Re: [Ace] draft-schmitt-two-way-authentication-for-iot-02
"Dr. Corinna Schmitt" <schmitt@ifi.uzh.ch> Mon, 07 July 2014 06:52 UTC
Return-Path: <schmitt@ifi.uzh.ch>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEC031A0B0F for <ace@ietfa.amsl.com>; Sun, 6 Jul 2014 23:52:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.539
X-Spam-Level:
X-Spam-Status: No, score=-2.539 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, T_HK_NAME_DR=0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sOjqt1Qwh9iY for <ace@ietfa.amsl.com>; Sun, 6 Jul 2014 23:52:11 -0700 (PDT)
Received: from bohuslav.ifi.uzh.ch (bohuslav.ifi.uzh.ch [130.60.155.10]) by ietfa.amsl.com (Postfix) with ESMTP id A8CB31A0B0D for <ace@ietf.org>; Sun, 6 Jul 2014 23:52:10 -0700 (PDT)
Received: from authenticated sender schmitt by bohuslav.ifi.uzh.ch (postfix) with ESMTPSA id SA; <F3E847FC82>
Message-ID: <53BA4398.2040500@ifi.uzh.ch>
Date: Mon, 07 Jul 2014 08:52:08 +0200
From: "Dr. Corinna Schmitt" <schmitt@ifi.uzh.ch>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: ace@ietf.org, Burkhard Stiller <stiller@ifi.uzh.ch>
References: <53086642.5050609@gmx.net> <53134E58.20608@ifi.uzh.ch> <531F6177.5040704@gmx.net> <53B1209C.5020200@ifi.uzh.ch> <34966E97BE8AD64EAE9D3D6E4DEE36F25817518D@SZXEMA501-MBS.china.huawei.com>
In-Reply-To: <34966E97BE8AD64EAE9D3D6E4DEE36F25817518D@SZXEMA501-MBS.china.huawei.com>
Content-Type: multipart/alternative; boundary="------------020507020703030701080103"
X-Virus-Scanned: clamav-milter 0.97.8 at bohuslav
X-Virus-Status: Clean
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/dwhpV6d1ejCL7ihiKMkhIVlOa1Y
Subject: Re: [Ace] draft-schmitt-two-way-authentication-for-iot-02
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jul 2014 06:52:18 -0000
Dear Kepeng, thanks for the feedback. Some of them we already applied in the updated version: draft-schmitt-ace-twowayauth-for-iot-00 <https://datatracker.ietf.org/doc/draft-schmitt-ace-twowayauth-for-iot/> This draft replaces the one you refer to. > Section 2, Terminology: Currently, our charter and most of the other > submitted drafts use "Client", "Resource Server", "Authorization > Server". To keep consistency, it is better to use these terminologies > to replace "Publisher", "Subscriber" and "Access Control Server". > We will change it in one of the next updates when it is clear for us how to map it. > > Section 3, High Level Design Requirements: the objective of this > section is quite similar to the "design considerations" draft. It is > better to consolidate this section with the draft. > > http://datatracker.ietf.org/doc/draft-seitz-ace-design-considerations/ > Thanks for the hint. > > Section 4, It seems that that most of the design considerations (e.g. > assumed network stack, handshake message flows) will also be applied > for Class 1 devices. It is better to indicate the common design > considerations first, then highlight what more we can achieve by Class > 2 devices. > We already included this. Deleting our TPM request and argument with class 1 and 2 now. > > Section 5.1, 5.2 and 6, Use cases and Requirements: Maybe it is better > to consolidate these sections with the "Use cases and requirements" draft: > > http://datatracker.ietf.org/doc/draft-seitz-ace-usecases/ > Thanks for the hint. The use-case we have in those sections are coming from the draft already. The requirements are based on the things we need. > > Section 5.3, Data Access Procedures: it seems that interactions > between Gateway and Publisher are out of scope? Because from the > flows, the Gateway is not involved in the data access flow any more. > Also about the last two steps "Two-way authentication handshake > between Subscriber and Publisher" and "Data exchange using DTLS > secured channel", in these two steps, is "Access Control Server" > involved in the data access flow? > We will check it and let you know. Sometimes the Gateway might be involved. > > Section 10, Formal Syntax: It is better to put this section as a > sub-section of Section 2, to let readers better understand the meaning > of the abbreviations. > Also a good idea. > Thanks and see you in Toronto, Corinna > > *? ??:*Ace [mailto:ace-bounces@ietf.org] *? ? *Corinna Schmitt > *? ???:*2014?6?30?16:32 > *???:*ace@ietf.org; Hannes Tschofenig > *??:*Burkhard Stiller > *??:*Re: [Ace] draft-schmitt-two-way-authentication-for-iot-02 > > Dear Hannes, > > based on the discussions of the pre-meeting in Stockholm we updated > our draft and generalized it. Our old draft > "draft-schmitt-two-way-authentication-for-iot" is now replaced by > "draft-schmitt-ace-twowayauth-for-iot". > > The mentioned projects are only examples where we have the work > integrated and where it runs already successful. > So we believe the draft fits into ACE and also maps the requirements > outlined in https://tools.ietf.org/html/draft-seitz-ace-usecases-00. > > See you in Toronto at IETF 90, > Corinna > > Am 11.03.14 20:18, schrieb Hannes Tschofenig: > > Hi Corinna, > > > > thanks for the response. > > > > My suggestion would be to produce a write-up that is of generic use > > (independent from your specific implementation and your EU funded project). > > > > However, given the charter discussions and the BOF I have my doubts > > whether the work would meet many of the requirements outlined in > > https://tools.ietf.org/html/draft-seitz-ace-usecases-00. > > > > Ciao > > Hannes > > > > On 03/02/2014 04:29 PM, Dr. Corinna Schmitt wrote: > > Dear Hannes, > > Hi Corinna, Hi Burkhard, > > > > thanks for your document. I have read through it and I ran into a few > > questions. Your response would help me to better understand the proposed > > idea. > > Thanks for reading the draft and make comments to it to improve it. Some > > comments can be answered right away. > > 1) Why do you assume IEEE 802.15.4? Currently it seems that the 15.4 > > radio will mostly be used in specialized industry segments only. Is > > there anything in the document that would make the idea less suitable > > for other radio technologies, for example BTLE? > > Potentially the proposed solution can work on every stack you like. So > > you can do an implementation independently of IEEE 802.15.4. > > We put IEEE 802.15.4 there, because our used stack (BLIP) uses it. > > 2) The assumed network stack does not show 6lowpan. Was this intentional? > > Same as above. You can use the stack you want. So also 6lowpan can be > > used. It depends n you what you require and what you want to support. > > 3) You show RPL in the stack and I was wondering whether you assume it > > being mandatory to implement for your assumed architecture? It does not > > seem to show up elsewhere in the document. It appears to be irrelevant > > for your design. > > RPL was just mentioned due to our other publications. Currently our plan > > is to change to RPL (CoAP) in the future. > > 4) Subscriber identity: You write -- > > " > > The identity of a default subscriber is usually preconfigured on a > > publisher before it is deployed. > > " > > > > Could you explain more what you assume is pre-configured and where it is > > preconfigured? > > Here pre-configures means that our devices are equipped with the > > certification during compiling and programming them before deployment. > > This is due to the application scenario we support at the moment. Before > > deploying the device you have to run to steps: First creation of > > certificate, and second compiling code and play it on the device. > > I would also suggest to avoid the term subscriber since it has two other > > meanings that might confuse: > > a) The term subscriber is often used in context of telecommunication as > > the user who has a contract with a telecommunication operator. > > b) The second use is in context of protocols that use asynchronous > > communication (like XMPP). > > > > I believe your notion of subscriber does not relate to those two > > existing uses. I guess you are more using the term subscriber to refer > > to a device that wants some data from a sensor. Is this correct? > > Thanks for the hint. Yes you are right. The subscriber should be a > > device that wants data from the sensor. > > Usually this is one outside of the WSN. Do you have a suggestion for new > > name? > > 5) Roles in your architecture. > > > > It seems that you assume that the IoT devices are publishers and that > > there are subscribers who talk to these publishers. In some other cases > > I have seen architectures where the IoT devices (sensors) upload the > > data to some servers without having to act as servers themselves. In > > your architecture it feels like the sensor nodes implement the > > server-side functionality > > That was not our intention. > > Our network has push characteristics up to the server. Data publishing > > runs over server, because it has more resources and, therefore, can > > handle requests better. It is the gate to the world. > > Pull is only performed if you require data (measurements) at a time that > > is not pre-defined. > > In Section 4.2.2 you write that you recommend an OpenSSL implementation > > on the server side but the server-side would be the IoT device. While it > > would be inappropriate to recommend a specific implementation in an IETF > > draft/RFC it also raises the questions about the expectations on the > > server-side. > > Thanks for the hint. > > We use OpenSSL on the server but not within the WSN. OpenSSL is used > > especially for managing rights, requests, and certificates. > > 6. Certificate content > > > > In Section 4.2.2 you describe the content of a certificate and you > > indicate that the commonName is set to "localhost". It seems to be > > useless to include this in the certificate since a CA would not be able > > to verify this identity information nor would any party verifying it be > > able to use it in a meaningful way. > > Localhost in our case is a special IP address (here: sink). You are > > right, we should rename it and make clear that it is an IP address. So > > you can set is like you want. > > It also seems to be in violation of what you write in Section 5.2 where > > you state that "every publisher in the network MUST have an unique > > identity.". > > > > You also indicated more complete information for inclusion in the > > certificate but it is not clear to me what purpose it serves. Could you > > explain? > > Will do it asap. > > 7. Privacy > > > > In Section 5 you indicate some privacy related aspects and you hint to " > > access regulations based on legal and regulative implications". Could > > you briefly explain what those requirements are? > > This part we put in due to the deployment and project relations we are > > running at the moment. > > Here it means that not every device can be able to access the data, for > > example, due to legal issues in the region (EU, CH, US rights). > > This has to be stored central in the network and it has to be checked > > before giving access and creating the corresponding access ticket. > > Here we refer to the following publications: > > > > Radhika Garg, Corinna Schmitt, Burkhard Stiller: /Investigating > > Regulative Implications for User-generated Content and a Design > > Proposal/; Degruyter, PIK-Praxis der Informationsverarbeitung und > > Kommunikation, Vol. 36, No. 4, December 2013, ISSN 0930-5157, pp 1--11. > > doi:10.1515/pik-2013-0042<http://dx.doi.org/10.1515/pik-2013-0042> <http://dx.doi.org/10.1515/pik-2013-0042> URL: > > http://www.degruyter.com/view/j/piko.ahead-of-print/pik-2013-0042/pik-2013-0042.xml > > > > Radhika Garg, Christos Tsiaras, Burkhard Stiller, Corinna Schmitt, > > Daniel Dönni: /Deliverable D7.1 - Basics, Requirements, Scenarios, and > > Architecture: In FLAMINGO/; Radhika Garg (Edt.), Zürich, Switzerland, > > October 2013 > > 8. Use Cases. > > > > I suggest to omit the use cases from the document since the description > > is too brief to be useful. A small remark: From my work in the emergency > > services environment I had gotten the impression that there are no plans > > to take sensor input directly when initiating alerts. In fact, sensor > > alerts do rarely even get directly to the emergency services authorities > > but are rather pre-processed by an intermediate organization (by > > humans). Maybe you have spoken with other people, who have different > > plans. Where did you got your information from? > > This section is based on discussion with our project partners within > > SmartenIT (www.smartenit.eu <http://www.smartenit.eu>) and Flamingo (http://www.fp7-flamingo.eu). > > <http://www.fp7-flamingo.eu> <http://www.fp7-flamingo.eu> > > > > 9. Architecture > > > > Figure 3 shows the architecture but it is a bit confusing since it is > > not clear what the boxes and the lines mean. The publisher is a box > > separate from the sensors and from the earlier description I thought > > that the sensors are actually the publishers. Furthermore, the gateway > > was not discussed as a role up to that point in the document. The > > gateway shows up in Section 5.3 and its role confuses me. You write: > > > > " A sensor node has published its data, which is transmitted in > > direction to the global sink (cf. Figure 3 where global sink is > > located in the gateway component). > > " > > > > Does the sensor publish the data at the gateway? From the earlier > > sections I thought that the subscriber talks to the publisher instead. > > Is the gateway the subscriber? Why doesn't the sensor uploads the data > > to some server instead (which is frequently done in today's IoT > > deployments). > > Lots of comments. > > I will address and clarify them asap. > > Furthermore, I will add a legend to the Figure and perhaps modify it > > based on you aforementioned comments. > > Why do you call the entire document "two-way authentication" when the > > the two way authentication is just one small part of the overall > > authentication procedure. In fact the two-way authentication is used > > between the subscriber and the access control server (as shown in Figure > > 4), and between the publisher and the gateway. Furthermore, there has to > > be some authentication between the subscriber and the publisher as well > > (at least I hope so). > > > > What is the purpose of the access ticket? It shows up in Section 5.3 and > > I wonder why there is a need for an access ticket when the two parties > > (subscriber and publisher) already have a certificate. Why cannot you > > use the certificate for authentication with the publisher right away? > > > > Where do you see the access control server being deployed? Is this an > > entity in the local network or something you would have on the Internet? > > > > Why does the publisher have to authenticate to the gateway? From Figure > > 4 it is not clear whether the gateway is just an optional component or > > an integral part of the architecture. > > > > The document does not explain what the access token is and how it is > > exchanged between the subscriber and the publisher. > > > > Btw, the term CA standards for Certification Authority rather than > > Certificate Authority. > > > > Will be addressed soon. > > 10. Hardware requirements. > > > > Hardware requirements typically are not appropriate for IETF documents. > > While you make the argument that an RSA-based public key cryptosystem is > > good enough from a performance point of view the currently mandatory > > ciphersuites used in CoAP are based on ECC (for those that rely on > > asymmetric crypto). While having hardware support for key storage is a > > great idea I was wondering how much your architecture actually relies on > > it. My impression that it would work fine just without a TPM chip. But > > you might have more hardware experience than I have. Could you point me > > to some hardware that you have in mind using? > > > > We put this section for completeness and to show that an implementation > > exists. > > Concerning sensor nodes and TPM we are using OPAL from CSIRO. Trusting > > Computing becomes relevant nowadays when thinking about securing data. > > Drawback is that if the TPM chip is broken or you change something > > during booting everything is lost. Advantage is that the storage root > > key is stored safely and only derivates are used for your applications. > > > > Hope to answer most important questions or comments now. Others will be > > addressed soon. > > You can also talk to me during IETF in London. > > > > Regards, > > Corinna > > > > > > > > _______________________________________________ > > Ace mailing list > > Ace@ietf.org <mailto:Ace@ietf.org> > > https://www.ietf.org/mailman/listinfo/ace > > > > > > > > > _______________________________________________ > > Ace mailing list > > Ace@ietf.org <mailto:Ace@ietf.org> > > https://www.ietf.org/mailman/listinfo/ace > > -- > > > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace --
- [Ace] draft-schmitt-two-way-authentication-for-io… Hannes Tschofenig
- Re: [Ace] draft-schmitt-two-way-authentication-fo… Dr. Corinna Schmitt
- Re: [Ace] draft-schmitt-two-way-authentication-fo… Hannes Tschofenig
- Re: [Ace] draft-schmitt-two-way-authentication-fo… Corinna Schmitt
- Re: [Ace] draft-schmitt-two-way-authentication-fo… Likepeng
- Re: [Ace] draft-schmitt-two-way-authentication-fo… Dr. Corinna Schmitt