IETF Logo Mail Archive

Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE

Michael StJohns <mstjohns@comcast.net> Tue, 26 July 2016 16:13 UTC

Return-Path: <mstjohns@comcast.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6887912B00E for <ace@ietfa.amsl.com>; Tue, 26 Jul 2016 09:13:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.976
X-Spam-Level:
X-Spam-Status: No, score=-3.976 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BtC61mqOzQTF for <ace@ietfa.amsl.com>; Tue, 26 Jul 2016 09:13:54 -0700 (PDT)
Received: from resqmta-po-06v.sys.comcast.net (resqmta-po-06v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:165]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E461512D81E for <ace@ietf.org>; Tue, 26 Jul 2016 09:08:05 -0700 (PDT)
Received: from resomta-po-07v.sys.comcast.net ([96.114.154.231]) by resqmta-po-06v.sys.comcast.net with SMTP id S4rib4ekVjWBpS4tpbq1ft; Tue, 26 Jul 2016 16:08:05 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1469549285; bh=y9u/8YRQFJco39nGZjbKkc72WhuLrUhDNS8oZ/Y0NAw=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=evutyFGI64TDesssIkpmAuSDHd+nCbEIj3c2+FWGA9+BprqZCJEMaxEjyMhMWpled uZL32TEfMm/gpjnvtP94Swj4eFZ02QI1B8PH1B+p1uQDXWAbPX6Iw0pCvaGKBYOIBu DHq3J7T6OGMO0pK2qWzZfW2Gg4iFgd9W5cMjUJymZ86KAmLYtMPI4Wp950RbPTYD1m gyNqhMGQWN3wKbIXlATrYzC8lwsJF9FwvmTTa0w8s6BMyPETN73mR2h2HW7cpLR1Ff CBgGXjVBf8kOyCv+NdkU73PcZJFa3BjwZ7ou/ieYa5kRwBgoSDlT1MdNPAKcgbCwI/ 2zOC3wjLpi6+g==
Received: from [IPv6:2601:148:c000:1951:ccd7:589d:2636:a1d] ([IPv6:2601:148:c000:1951:ccd7:589d:2636:a1d]) by comcast with SMTP id S4tobUrMWxDxbS4tobdBDK; Tue, 26 Jul 2016 16:08:05 +0000
To: ace@ietf.org
References: <578F4D59.8050005@gmx.net> <5E393DF26B791A428E5F003BB6C5342AB3716D64@OC11EXPO33.exchange.mit.edu> <23666.1469091857@obiwan.sandelman.ca> <95b0103c-ba2d-6cd8-6241-228df46e530b@sics.se> <8ca27108-a8b9-7b07-e752-656247716708@comcast.net> <HE1PR0601MB22030003D2913DA6096CB3E4FC0D0@HE1PR0601MB2203.eurprd06.prod.outlook.com> <a318cda7-ebf2-5a5c-d86a-9d67fb41a82f@comcast.net> <HE1PR0601MB2203D1C2C96278B23D71AD31FC0D0@HE1PR0601MB2203.eurprd06.prod.outlook.com> <f293e325-bea2-5c27-c677-563f05c60da0@cs.tcd.ie> <bf8531981ecd4a0db3607f9ef5328d38@VI1PR9003MB0237.MGDPHG.emi.philips.com> <8bbc028d-0960-3f93-ccc2-e8746fd98ca6@gmail.com> <579d47e5f90a43e194135e8c46c82159@VI1PR9003MB0237.MGDPHG.emi.philips.com> <CAHbuEH4Z071rdTf=x0bUKd3tkt_r-0k5-vXsYYeoHQrgH1AnTg@mail.gmail.com> <CAHbuEH6CnhHPoJ+pSsYxuUur-AQscLeHsJmEBs4je_cGAeLGsA@mail.gmail.com>
From: Michael StJohns <mstjohns@comcast.net>
Message-ID: <de53e908-9b1f-fe74-46fa-a78a07b8ea76@comcast.net>
Date: Tue, 26 Jul 2016 12:08:13 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CAHbuEH6CnhHPoJ+pSsYxuUur-AQscLeHsJmEBs4je_cGAeLGsA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------661B2A5520A9274192F0E8D1"
X-CMAE-Envelope: MS4wfLluE0VKA9fLfG+9wRtbD7g2OJje51YAZ/2KIgKl3YoO+0s9QkFDZd0RIyIgaSgf4ZGjBHRc58lgm+XFJmBHwQBU3OA4jCOxF2jwWxS1MtgCBrl+6hjJ dxktKAN9ruhjjVoGBAjjOcDdbXgyI54UqD6hL5ufQPCHqjvr5opPxrcFrK4xG+QUI3y3bXPBH8crow==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/fduCT2nLyyAqMjaHo6zzmA-g-bY>
Subject: Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2016 16:13:57 -0000

On 7/26/2016 11:20 AM, Kathleen Moriarty wrote:
> Just to note, I'm interested to see Mike's response on why this higher 
> level of security is necessary in terms of a threat model.  I'm not 
> convinced it is for lightbulbs, but that depends on how the threat 
> model/solution is scoped and the advice for use - lightbulbs of 
> current day capabilities and not other IoT devices with higher risk 
> factors.
>

Hi Kathleen -

Can you describe how you would prevent this protocol from being used in 
"lower security threat environments"?  I can't and I've thought about 
how to write in various crippling conditions in the protocol structure 
without any useful conclusions.

Given that, and given that public key cryptography has the desired 
security properties, I remain unwilling to support symmetric key 
multicast for any cyberphysical protocol.  It's too risky and way too 
shortsighted.

Or put another way - you might as well use hashed passwords for the 
lighting problem - it has similar security properties to symmetric key 
multicast for control.

If we went forward with this, you'd need one of the biggest, blackest 
Black Box warnings on the protocol that we could conceive of to try to 
constrain this to the "low level of security" domains:

DON'T Use this protocol for anything but lighting control.
DON'T Use this protocol where the the maximum output of the lighting 
system could present a fire, thermal or blinding threat to safety.
DON'T Use this protocol to control lighting systems involved in 
decontamination and sterilization. (E.g. UV decontamination).
DON'T Use this protocol to control any power outage backup lighting system.
DON'T Implement this in a way that prevents local physical override of 
the lighting systems.

I'm sure there are others.

Mike



> Thanks,
> Kathleen
>
> On Tue, Jul 26, 2016 at 10:52 AM, Kathleen Moriarty 
> <kathleen.moriarty.ietf@gmail.com 
> <mailto:kathleen.moriarty.ietf@gmail.com>> wrote:
>
>     Hello,
>
>
>
>     On Tue, Jul 26, 2016 at 7:10 AM, Kumar, Sandeep
>     <sandeep.kumar@philips.com <mailto:sandeep.kumar@philips.com>> wrote:
>
>         Hi Rene
>
>         Makes more sense this way. Need to also add replay protection
>         but that should be just part of the hash. Will it make things
>         better for user experience? That depends on how big the pool
>         of (good randomized) pre-computed values can be created before
>         they run out and causes a stuck behavior.
>
>
>     If things can be made better, we should of course do that. 
>     However, there are risk tradeoffs that sometimes make sense.  If
>     it is not possible to precompute keys for speed, storage or some
>     other reason, we need to figure that out and have it factored into
>     a threat model.  This should all be part of a security
>     considerations section (whatever is decided).  We are talking
>     about cyber physical devices and controllers, in this case
>     lightbulbs. Sure, lightbulbs are evolving, so it may make a
>     difference if we are talking about lightbulbs that can turn
>     on/off, dim, change colors, or ones that perform other functions
>     (MIT Media Lab type stuff). It also matters if we are talking
>     about use of lights within a controlled area and whether it is
>     connected to other networks or not (IoT devices, Internet,
>     protected network, etc.).  No one is suggesting that the same key
>     be used in multiple environments, but a single group key for one
>     environment.
>
>     There are always tradeoffs in security and that's okay.  What is
>     the bigger threat model?
>
>     Lights turning on/off in large buildings could result in increased
>     energy costs.
>     Lights turning on/off could result in safety issues (they could be
>     extreme).
>
>     What measures would mitigate these (and maybe other risks)? 
>     Suggest dividing up large buildings into sets so that a single
>     group key could be used in that set.  Limit connections to other
>     networks or have protective measures between them.
>
>     Maybe someone in this space can help more to build out the threat
>     model to help the WG with this decision.  There are still some
>     unanswered questions about the capabilities of hardware, are the
>     alternate solutions to a group key feasible?  Will blocking the
>     use of a single group key prevent the ability to move forward with
>     a standard?
>
>     Thanks,
>     Kathleen
>
>         Regards
>
>         Sandeep
>
>         *From:*Rene Struik [mailto:rstruik.ext@gmail.com
>         <mailto:rstruik.ext@gmail.com>]
>         *Sent:* Tuesday, July 26, 2016 3:00 AM
>         *To:* Kumar, Sandeep; Stephen Farrell; Somaraju Abhinav;
>         Michael StJohns; ace@ietf.org <mailto:ace@ietf.org>
>
>
>         *Subject:* Re: [Ace] Adoption of Low Latency Group
>         Communication Security Work in ACE
>
>         Hi Sandeep:
>
>         Fair enough, but with, e.g., ECDSA, computation of the
>         ephemeral key R:=kG can be carried out independently of the
>         remainder of the signature computation (where one computes
>         e:=h(m), and calculates s:=(1/k)(e-r*d)(mod n) and
>         subsequently outputs (r,s), where r is derived from R). So, if
>         one wishes to, one can pre-compute many ephemeral key pairs
>         (k, kG) and use those on demand {David Naccache, if I remember
>         correctly, elaborated on these types of "labor division" in a
>         1998 paper}. So, in the Philips high-granularity luminary, the
>         one simply hashes the state (still only a few-bytes entry) and
>         then combines e with r, d, k, to produce signature component s
>         -- a simple linear equation with two modular multiplies as cost.
>
>         Let's make things better...
>
>         Rene
>
>         On 7/25/2016 5:34 PM, Kumar, Sandeep wrote:
>
>             Because sometimes a lightswitch can have more than two states.
>
>             http://images.philips.com/is/image/PhilipsConsumer/6916431PH-IMS-en_GB?wid=494&hei=435&$pnglarge$
>
>             The color dial on this switch (src:
>             http://www.philips.co.uk/c-p/6916431PH/livingcolors-remote-control)
>             can set the color of lights one chooses. That would be
>             quite some precomputations.
>
>             Sandeep
>
>             -----Original Message-----
>             From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of
>             Stephen Farrell
>             Sent: Monday, July 25, 2016 9:26 PM
>             To: Somaraju Abhinav; Michael StJohns; ace@ietf.org
>             <mailto:ace@ietf.org>
>             Subject: Re: [Ace] Adoption of Low Latency Group
>             Communication Security Work in ACE
>
>             On 25/07/16 17:59, Somaraju Abhinav wrote:
>
>             > we essentially have 50-100 ms for the
>             signing+verification process and
>
>             > I do not know of a solution that does this
>
>             Just a clarifying question: why can't the signing possibly
>             be done asynchronously? E.g. the private key holder could
>             sign a value that will only be sent later - as long as it
>             has one of those ready to emit whenever needed one can
>             ignore the signing time. That can have power consumption
>             consequences but I'd guess that's ok for a lightswitch.
>
>             If signing can be done ahead of time, then only
>             verification time has to be considered.
>
>             S.
>
>             ------------------------------------------------------------------------
>
>             The information contained in this message may be
>             confidential and legally protected under applicable law.
>             The message is intended solely for the addressee(s). If
>             you are not the intended recipient, you are hereby
>             notified that any use, forwarding, dissemination, or
>             reproduction of this message is strictly prohibited and
>             may be unlawful. If you are not the intended recipient,
>             please contact the sender by return e-mail and destroy all
>             copies of the original message.
>
>
>
>             _______________________________________________
>
>             Ace mailing list
>
>             Ace@ietf.org <mailto:Ace@ietf.org>
>
>             https://www.ietf.org/mailman/listinfo/ace
>
>         -- 
>
>         email:rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com>  | Skype: rstruik
>
>         cell:+1 (647) 867-5658 <tel:%2B1%20%28647%29%20867-5658>  | US:+1 (415) 690-7363 <tel:%2B1%20%28415%29%20690-7363>
>
>
>         _______________________________________________
>         Ace mailing list
>         Ace@ietf.org <mailto:Ace@ietf.org>
>         https://www.ietf.org/mailman/listinfo/ace
>
>
>
>
>     -- 
>
>     Best regards,
>     Kathleen
>
>
>
>
> -- 
>
> Best regards,
> Kathleen
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace

v2.23.0 | Report a Bug | By Email