IETF Logo Mail Archive

[Ace] Update of access rights

Francesca Palombini <francesca.palombini@ericsson.com> Tue, 05 May 2020 13:36 UTC

Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96D443A0794; Tue, 5 May 2020 06:36:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OrRzeJE6TL8Y; Tue, 5 May 2020 06:36:47 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60062.outbound.protection.outlook.com [40.107.6.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ADA43A0789; Tue, 5 May 2020 06:36:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MALKsU9rv3zcGEDCk6pSDs+rMEMSGNNbpk04rcWnxKmozdhfwkSL0OinntqL/2RdMN25xh5vzHIgRzCqdm1I/GCvGva4zWYZ/2cnN4T+b0dSjlKNuQFSgLWt3S5V8RogPQJ1idKUFE/M0OGrVT+Lc7llqPUtyfXNiOZHBvB8yGVjZClBAJYfThOYjX4LuStmAX7Mop3hXop4N1ZI5LYBH8rGY8tGbXfGFatRhzxzDTefLMOrKDwhL4sPQulDNz+Qmngkgfl7l3cbLHsvIxXcJPT9YNeM4vvd20gsKcKnaw4QQ2X85VGAC8kPfash8lExk6SjRmTGV3j83+hg7F14Mg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=v80f1YDTI0yJErMc8t+RkKBxZcDIXEVrF7DNaGjgYhQ=; b=NPNsBcmVz/79+Z3cf6rWg2cjhwSyPzFQVQUz7fXnXlidoqORvYtvKyE/bwBL+pB5/6t0IxxMsYG8KAmliGMmmiUfu5Rh4+EGZgoOljCK5ZVaKVGgbiBqsn4KQ6JRvvNHj+orLFDAVDeXvBbZ5TPCxrmKGksCICZ/mjcsI7jCfET20ISd2q6Y4ec/5DKV3ZkelVwHXuZPEGd0JsqKqCXWO6Dslo6iA144IMQ373yexAiB2VWqcSdMrXWud6toSVwmZF60wba0lZIYHKEheey4sYMt32AoRl/bhn4DpmPECpre1V8foc36s5jD8/Qp5ADEUOorS1mbAheQ/BvAqq0h2w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=v80f1YDTI0yJErMc8t+RkKBxZcDIXEVrF7DNaGjgYhQ=; b=KfxehdzynxG1+7foXY/GfHL7DjmYq1S8vpjjnlyFHRwl1fNCttcu8RImPMAfMcx1VUO7yfcsPcpKPIhJxt8MbMRl1aRyCblQ14urxr6XTC41Vn5uh61VvTyVzqekoFayJ3XUjp6B8K/WpzuhDKqXZGuixBQfURQM63pPGm0cpsk=
Received: from HE1PR0702MB3818.eurprd07.prod.outlook.com (2603:10a6:7:8c::18) by HE1PR0702MB3593.eurprd07.prod.outlook.com (2603:10a6:7:7e::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2979.22; Tue, 5 May 2020 13:36:43 +0000
Received: from HE1PR0702MB3818.eurprd07.prod.outlook.com ([fe80::f0bb:b1ae:bf22:4526]) by HE1PR0702MB3818.eurprd07.prod.outlook.com ([fe80::f0bb:b1ae:bf22:4526%6]) with mapi id 15.20.2979.025; Tue, 5 May 2020 13:36:43 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Ace Wg <ace@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, Jim Schaad <ietf@augustcellars.com>
CC: "draft-ietf-ace-dtls-authorize@ietf.org" <draft-ietf-ace-dtls-authorize@ietf.org>, "draft-ietf-ace-oscore-profile@ietf.org" <draft-ietf-ace-oscore-profile@ietf.org>
Thread-Topic: Update of access rights
Thread-Index: AQHWIuI1Lkw8gf+fQkGotEAa9X56JQ==
Date: Tue, 05 May 2020 13:36:41 +0000
Message-ID: <8063D003-2C48-4157-B80E-B7AF3D2099FC@ericsson.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.36.20041300
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.219.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: abc8bba4-aa67-44ea-08dc-08d7f0f9595b
x-ms-traffictypediagnostic: HE1PR0702MB3593:
x-microsoft-antispam-prvs: <HE1PR0702MB35932FE5F3D0D2580DE2ECD598A70@HE1PR0702MB3593.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0394259C80
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: OW7v8+YgRSQd7xwBRIG6ppADz5rqFraCyDDIpTBBwycub6fy5tcatUX7Z0F8Z0IN/P6sKlYrgtBbY5rfuGR7rfn1DWPztWTyFF8FEJ/E2tHqej5KVg5mD3nCVH0OrkNo6QBXdW3JnaZ+bpToTaNbTqfIzHKoW/fHKwvwH/7bGuFpHxtOrSw8+FxQ4jqdp1M7Q4o5ciRChIA35ugmGt78W+OjKaFJNX+yrNMKSPx3I8nhazyoTJ7XwswUgzpMFr/UNefSkr3FKQX7DJS03bxkkhvAto+fZeGE5Oz8J3qn6x4qBHdQJFPaXCbYQzVTwQsUdsosbE2jCJmZFsyalRQSBw3YYdHeGtYCWZSRNQKx0PtqIGfSNyEXViVmDOE2MN5eBJ8TllIoGkQKqUy4BiBPynkap7dC3SaMnUemJn0azJqopYl+Xe/NnKko9EKzFQxYGeYu6a7fDH88G3CGqKgiWORrMlQ/BMGQ8GvrKGcZmnj8VM1EKe5TkujzYxnqfqB6M8xwuYC7ejrY5X4nZhXI4UTWxTaskc+nnvG6fAPAoQS/elf94lrTD22sf0xASJMT5MS0N7sn5mKDL5K/LVtIkOdCFMeg+bX2jrRBxH94n3A=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3818.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(376002)(39860400002)(136003)(366004)(396003)(33430700001)(186003)(6486002)(26005)(6506007)(4326008)(15650500001)(6512007)(66946007)(76116006)(71200400001)(66556008)(66476007)(2906002)(64756008)(66446008)(44832011)(2616005)(33656002)(36756003)(86362001)(478600001)(3480700007)(5660300002)(8936002)(54906003)(316002)(33440700001)(110136005)(8676002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: klAY0nCQKL9e9R1rHlxDovRHRu+kKjUcfAPYqp/6XrsF1xjvHZTmy7zd8QQlaZQhEbQofgPhzUMxqEfPaw4kpqtoQMapMcmRFABa8OtNeWUunG0UWMjeeaLG/l9D5ClPhthtOVZm+Z3xY05EXaHLJh02uJ9HBMlt8WOW696Im48EdkSCu74Km2KZKTOWGHKo2UAbTPry3Q3DwKoR1PRgfK7UOt1VxtxLMe4qJ8f6vxbFDTDh9WU4HIyTspaPtgKwKKlbNPwffc8oi0vseB56hQk6YZ7JCr9agq6Ct9glbKScHBsjpctuOmm0INdwYp3t7UbCtXPWUBnGw0pyCEEplJ1MViT0f0ievi3zHEpckWU/jcOAtq18+nCZjMubirx5KB+NZzuDngywWusQ0J/i17xPorGUSJGDQnxzkxUmaezIRXf22cGv8OzvuFUVV15bXONKkZXtuxBZX6JgMhAYG8DOla4GF8FDG+NFLzALu2KUGw/PmeFxB91gdGFWk4Ur36a2GOFbZdew45RAk8Qo9yhU+cgt8W3QG4Yo8//piah3IPtWSe5XXuGn4ATg3oi6p3vMwM67vtZ4etrBtwSHVrrRYv/X9arYW3j1v5W4n6xnPfZkv0qZupReECT1bHzZZDtmiWHv77U+fdfHD5f8S0KfCX/QGF40Oeu0Sshw1U5sw7XIRHmwSl1rDBBPUqVrIYIVST6flazT39NL7SagPfi3B8REfKkOo1q5Y6zNEfyBFkvZKm+O+kpWGV08wmAuLdaawFMvBUOpXzvlwSio39pYbXEfHYHUV9Mi5UgbcB4HS31EKAQRYkjvPd++/3c6
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <EF21936AB9E45F42B7038FF850F0859A@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: abc8bba4-aa67-44ea-08dc-08d7f0f9595b
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 May 2020 13:36:43.0936 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: E76347tpB4yQp3q5am6j1gX5IprOPYQrs+Y/kEpWLc6W3JYNOy57CcfBM0/N+SsFGDT7DWAP5W3gfFIg/K3V/xIG1p2s2H3egGVr/q0isFayJgYj2h3DPD+FypqRLEZg
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3593
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/dLkW-MYHXfZqmtY7AP7ZBDJpxOw>
Subject: [Ace] Update of access rights
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 13:36:50 -0000

Hi Ace chairs, DTLS authors, Ace framework authors, Ben,

TL;DR: we propose some changes on the OSCORE profile for the "update of access rights" scenario. We have comments for the DTLS profile and the ACE framework regarding this scenario, and we ask for feedback from ACE OSCORE implementers and Ace in general.

In an attempt to answer Jim's (https://github.com/ace-wg/ace-oscore-profile/issues/20) and Ben's (https://github.com/ace-wg/ace-oscore-profile/pull/30) review of the OSCORE profile, we have been thinking more about the case of updating access rights. This has revealed to us authors that something is missing from the document, and I believe that this part is not explicitly covered in the DTLS profile either, hence this email. 

This is the scenario, and what is currently defined in the OSCORE profile:

1. Client retrieves access token T1 from AS
2. Client posts T1 to RS, together with nonce N1
3. RS replies with 2.01 and nonce N2
4. Client and RS derive OSCORE Sec Ctx "Sec1" from T1 ("osc" object), N1, N2
5. Client uses Sec1 to protect its request to RS
6. RS uses Sec1 to verify request. Verification success => Sec1 is validated and associated with T1 (at the RS)
----
7. Client wants to update its access rights: retrieves T2 from AS. Note that this T2 has different authorization info, but does not contain input keying material ("osc"), only a reference to identify Sec1 ("kid" in "cnf")
8. Client posts T2 to RS, together with nonce N1'
9. RS replies with 2.01 and nonce N2'
10. Client and RS derive OSCORE Sec Ctx "Sec2" from T1 keying input material ("osc" object), N1', N2'
11. Client uses Sec2 to protect its request to RS
12. RS uses Sec2 to verify request. Verification success => Sec2 is validated and associated with T2 (at the RS) ; T1 is removed ; Sec1 is removed

In the document right now, we are missing the exact description of how in 8. RS identifies that this is an update of access rights for C, aiming at replacing T1. We propose to add text stating that (in 3. and 9.) RS MUST check the kid (in the "kid" in the "cnf" of the access token), and match it with existing security contexts, to realize that this is an update for an existing token associated to the sec ctx identified by kid.

Moreover, while comparing with DTLS profile, we realized there is no reason for which 8. should be sent unprotected. In fact, doing so opens up to possible attacks where an old update (token non expired) is re-injected to the RS by an adversary:

* Client sends T1 to RS  --> accepted
* Client sends update of access rights T2 --> accepted
* Client sends update of access rights T3 --> accepted
* Malicious node re-sends T2 --> accepted

Of course that could be mitigated with expiration times and with checking "issued at time" field (which is optional). But we believe even though these are good points (which might actually be worth adding to the framework), sending the token to the RS over the existing protected channel solves this issue. So we propose that 8. is protected with OSCORE and Sec Ctx Sec1. For DTLS authors: I believe Jim has extrapolated from your document that that is the case for the DTLS profile already, i.e. POST token to RS for update of access rights is over DTLS; I think it would be worth explicitly stating that in the DTLS profile.

Additionally, analogously to DTLS where the same channel is kept even if access rights are updated, I do not see any reason at this point to have the endpoints re-derive a new security context. This is the biggest change I propose, and can be summarized by replacing the points above as follows:

7. Client wants to update its access rights: retrieves T2 from AS. Note that this T2 has different authorization info, but does not contain input keying material, only a reference to identify Sec1 
8. Client posts T2 to RS, *without nonce* *protected with Sec1*
9. RS *verifies that this is an update of access right, replacing T1 (associated with Sec1) ; Sec1 is associated with T2; T1 is removed *; RS replies with 2.01 *without nonce* *protected with Sec1*
10. Client uses *Sec1* to protect its request to RS

I can already see the objection from implementers: the authz-info endpoint at the RS becomes accessible both unprotected (in case the Client is posting a token for the first time, points 1. to 6.) and protected (in case Client needs to update rights, points 7. to 10.) I believe that defining a NEW endpoint at the RS for the "update rights" mechanism would be the best solution, but I understand that would require modifications to the framework that Ludwig probably would not want to do, as it might delay the document. I think these would in practice be 2 different endpoints with the same URI, one OSCORE protected and one unprotected. But I need more input from our implementers to know if this absolutely cannot be done.

Our proposal:
An RS receiving a token (point 2 and 8) MUST check the kid of the token against existing security contexts. If a match is found, but the POST was unprotected, reject. If a match is found AND the POST was protected using that same Sec Ctx identified by kid, update access rights. If a match is not found, derive sec ctx as defined before. These 2 endpoints also require different payload: posting the token for the first time unprotected requires a nonce, posting an update using OSCORE does not (and the nonce will be discarded if sent). 

Doing so answers Ben's point about 2 tokens being saved at the RS at the same time, while Sec2 is not yet validated (between 8. and 12. above), since it removes Sec2 altogether. As soon as T2 is verified, T1 can be replaced with T2.

Final point: what happens if the Client posts a second token T2 (to unprotected authz-info) which contains a different "osc" object, different kid etc. The RS will not be able to identify this Client as someone it already has a sec association with, and it will set up a different Sec Ctx with it. I think this is OK, as for it to be accepted, the AS had to provide such a token. The framework RECOMMENDS that an RS stores only one token per proof-of-possession key, which would still be valid, as different tokens would be associated to different Sec ctxs.

Any feedback or comment is appreciated. 

Thanks,
Francesca

v2.23.0 | Report a Bug | By Email