Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE

Somaraju Abhinav <abhinav.somaraju@tridonic.com> Mon, 25 July 2016 12:21 UTC

From: Somaraju Abhinav <abhinav.somaraju@tridonic.com>
To: Michael StJohns <mstjohns@comcast.net>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Adoption of Low Latency Group Communication Security Work in ACE
Date: Mon, 25 Jul 2016 12:21:21 +0000
Message-ID: <HE1PR0601MB22030003D2913DA6096CB3E4FC0D0@HE1PR0601MB2203.eurprd06.prod.outlook.com>
References: <578F4D59.8050005@gmx.net> <5E393DF26B791A428E5F003BB6C5342AB3716D64@OC11EXPO33.exchange.mit.edu> <23666.1469091857@obiwan.sandelman.ca> <95b0103c-ba2d-6cd8-6241-228df46e530b@sics.se> <8ca27108-a8b9-7b07-e752-656247716708@comcast.net>
In-Reply-To: <8ca27108-a8b9-7b07-e752-656247716708@comcast.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/aURFDc4d8EFtIL0rxsGUORjmW1M>

Hi Mike,

The group key is also the authorization key in the model proposed.  Any entity that holds that key can forge a message that can cause the action authorized by the issuance of that key. In your example, assuming that the door lock and the lightbulb share the same group key, then compromising the lightbulb allows you to control the door lock.
[AS] This is not the model we have in mind in the document. It is clear that the document needs some more specification work which relies on OSCOAP/COSE being complete. However, if you look at sections 3.3 and 3.4 both the AT-R and AT-KDC assume that there is a field "Scope" which mentions permissions of the entity holding the token including "which resources may be accessed with the token". So, compromising a lightbulb group key does not automatically imply that the door-lock can be controlled with the same key.

In general, authentication comes with the key that you have - authorization is then tied to that key. In DTLS (as in TLS), your session key is also your authorization key once your TLS session is tied to a particular identity (e.g. via an HTTP login, via a client cert exchange, via OAuth).

So - cosmetic differences only.

Mike

/Ludwig

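As an added illustration of the two positions in this exchange (not code from the draft, from OSCOAP/COSE, or from either author), the following models a receiver that treats any valid MAC under a group key as authorization (model A) beside one that also checks the requested resource against a scope that a hypothetical KDC bound to that key when it issued it (model B). Group names, key ids, resource paths and key bytes are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample keys: two groups provisioned by a hypothetical KDC.
# Values are made up for this example, not taken from any draft.
GROUP_KEYS = {
    "kid-lighting": b"constructed-lighting-group-key",
    "kid-locks": b"constructed-lock-group-key",
}

# Scope the hypothetical KDC bound to each key at issuance: the only
# resources a message protected with that key may act on.
KEY_SCOPE = {
    "kid-lighting": {"/light/state"},
    "kid-locks": {"/lock/state"},
}

def protect(kid, resource, payload):
    """Sender side: MAC the (kid, resource, payload) triple with the group key."""
    msg = kid.encode() + b"\x00" + resource.encode() + b"\x00" + payload
    return hmac.new(GROUP_KEYS[kid], msg, hashlib.sha256).digest()

def mac_valid(kid, resource, payload, tag):
    """Receiver side, model A (key possession is authorization): any valid MAC is enough."""
    if kid not in GROUP_KEYS:
        return False
    return hmac.compare_digest(protect(kid, resource, payload), tag)

def accept_with_scope(kid, resource, payload, tag):
    """Receiver side, model B: valid MAC and the resource lies inside the scope bound to the key."""
    return mac_valid(kid, resource, payload, tag) and resource in KEY_SCOPE.get(kid, set())

def compromised_bulb_forgery():
    """Mike's scenario: a bulb holding the lighting key addresses the lock.
    Returns (accepted under model A, accepted under model B)."""
    kid, resource, payload = "kid-lighting", "/lock/state", b"unlock"
    tag = protect(kid, resource, payload)  # the bulb legitimately holds this key
    return mac_valid(kid, resource, payload, tag), accept_with_scope(kid, resource, payload, tag)

def relabelled_kid_forgery():
    """The bulb claims the locks key id but can only MAC with the lighting key."""
    resource, payload = "/lock/state", b"unlock"
    msg = b"kid-locks\x00" + resource.encode() + b"\x00" + payload
    tag = hmac.new(GROUP_KEYS["kid-lighting"], msg, hashlib.sha256).digest()
    return mac_valid("kid-locks", resource, payload, tag), accept_with_scope("kid-locks", resource, payload, tag)

def legitimate_lock_command():
    """A holder of the locks group key commanding the lock passes under both models."""
    kid, resource, payload = "kid-locks", "/lock/state", b"unlock"
    tag = protect(kid, resource, payload)
    return mac_valid(kid, resource, payload, tag), accept_with_scope(kid, resource, payload, tag)
```

Under model B the scope is anchored to the key the receiver actually verifies with, so a message relabelled with another group's key id fails the MAC check before scope is consulted.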