Re: [Ace] minor comments on draft-ietf-ace-oscore-profile-16

Göran Selander <goran.selander@ericsson.com> Thu, 04 March 2021 16:18 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C28083A0EFB; Thu, 4 Mar 2021 08:18:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.349
X-Spam-Level:
X-Spam-Status: No, score=-2.349 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FWa07Rmlu7V4; Thu, 4 Mar 2021 08:18:08 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70059.outbound.protection.outlook.com [40.107.7.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F8593A0EFC; Thu, 4 Mar 2021 08:18:06 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KwQidnBDUhd7/5076//C86gbGqz2i2fQS/n8lwjSFVvJyuikXYUZC+rbjzS9EYa56vQrHisB+nZJ21T3OlWvzzdgH5Vb8NiKsG5L+RL7KtWaOO+4gxAy4ch7KeMVTEqzzqZcMa4NITvMqjbhUwjAvOg31pPscEND3mzmTmCD5eZJqiAXefzIkWuYGPVYb28GU7eDElw0BMH7JCb+aUNmIkf1XdO2glbNNI3LDk2uoN3azgNY3kjy9vOnGNDzUckxsEVFZ1X6idRdjIfolcdiMEyIRmn/Wgb5TpJQXf0quDz2tq1uP0Ledu0uaWQ9twGkAvxAiAyuKiAHOiBBL0XSJw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=A+FhkgC7xVWR5hQ6U4SFGDsEc0xOKV7uJ7Dt7GtHqVE=; b=PCOJG6aGxcWLbKQ5Ybz9M9+nRoUEhY99m9DkepIlA8NNryDdCyoW+OFlGLhrEjyQ+Rmz9vbYvpeuueaMtMfpPofyxMRtBE5ld5hL0Nr5BTTJJXbZcHo6Jf0sx+ieQTIjhcl4yVZGySxZ3YyvFulm28CHuLBENU3yIE+RLFvaf5cSWQpK0LQmjfpxj/UHTKkU67I5beMvfZSo+RxTOH3+0GmlFHZhsLD/85cxfz60YCxJhfNNbK0PwZm1E3j0fHkhsaqGspiQWohALkCYXSfoWyIc2TUdIDzithxrcya7M2i0+l0hA3TDeTW/rfMMDMN5Rkf2GtzK3E28lqQzCE3LgQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=A+FhkgC7xVWR5hQ6U4SFGDsEc0xOKV7uJ7Dt7GtHqVE=; b=YIQT5o1NNrwCtppAYARplrqjV1aoYYzH+d52LVmZCIPrG3CRly+ApmrZQJ1kLclaXLeEkrSKX6OeSxQruAQzduYffdCGhUgKL/GkGLz8q6IQXauPj5/1P1MKGhHFJ0xctyPXTiCdPGR5AobWFNi0xmMXZKwdO2GV3BPjn1eluFE=
Received: from HE1PR0702MB3674.eurprd07.prod.outlook.com (2603:10a6:7:82::14) by HE1PR0701MB2955.eurprd07.prod.outlook.com (2603:10a6:3:4a::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3933.13; Thu, 4 Mar 2021 16:17:53 +0000
Received: from HE1PR0702MB3674.eurprd07.prod.outlook.com ([fe80::588f:43b1:d981:5bc8]) by HE1PR0702MB3674.eurprd07.prod.outlook.com ([fe80::588f:43b1:d981:5bc8%5]) with mapi id 15.20.3912.015; Thu, 4 Mar 2021 16:17:53 +0000
From: =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <goran.selander@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-ace-oscore-profile@ietf.org" <draft-ietf-ace-oscore-profile@ietf.org>
CC: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: minor comments on draft-ietf-ace-oscore-profile-16
Thread-Index: AQHXEJ5E+BYySV+PiEK9WInHmkhHtap0E1+A
Date: Thu, 4 Mar 2021 16:17:52 +0000
Message-ID: <7D651AAF-74DB-4DE7-A688-DEB5DD2FB4C8@ericsson.com>
References: <20210304022922.GN56617@kduck.mit.edu>
In-Reply-To: <20210304022922.GN56617@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.47.21022404
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [83.249.67.87]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4bcfc18d-c955-46ea-0285-08d8df291033
x-ms-traffictypediagnostic: HE1PR0701MB2955:
x-microsoft-antispam-prvs: <HE1PR0701MB295578ABC722CEE4F0CC1828F4979@HE1PR0701MB2955.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3kGsBWMiZ/fvxgADcdUB/HLww62laCS5ACjzveA5i+WYlZn3F4GSNjSzPUEHbdDP5R0eRMO9ViTUe3FnSE98xeBkIAHLSny+o9jkfbNqNOwCZOJGmhu66cy6ImUn94k+lP1MJQrWe1l7yE1eO3xHmG4ivUmuQ5xaCI14ZMfegPIWOTIWpAXwSVws5aPrV+auCX8VIFhdtGEgirXMWbww9pfgP65qrF9b/Xczrssb1wdIadW/hMLANGj653p7IiANAX+khDrvJrDWsiZsYcGCpZYyjs/EkJnLjgqXPX+Xla1Qy++JCwZdWgDhB+pEEKi3Q7bDXS8baxb1jGCCVPQUZX4X+YAv2pWLqAiL+5xpl5pbv+qRzFqUPia9jLSVTdBlDDr5YqPkATTUWaG85BNs+7lxho9WeoSrvgw+W3SZUwZKniCuA/sZ8IpKWrIc4xio/SGE4CaX7VxL8pbe36yJ1/evbWIkUAP+78CQRCMtk2EV9GVqd+aLFQSpFHQgbGORxneiH3CNi+lYWuavGdQzZejhv/Wd9XbE8cFMdBO9aVn2yKDsxaW1pODZn31rTAVmkls7X9mAqv8XZvsHgl4265dE+tBYuEI/dPs91P8lLy49hjAOUURkqZ/IguYBLRP/
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3674.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(376002)(366004)(396003)(346002)(39860400002)(4326008)(110136005)(316002)(6506007)(6486002)(2616005)(6512007)(33656002)(66556008)(2906002)(66476007)(76116006)(8936002)(66446008)(8676002)(64756008)(478600001)(66946007)(85182001)(186003)(66574015)(5660300002)(71200400001)(26005)(83380400001)(85202003)(36756003)(86362001)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?MDZnelBCUzVyQ3d5U0QyV28rZWJ6ZC9MZlNpZEMzbUJpVGtPcjFJKy8vbFQv?= =?utf-8?B?dEtlT282Yng2YnR0ZWR3MmtpYkhqbnRGbkdPSFlMK2J6YnFpaTc5TTAveEVD?= =?utf-8?B?b0syNDhYajZXOEJwRFVqMDBaYUpGV0l0R3RoaFJ1VzZVcUFsZDlSTFhSbnhY?= =?utf-8?B?U1oyZU1lTGF1dG1ObnBHWFVHL2tWcnpJNHFSMWRSenNnZFBBeXh1aDBiVTlm?= =?utf-8?B?bWdrbWh2OUpuSWdxeFo2OWNXRWp3R1ZJUWtaQnpYS2FpSWhRWFNBT1ZDOFVt?= =?utf-8?B?MU9OaCt4YzdBLyt5K3pYd2hlcTZZWmpQanNIUWtYamgrMEFwWStNTXQvbDM3?= =?utf-8?B?S2pKWHQ2RFQ0ZVFXZjRsWWl0L2p0VFVNaEwxUG1MQnN4TVFBWlNzaHp4SW5J?= =?utf-8?B?S0pqWkJMY3R3R3dXVTUyY0JUM05qKzNnVzB1c1FjeitJZUxieEp4UFZEQWU2?= =?utf-8?B?QWFqYVVHaFlHK3lEN1g0bHVoOVU1bHZBeXQvZXBOTjVOdDFzQWNIOFcwek5t?= =?utf-8?B?VHI1czVmME1Cd1I5Ykkvd1NZTW43N0lyUEs0U0VkL0ZoMTlxaXJaZWJwVWg4?= =?utf-8?B?cjRlZkdjSnE5OTdCVUM4b3FVblRWMThlaGJtZHA2SVFOM0ZZNXF2RnQzcGp3?= =?utf-8?B?TEJQWDJObEhkM3MzSW5BL1k5Qks4VnM5MDFyajdsTitLT3lRNzZsUUMxUlBC?= =?utf-8?B?aW9EZzlhTHpCSjEzZmFtTWM4dXJMZkhKRHp5UFR1dzBQNFp6SEh0V1Z2WGZF?= =?utf-8?B?OXVBQU1GbUx5RmxEbU4xbW95SVZ2aC90Qk4rYzlMRjNaTGdtNlpFVEpwVHhx?= =?utf-8?B?dDFRb2FPK2tpTXpaejRCWU9LMTNQMGIvSEdveUs2UVJHd3BRZUowNkcyWml1?= =?utf-8?B?RFZnNS94UkVvekt2clpUV3cwKzhQZ0lPTHR1a3ZvWXY3V1EvaERIczF1akQ3?= =?utf-8?B?RmdmZjJtUm1QdytrS2dob2diRU45UEprMFNGR0Rsc0tJUHB6bkpPeHBIR1lt?= =?utf-8?B?MGE5V1FuRnlSUUxHOE1zbVpUajZKT0pxeWNFeW1qcGZ4TnVrSkJnVmliMjNi?= =?utf-8?B?M0szejEwY1R3UGVjZlhWTGJ3UHYxVnhZUm5qRVhLR3JlUU43QXpSNEtuTnJ0?= =?utf-8?B?M2dSanhYSnZiR0ZBaEZyU2FSbkFIWVJlUk9XUER5Rk5EZDhIRlp5NVJoTTls?= =?utf-8?B?ZG1LajlzeExoakk2MWljaTVNMzFRcURwT1pKUFErcnJjejNpeW0vb2p3dUhL?= =?utf-8?B?b0hwaXBzN1dobkVkZ1NZM0ZqWVBjYzdCR2d4UEdFWFFoUE1MbE02ZWx2YTVv?= =?utf-8?B?SlVnSlljVzRORHV6T0VWdkdJcmpHaVJzSEVNRGU4VFhrODNjeGI1aEJaUlpt?= =?utf-8?B?VkpQR3I1aC9xNUxWaEUyZ1pTS2JjRXhac21wN2RyTVhsbHF2bm90R0twcWZz?= =?utf-8?B?dG11UDdYUXMxZjJSQUJwSlBySHNPeGtnODBLYjNIeldhMTBKYkk2aVYvNGRQ?= =?utf-8?B?cUtVRnhneG1IQU1ES2lUMjZqOHFJOWtUTkwyN241TkQ5OXNVWHpiVktKTTA4?= =?utf-8?B?MXJBelM3VU85SmszY1VucFI1d0ZqQnNwOTRZV2RvUi80S3lyVU9PYXJjaVRq?= =?utf-8?B?UjUzd0xRbXp0OThPd2kyU1hHcEVsTDNPM3VTREg4WE1EYzZ3SlhzNzl5NmJh?= =?utf-8?B?dkpvc3p4TDQ2bjJjdGVMbWc0SDRhbjgrdjNMU3V3VTQ2UUdjQ1hCeksrZjd1?= =?utf-8?Q?/7CcbYwqeCEZrXoKX65qPuFMnnIirXycIqXxMQm?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <99FAB70080218D4DB8583E74CE780B44@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3674.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4bcfc18d-c955-46ea-0285-08d8df291033
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Mar 2021 16:17:53.0387 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Eqb0/ukSMcU3GdYThMo4xDfERzJ+IYj+3AUtUUTMwGRPbKetyhc0VSTyICdD4ScoVSCdcd3tg+3VGp24FNrFlBPOeeKCVcTtZyijpuFKZPw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2955
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/eFTLOMtlbRauA7pBxb4KWwJjT68>
Subject: Re: [Ace] minor comments on draft-ietf-ace-oscore-profile-16
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Mar 2021 16:18:10 -0000

Hi Ben,

Thanks for good comments. 

Starting with the second comment, I agree the text "mutual authentication" in the figure should appear after the first exchange. It seems to have been left and forgotten during the ASCII art session. It is described in Section 4 so could be removed from the figure if it isn't possible to find a place for it to print well.

On 2021-03-04, 03:29, "Benjamin Kaduk" <kaduk@mit.edu> wrote:

    Hi all,

    I was going through the four drafts that have been "waiting for writeup"
    for a while, to check that the latest changes are good and they are ready
    to go once the last point from the secdir review of
    draft-ietf-ace-dtls-authorize is wrapped up.  In short: they are, but I had
    a couple comments on the OSCORE profile that might help improve it.

    In section 2, we have some discussion:

       The use of nonces during the exchange prevents the reuse of an
       Authenticated Encryption with Associated Data (AEAD) nonces/key pair
       for two different messages.  Reuse might otherwise occur when client
       and RS derive a new Security Context from an existing (non- expired)
       access token, as might occur when either party has just rebooted, and
       might lead to loss of both confidentiality and integrity.  Instead,
       by using nonces as part of the Master Salt, the request to the authz-
       info endpoint posting the same token results in a different Security
       Context, by OSCORE construction, since even though the Master Secret,
       Sender ID and Recipient ID are the same, the Master Salt is different
       (see Section 3.2.1 of [RFC8613]).  If nonces were reused, a node
       reusing a non-expired old token would be susceptible to on-path
       attackers provoking the creation of OSCORE messages using old AEAD
       keys and nonces.

[GS] Here is a proposal to address your first comment. There are already nonce qualifications in partial use so it didn't make sense to me to insert extra adjectives on every occasion. See below.

      The use of nonces during the exchange prevents the reuse of an
       Authenticated Encryption with Associated Data (AEAD) nonces/key pair
       for two different messages. 

[GS] In the sentence above the difference between the nonces should be clear, right?

      Reuse might otherwise occur when client
       and RS derive a new Security Context from an existing (non- expired)
       access token, as might occur when either party has just rebooted, and
       might lead to loss of both confidentiality and integrity.  Instead,
       by using nonces as part of the Master Salt, the request to the authz-

[GS] "Instead, by using the exchanged nonces as part of the Master Salt, ..."

       info endpoint posting the same token results in a different Security
       Context, by OSCORE construction, since even though the Master Secret,
       Sender ID and Recipient ID are the same, the Master Salt is different
       (see Section 3.2.1 of [RFC8613]).  If nonces were reused, a node

[GS] "If the exchanged nonces were reused, ... "

       reusing a non-expired old token would be susceptible to on-path
       attackers provoking the creation of OSCORE messages using old AEAD
       keys and nonces.

[GS] "... the creation of an OSCORE message using an old AEAD key and nonce."

[GS] In the rest of the document we would use nonce without qualification as it is referring to the exchanged value. Is that clear enough or do you want a consistent adjective throughout the draft?

Thanks,
Göran



    Where we talk about how the nonces (N1 and N2) exchanged during the
    authz-info request/response are used to prevent the use of nonce+key
    combinations for the AEAD used for the OSCORE messages.  But there's really
    two classes of nonce: the ones for the AEAD, and the ones used in
    constructing the master salt.  Whenever we just say "nonce" or "nonces"
    there is potential for ambiguity, so we might want to add an adjective
    every time we use the word, as tedious as it is to do so.


    Also in Section 2, I just wanted to check on the location of the "mutual
    authentication" indication -- currently it's show after the second OSCORE
    Response, but I am not sure why it is not achieved after just the first
    Request/Response exchange that performs proof of possession.

    Thanks!

    -Ben