IETF Logo Mail Archive

Re: [Ace] draft-ietf-ace-key-groupcomm-oscore

Marco Tiloca <marco.tiloca@ri.se> Fri, 31 January 2020 18:32 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCA40120B85; Fri, 31 Jan 2020 10:32:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=risecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c41t5OtUCFeC; Fri, 31 Jan 2020 10:32:03 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2041.outbound.protection.outlook.com [40.107.22.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31ACC120838; Fri, 31 Jan 2020 10:32:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UyboLUeEdPc9SilFx4M/DPe0/iDxFS+FVB7pTTXz1ik8d+pwCvNKBn+cdjlGxx2LOYU+q3sw7a7b/OWyGfgItvlryar9w5wYX7A8B0Hmvobs41YqS4aFIYOWkkBVIcwe8DMHRA4gPgnB4FP1ZYHKHn68XygqBRIRD7VIC+uw7bPY0zlh+q7otqxAkZANRiNxeGehCZHklFUHQlS21r3+abDMhrhuWrHCmtVcodlPlkbFeBZ+6KhQAFpTRQ+nEqYDF/WP/GLRkkwE3n3p5XRsgAmmX2gbY2Uu2tmAm92IoIHrhsHrs8N4LhMU4D+xDoyiO8+1qMw0g2SFJWIc5thRmg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AnZ+kt/aWqv1PzzNkKChCay5uT/0I1YxHrZDd8oY+iY=; b=aB/0PekFHtce9BRbcKwYd228rGOx10qxDOskjUIUNuURT1SWEMfaohsx+oWc0kNR1baLKQHRI1NmYKLJKFJR1CCvolHfCy619imV0EUpdtvfGE0ZgEo1Eu7v8YrbMgFH2lkZ50t/xn0NFfxAOQv41IutmRsXPZzWoG9q46vUo72s7MFilprdtaFMIrrF9TlkJoP5cy05vuH11ZU0ZK+oROS2SyC9cpezZIy6NKqj95EMpCH5rt8hxvG3bgeAZ/vBw8wbMYTeSajMYIU410oFNBPbc6OsosQdfJzGoOp+1O4yVZ1MNPS7yf+7akI6LEMU35w6izgSt6iM/3AM7MPpYQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=RISEcloud.onmicrosoft.com; s=selector1-RISEcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AnZ+kt/aWqv1PzzNkKChCay5uT/0I1YxHrZDd8oY+iY=; b=IOe3KY4RcUrRwqnSleEm+7qZaH2NH2xcsMq0EuXAJJwE+hT4Hm2p99N8hxp7Th5qEoV28GpCGI7YY0PQciD/Wzec7KL/TDkDgj0iWNy/gU0G55V59n59hFB0NK35/bTo1qGVEeypvp2lXwIelKaA4ce11rAguK0sL4KUxepZX7I=
Received: from VI1P189MB0398.EURP189.PROD.OUTLOOK.COM (10.165.195.159) by VI1P189MB0480.EURP189.PROD.OUTLOOK.COM (10.165.195.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2665.23; Fri, 31 Jan 2020 18:32:00 +0000
Received: from VI1P189MB0398.EURP189.PROD.OUTLOOK.COM ([fe80::3485:ce83:891b:469]) by VI1P189MB0398.EURP189.PROD.OUTLOOK.COM ([fe80::3485:ce83:891b:469%4]) with mapi id 15.20.2665.027; Fri, 31 Jan 2020 18:32:00 +0000
Received: from [10.8.8.25] (89.187.189.217) by VE1PR08CA0034.eurprd08.prod.outlook.com (2603:10a6:803:104::47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2665.22 via Frontend Transport; Fri, 31 Jan 2020 18:31:59 +0000
From: Marco Tiloca <marco.tiloca@ri.se>
To: Jim Schaad <ietf@augustcellars.com>, "draft-ietf-ace-key-groupcomm-oscore@ietf.org" <draft-ietf-ace-key-groupcomm-oscore@ietf.org>
CC: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: draft-ietf-ace-key-groupcomm-oscore
Thread-Index: AdXUuS1YkeMOHqDuQo661Ct1JSFA6wDb7EgAAAkrFIAABcqrgA==
Date: Fri, 31 Jan 2020 18:32:00 +0000
Message-ID: <856e7de6-c11d-5ef0-3077-047b10537609@ri.se>
References: <010b01d5d7c3$47d36ad0$d77a4070$@augustcellars.com> <9dea28ee-c4c0-40b9-68bc-c78cfad9d40c@ri.se> <013701d5d84d$8cdfdb60$a69f9220$@augustcellars.com>
In-Reply-To: <013701d5d84d$8cdfdb60$a69f9220$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-clientproxiedby: VE1PR08CA0034.eurprd08.prod.outlook.com (2603:10a6:803:104::47) To VI1P189MB0398.EURP189.PROD.OUTLOOK.COM (2603:10a6:802:35::31)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=marco.tiloca@ri.se;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [89.187.189.217]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 812b2669-c493-4ef1-0244-08d7a67bdc21
x-ms-traffictypediagnostic: VI1P189MB0480:
x-microsoft-antispam-prvs: <VI1P189MB0480E1E8236CE2F0AFB2CDD999070@VI1P189MB0480.EURP189.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:5236;
x-forefront-prvs: 029976C540
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(376002)(366004)(346002)(396003)(136003)(189003)(199004)(4326008)(31696002)(81156014)(8936002)(478600001)(81166006)(8676002)(26005)(966005)(110136005)(186003)(16526019)(6666004)(53546011)(316002)(66556008)(66446008)(66946007)(66476007)(2906002)(956004)(16576012)(2616005)(86362001)(66574012)(71200400001)(5660300002)(31686004)(36756003)(66616009)(64756008)(52116002)(44832011)(6486002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1P189MB0480; H:VI1P189MB0398.EURP189.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ri.se does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: nBuOinWtxRp4jtaRLsJK/NG+sRwqM/tm49hUSc+5JlqAqurZjqAruwKAsz2/Hz0lwLaoGG/G5k9LlAMMdbXbTK8ZBRp+CNNs/D27BWYP7YbWCj0rzunF2yFBMf2wEjRqJWaQyQbNIu0vkhNzX7ocADPVzLRbH/cNbRJWQSSTG+lLEKUf6q2tH3Pn/8SYTiPZ1uASz8neUm8EzRwNmTfYdPJ8mh5xHkHSObu1Zqkr8m/ucLYB/ATYvwOtjGzps9mHKxSVi59Q0+F+X63RMjJ7wHxgWJaVhHts2PAVW6cJaH2kPgH9aUxPm/mrlviNx+CYEVCRM7KmvTHZGYr4BjyaPXErZStcw97jAV9kPZnZNvLrT1Zh4Bfa+s/Aps+8fK7X+L1nL7UNpe30EW2slk/C2b4tftbaB9W3/htMCDnsOdcT50on2aYHbjBiL36N6gFcYGP6x4+LTb3yhY6sp9rguUZ/Y87CGFyQYHGBy9nkys4H2SkPZKg0Yvjq8Fz87TtacBHf46bFPToQYgDrBMJEJA==
x-ms-exchange-antispam-messagedata: gd3d3rXsKUmru4VlF/DiWuusbyQAWhv6RipT2QyydFzt/ORcyXf1SotYdXF2nMkp8mwJXDk/0XLkewxwxHXssnzhQ3ncxMyO5zPywUpBAIHl+b21kKRDfhsG+F9uMDOA9QrwgSTGgKhOL0sD560vPg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="32j9GqaTdoozIDymv0rFZ29HQ3ZP6p6pd"
MIME-Version: 1.0
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: 812b2669-c493-4ef1-0244-08d7a67bdc21
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Jan 2020 18:32:00.4041 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZolLEW6B7kEb2+MYJFA64fnTNU3GJ/1iBJTsS7V/Zxoun4VxjS7y7BlCx5WgB6lVr8qbhooxEYYSS3f2CsZxCg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1P189MB0480
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ayRe6xsMiOjxhOzD-N26GbelK-E>
Subject: Re: [Ace] draft-ietf-ace-key-groupcomm-oscore
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2020 18:32:07 -0000

Hi Jim,

On 2020-01-31 16:46, Jim Schaad wrote:
>
> -----Original Message-----
> From: Marco Tiloca <marco.tiloca@ri.se> 
> Sent: Friday, January 31, 2020 3:24 AM
> To: Jim Schaad <ietf@augustcellars.com>; draft-ietf-ace-key-groupcomm-oscore@ietf.org
> Cc: ace@ietf.org
> Subject: Re: draft-ietf-ace-key-groupcomm-oscore
>
> Hi Jim,
>
> Thanks for these comments!
>
> Please, find some replies below.
>
> Best,
> /Marco
>
> On 2020-01-31 00:16, Jim Schaad wrote:
>> This is not a finished review - but I wanted to get it out.
>>
>> Jim
>>
>>
>> General - Should the concept of a legal requester be part of the 
>> information that is transported with the public key?  I don't believe 
>> that this is currently done, but would additionally allow for a server 
>> to ignore comments from individuals who are not authorized for that role.
> <MT>
> This can be indicated in the public key, and then the Group Manager indicates this "role" to other group members, when providing them with the public key of the legal requester.
>
> However, how can the Group Manager verify that a legal requester is indeed one, as its public key claims? If we stick to raw public keys, this seems not possible as the only thing that the Group Manager really does is verifying possession of the corresponding private key upon joining.
>
> This would probably require certificates rather than public keys, as provided in the 'client_cred' parameter upon joining, which is something that ace-key-groupcomm is anyway admitting, while we are just not doing it here. Then, it becomes about trusting the certificate issuer on legitimately claiming that the certificate owner is indeed a legal requester.
> </MT>
> [JLS] I was assuming that the GM could pull this information from the 'scope' field of the token.

<MT>
Ok, so it should be just about adding one more role to the current valid
ones for 'scope', and updating the list of possible role combinations.

Then it's up to the policy evaluation at the AS to confirm that a client
is indeed a legal requester, and that that ends up in the token.
</MT>

>
>> Section 2.2 - must new security parameters be regenerated on each 
>> membership change?
> <MT>
> If the application really requires forward and backward security, yes.
> This is further discussed in the first security consideration of Section 14.
>
> Related, more general aspects about this are discussed in the security considerations of ace-key-groupcomm. In particular, the Group Manager may want to enforce a more relaxed policy than "on each membership change", though making some compromise on the continuity of backward and forward security.
> </MT>
> [JLS] My problem is that I consider the secret key different from the parameters - might be a semantic issue

<MT>
Other than that, the ID Context (Group ID) is also renewed; the Master
Salt may be renewed; the used Sender IDs have to remain the same.

Maybe we can have here some of the text on this from the first paragraph
of
https://tools.ietf.org/html/draft-ietf-core-oscore-groupcomm-06#section-2.1
</MT>

>
>> Section 2.2. - Does completion of a group rekeying include confirmed 
>> redistribution before the version number is incremented?
> <MT>
> I would say no, but regardless it's something to clarify, possibly already in ace-key-groupcomm .
>
> Having the Group Manager generated and sent out the new keying material is sufficient to also increment the version number.
>
> It is good that the Group Manager can also get confirmation of distribution, mostly for possible individual re-provisioning, possibly up to a maximum number of retries.
>
> Worst case, some group members remain behind, will not be able to retrieve a context or decrypt correctly, and will eventually go to the Group Manager to understand the current status, including the latest version number, and get the latest group key material.
> </MT>
> [JLS] This is how I read the text - please do some clarification

<MT>
Yes, will do.
</MT>

>
>> Section 4.2.1 - I think that we are going to need a discussion on a 
>> couple of issues related to the OSCORE half of how these values are 
>> going to be created.  Pieces of the discussion are: 1. What is the POP 
>> her going to try and prove.  Specifically is timeliness part of the 
>> discussion.  2. What do we do about  token which grants access to 
>> multiple topics.  Is joining the second group considered to be a 
>> re-join rather than an original join for the purposes of this 
>> discussion?  3.  What are the interactions about cached public keys, 
>> when are these ok and how is this communicated to the client as a failure?
> <MT>
> Sure. Some comments on your points for the discussion:
>
> 1. Ultimately the POP is about the owned private key used to sign by the joining node. Building this part of the challenge this way ties the challenge itself with the OSCORE context the two peers have. This is the same construction we have in [1] for building a signature challenge, so probably both documents would likely be affected.
>
> 2. Tokens covering multiple groups/topics are a next thing to define in ace-key-groupcomm. Adapting this challenge-based POP will follow. As a general case, the client wants to use different public keys in different groups, which would mean providing one POP signature for each key. Then, the N_S challenge can be as follows:
>
> --- If the Access Token is posted to /authz-info , the RS returns an array of N_S, i.e. as many as the number X of groups/topics in the 'scope' of the token. Since the client may then upload Y < X public keys (some of which for more than one group), the client should include in the joining request Y signatures, together with the respective used Y N_C nonces and Y N_S nonces of the X provided by the Group Manager.
>
> --- If a TLS exporter is used, 'context_value' has to be non empty, e.g.
> it can include the public key or a hash of it. For simplicity, we may want to have 'context_value' always non empty, i.e. also when only one public key is involved and even in the simple case of one group/topic only.
>
> --- In the OSCORE case, HMAC-Hash may take as 'salt' one more concatenated element, e.g. the public key or a hash of it. For simplicity, we may want to have 'salt' always including this additional element, i.e. also when only one public key is involved and even in the simple case of one group/topic only.
>
> 3. Cached public keys and how to handle them are discussed later in Section 5. If something goes wrong, the joining process fails and the Group Manager sends error responses as described in Section 4.3.
>
>
> [1]
> https://tools.ietf.org/html/draft-tiloca-ace-group-oscore-profile-01#section-3.1
>
> </MT>
>
>> Section 4.3 - Does it make sense to return a new rsnoce as part of 
>> these errors?
>>
> <MT>
> That's certainly possible, though I am not sure of the advantage, compared to sticking to the first one returned in the response to the Token POST.
> </MT>
> [JLS] depends on the "nonce" quality - that is one time only use.

<MT>
We can make it optional for the server to return a new nonce in the
error response.

If received, the client has to use that latest nonce when building the
challenge to sign for the new joining request.
</MT>

Best,
/Marco

> Jim
>
>
> --
> Marco Tiloca
> Ph.D., Senior Researcher
>
> RISE Research Institutes of Sweden
> Division ICT
> Isafjordsgatan 22 / Kistagången 16
> SE-164 40 Kista (Sweden)
>
> Phone: +46 (0)70 60 46 501
> https://www.ri.se
>
>
>

-- 
Marco Tiloca
Ph.D., Senior Researcher

RISE Research Institutes of Sweden
Division ICT
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

Phone: +46 (0)70 60 46 501
https://www.ri.se

v2.23.0 | Report a Bug | By Email