbuEH4oQyYi2MT8wN6gHbyGg6wWUFfbV8oJ6MKRempVetY4yw@mail.gmail.com> <f582bf5a1daf4f25af17f62592c284ce@HE1PR9003MB0234.MGDPHG.emi.philips.com> <CADrU+dLu7NyjOw0hMUavA_BBu=HJoWuSX6brHjQhYz=ZBxLJkA@mail.gmail.com>
From: Michael StJohns <mstjohns@comcast.net>
Message-ID: <691e0edb-ad66-932b-56f9-c6af763611e4@comcast.net>
Date: Wed, 27 Jul 2016 12:06:15 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CADrU+dLu7NyjOw0hMUavA_BBu=HJoWuSX6brHjQhYz=ZBxLJkA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4wfA1E2eg/FwGLRtKB9QjptGz/Fq1qqYK4JFZya2gXlKx4MPdQLKsvsZKzhawyCvhGvOUcngHTdx/3paCacC+NwqfSRjCen4BkJKxqiTpQbtQeqzq+88JK +B8Kq/EaVdvHEKZZ72P+FaZfvOn8SRpc/6PKkctte7TWod/xAgw0mY8hOLl+JymVr9BzliqeO/iVjHHaURJJ5lWmgkjcXpCBG5UuCLGHFz/vOMgk1oH7YTty runbFtJg+K1eGr/u/6E87YcqytJahlPIovCu8HxnM5INjB1FS9S3/tv4JUpvUOmLsrPbf2MMm3WGerq+Ry/IVQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/_oYDpWSq5w_Jup2i5m77s9Fu40g>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "Garcia Morchon O, Oscar" <oscar.garcia@philips.com>, "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 16:06:11 -0000
On 7/26/2016 7:55 PM, Robert Cragie wrote: > Mike, > > My concern with this thread is that you seem to have a very > black/white assumption regarding the use of a symmetric group key. > Defining a protocol which allows use of a symmetric group key does not > in itself imply that it will be misused. It's a bit like saying we > can't design an automobile because the driver may be inept and cause a > serious accident. Hi Robert - I tend to have a very black/white assumption with most of the laws of physics. > > However, I do agree with almost all the statements you have made > regarding the use of a symmetric group key apart from this one: > > MSJ >The receiver has no guaranteed way of knowing whether or not ANY > group member is compromised so the authentication is pretty much > meaningless. > > It is not meaningless, it still applies to the holder of the group > key. Sure, one of the group could be compromised and as you say > purport to be any member of the group (and there are still probably > mitigations against this) but an entity outside of the group will not > be able to purport to be in the group. I remain confused as to how you think that is. I'm not a member of the group, but I convinced a member of the group to give me his copy of the group key (e.g. I broke in and stole it and he was none the wiser). How do you differentiate between me and him? In a message, what cryptographic evidence proves that a message came from a member of the group? If you say group key, I say "stolen". I'm a member of the group but a bad actor - I'm masquerading as a controller instead of an actuator. How do you prove I'm not a controller? In a message, what cryptographic evidence proves that the message came from a controller? If you say group key, I say "hacked". Forget for a moment about the process of getting keys to the various devices (e.g. let's leave off the key management topic for a moment) and consider this case:: A device builder builds 1000 devices, of which 900 are lightbulbs and 100 are lightswitches and installs within all of them a single group key. That group key is used - as is being described here - as the key for the switches to control all of the light bulbs. Note that at this point we're effectively at the same place a mesh with a key management protocol that is distributing a group key would be. We just got there manually. An attacker manages to get his hands on one of the lightbulbs and extracts the group key. He places his own device in the system which has the lighting network interface on one side, a more general IP network interface on the other (complete with HTTP or Telnet or somesuch), and contains a copy of the group key and all the relevant protocols. Whenever the attacker wants, he may use that group key to send out a control message to any of the lightbulbs. The addition of a key management protocol to distribute symmetric group keys does not improve this much if at all -- UNLESS you have wickedly good compromise detection mechanisms that allow you to identify and eject bad actors quickly. But I can't actually think of a scenario where depending on good compromise detection without a human in the loop works well. Continuing - the addition of the key management protocol allows you to update the group key and hopefully send it to only good actors. But, even that provides little or no mitigation as an attacker can a) steal the identity keys for a device and passively tap the over the air negotiations. b) if that doesn't work, can steal the identity keys and replace a legitimate device with his own clone and use that to fake control messages, c) re-purpose an existing device to tell him the keys, etc. There are mitigations for most of these, but they require secure elements. Once you have secure elements, then the argument for not doing public key pretty much goes away. > So it is not meaningless. There are many cases where groups can be > small and therefore (as you explain) the impact of compromise decreases. It really is meaningless when N > 2. And becomes even more meaningless (true, hard to go down from zero...) as N increases. > > This leads to the points Abhinav and Kathleen have made. Security > policies can be put in place to limit the scope and distribution of > group keys. If the potential number in a group for a particular use > case (taking into account all the properties of that use case which > may provide additional mitigation) exceeds a certain amount then we > can recommend that symmetric group keys are not used. You and I agree here. My number is 3. (It's actually 2, but Kerberos like systems are actually somewhat useful so its 3 with caveats). I haven't heard an argument that makes sense for anything larger. > > You mentioned secure element in an earlier e-mail; these facilities > are becoming more widely available and cheaper and are starting to > appear in low-cost microcontrollers today. As indeed are crypto > elements, which would then suggest the use of signing+verifying would > be more appropriate as you suggest. > > In a nutshell, I agree with your assessment regarding symmetric group > keys but there are always tradeoffs and I don't see how we can ban > something simply because it might be problematic if misused. Hmm... the IETF seems poised to ban clear-text transmissions of any kind because they might be problematic if misused... Never mind. In any case, Cyber-Physical is a different beast. We've started to see an upswing of attacks on poorly secured physical systems (power, military drones, etc). I'm not sanguine about introducing a known bad solution that CANNOT be made secure without other assumptions (e.g. the secure element stuff). I've sketched out a few symmetric key multicast protocols that might work with secure elements, but they all require an interesting thing to provide any guarantees - that the secure element be able to prove (during the key exchange/update protocol) that it is a secure element by the definition of the protocol. Think of it this way - it doesn't help to build a protocol that depends on secure elements for guarantees, if you can trivially defeat those guarantees by introducing a device that implements the protocols, but doesn't actually keep the keys in a secure element. So, I fall back on public key systems as being a lot less complex, a lot more flexible and a lot easier to understand than the nuances of symmetric key multicast. Later, Mike > > Robert >
- Re: [Ace] Adoption of Low Latency Group Communica… Rene Struik
- Re: [Ace] Adoption of Low Latency Group Communica… Kumar, Sandeep
- Re: [Ace] Adoption of Low Latency Group Communica… Michael StJohns
- Re: [Ace] Adoption of Low Latency Group Communica… Kumar, Sandeep
- Re: [Ace] Adoption of Low Latency Group Communica… Stephen Farrell
- Re: [Ace] Adoption of Low Latency Group Communica… Eliot Lear
- Re: [Ace] Adoption of Low Latency Group Communica… Michael StJohns
- Re: [Ace] Adoption of Low Latency Group Communica… Somaraju Abhinav
- Re: [Ace] Adoption of Low Latency Group Communica… Somaraju Abhinav
- Re: [Ace] Adoption of Low Latency Group Communica… Michael StJohns
- Re: [Ace] Adoption of Low Latency Group Communica… Somaraju Abhinav
- Re: [Ace] Adoption of Low Latency Group Communica… Somaraju Abhinav
- Re: [Ace] Adoption of Low Latency Group Communica… Derek Atkins
- Re: [Ace] Adoption of Low Latency Group Communica… Jim Schaad
- Re: [Ace] Adoption of Low Latency Group Communica… Ludwig Seitz
- Re: [Ace] Adoption of Low Latency Group Communica… Michael StJohns
- Re: [Ace] Adoption of Low Latency Group Communica… Eliot Lear
- Re: [Ace] Adoption of Low Latency Group Communica… Michael StJohns
- Re: [Ace] Adoption of Low Latency Group Communica… Michael Richardson
- Re: [Ace] Adoption of Low Latency Group Communica… Michael Richardson
- Re: [Ace] Adoption of Low Latency Group Communica… Hannes Tschofenig
- Re: [Ace] Adoption of Low Latency Group Communica… Thomas Hardjono
- Re: [Ace] Adoption of Low Latency Group Communica… Kumar, Sandeep
- Re: [Ace] Adoption of Low Latency Group Communica… Rahman, Akbar
- Re: [Ace] Adoption of Low Latency Group Communica… Smith, Ned
- [Ace] Adoption of Low Latency Group Communication… Hannes Tschofenig
- Re: [Ace] Adoption of Low Latency Group Communica… Michael StJohns
- Re: [Ace] Adoption of Low Latency Group Communica… Robert Cragie
- Re: [Ace] Adoption of Low Latency Group Communica… Michael StJohns
- Re: [Ace] Adoption of Low Latency Group Communica… Eliot Lear
- Re: [Ace] Adoption of Low Latency Group Communica… Grunwald, Markus
- Re: [Ace] Adoption of Low Latency Group Communica… Robert Cragie
- Re: [Ace] Adoption of Low Latency Group Communica… Garcia Morchon O, Oscar
- Re: [Ace] Adoption of Low Latency Group Communica… Kathleen Moriarty
- Re: [Ace] Adoption of Low Latency Group Communica… Eliot Lear
- Re: [Ace] Adoption of Low Latency Group Communica… Somaraju Abhinav
- Re: [Ace] Adoption of Low Latency Group Communica… Michael StJohns
- Re: [Ace] Adoption of Low Latency Group Communica… Kathleen Moriarty
- Re: [Ace] Adoption of Low Latency Group Communica… Eliot Lear
- Re: [Ace] Adoption of Low Latency Group Communica… Kathleen Moriarty
- Re: [Ace] Adoption of Low Latency Group Communica… Kathleen Moriarty
- Re: [Ace] Adoption of Low Latency Group Communica… Somaraju Abhinav
- Re: [Ace] Adoption of Low Latency Group Communica… Michael StJohns
- Re: [Ace] Adoption of Low Latency Group Communica… Carsten Bormann
- Re: [Ace] Adoption of Low Latency Group Communica… Ludwig Seitz