Re: [Ace] ACE Implementation for Disadvantaged Environments

Sebastian Echeverria <secheverria@sei.cmu.edu> Mon, 28 January 2019 20:20 UTC

Return-Path: <secheverria@sei.cmu.edu>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8A2A1311E0 for <ace@ietfa.amsl.com>; Mon, 28 Jan 2019 12:20:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sei.cmu.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJpfjFcguR82 for <ace@ietfa.amsl.com>; Mon, 28 Jan 2019 12:20:02 -0800 (PST)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B3C81311DF for <ace@ietf.org>; Mon, 28 Jan 2019 12:20:02 -0800 (PST)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x0SKJrxu013664; Mon, 28 Jan 2019 15:19:53 -0500
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu x0SKJrxu013664
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sei.cmu.edu; s=t52kn2igOmwp; t=1548706798; bh=NTxVK/iipavGGtgPqWGh52HqbeGF1RtnqYd97AdjfCA=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=eAlz6tzPzFq3EsCrCSHCdSFgCbofWxmWXvMJCg1srjydNoAbX3e/tRufU1mctz5pl AVbpmc8XVlVchrXOMnjYzc8LGvFI/tJAN4SCiT9WSWPNEgjzgW/TPDQ+GM/bFxolJW zKg/8ZCPF/eka8JpWpBvP64E9P0saIv2xCh5LXUA=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x0SKJpWe029517; Mon, 28 Jan 2019 15:19:51 -0500
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0435.000; Mon, 28 Jan 2019 15:19:51 -0500
From: Sebastian Echeverria <secheverria@sei.cmu.edu>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: Grace A Lewis <glewis@sei.cmu.edu>, "ace@ietf.org" <ace@ietf.org>, "Dan Klinedinst" <djklinedinst@cert.org>
Thread-Topic: ACE Implementation for Disadvantaged Environments
Thread-Index: AQHUs0cwxz8vJeWIVUGFns83Bt0/66XEercQgAA76QCAABjZAIAAAtXQgABP35A=
Date: Mon, 28 Jan 2019 20:19:50 +0000
Message-ID: <45D237D6DC600143A1C52C1C82BEBD1AAC927B8D@marathon>
References: <11C08BF5-0060-459C-99DC-EABEA88DF44B@sei.cmu.edu> <VI1PR0801MB211293C28BD614D6CD8D7254FA960@VI1PR0801MB2112.eurprd08.prod.outlook.com> <0FCF1038-D6C8-4C25-9B4C-E493EB817592@sei.cmu.edu> <7387610A-D857-49FE-9964-77D54CDDA2F4@sei.cmu.edu> <VI1PR0801MB21120BD915B4E99352EC25F9FA960@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB21120BD915B4E99352EC25F9FA960@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: multipart/alternative; boundary="_000_45D237D6DC600143A1C52C1C82BEBD1AAC927B8Dmarathon_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/hiw_3oTaTFQmyLL-Vd9BL8bQT5Y>
Subject: Re: [Ace] ACE Implementation for Disadvantaged Environments
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jan 2019 20:20:06 -0000

Hi Hannes,

Regarding your questions:

1. “How easy do you think would it be to port the code to some other OS? (or in other words: how tightly have you coupled it to Contiki?)”


-          Most of the code is called by Contiki processes, so it is not that coupled, and the cn-cbor and TinyDTLS dependencies are independent from Contiki. The code depends on two main things from Contiki: the Erbium CoAP server, and the CFS file system. The coupling with Erbium is not that strong, but wherever the code is ported, it would need a CoAP/CoAPs server on that OS, or the actual porting of a subset of Erbium (which I guess is doable, but it may be substantial work). The dependency on the CFS file system is for storing keys and tokens, and that would need to be adapted to whatever another OS offers, though this dependency is fairly contained in one module, and changes should not be that hard.

2. “Is the COSE/CWT parsing library separable from the rest? “


-          Yes, it is fairly separable from the rest, other than the fact that it uses cn-cbor for cbor parsing, and TinyDTLS for AES decryption. However, at the moment it is very limited in terms of COSE parsing, only supporting the COSE wrapper and cypher suites we are actually using/supporting in our implementation.

3. “For the 300 Kb flash: does this contain the firmware update mechanism?”


-          No, this does not include the firmware update mechanism.

Any more questions, just let me know.

Thanks,

Sebastian

From: Hannes Tschofenig [mailto:Hannes.Tschofenig@arm.com]
Sent: Monday, January 28, 2019 10:19 AM
To: Sebastian Echeverria <secheverria@sei.cmu.edu>
Cc: Grace A Lewis <glewis@sei.cmu.edu>du>; ace@ietf.org; Dan Klinedinst <djklinedinst@cert.org>
Subject: RE: ACE Implementation for Disadvantaged Environments

Hi Sebastian,

Thanks for the details. How easy do you think would it be to port the code to some other OS? (or in other words: how tightly have you coupled it to Contiki?)

Is the COSE/CWT parsing library separable from the rest?

For the 300 Kb flash: does this contain the firmware update mechanism?

Ciao
Hannes

From: Sebastian Echeverria <secheverria@sei.cmu.edu<mailto:secheverria@sei.cmu.edu>>
Sent: Montag, 28. Januar 2019 16:06
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Cc: Grace A Lewis <glewis@sei.cmu.edu<mailto:glewis@sei.cmu.edu>>; ace@ietf.org<mailto:ace@ietf.org>; Dan Klinedinst <djklinedinst@cert.org<mailto:djklinedinst@cert.org>>
Subject: Re: ACE Implementation for Disadvantaged Environments

Hello,

Here is some more information about it:

-          We used Contiki as the base/OS for the code. More specifically, we forked from the 6lbr project (https://github.com/cetic/6lbr), as that version already had some code for handling DTLS connections and AES encryption in it.
-          We are using the TI CC2538dk board as our constrained target platform.
-          The implementation has support for the DTLS profile, using pre-shared keys, as this was enough for our use case.
-          The implementation handles CWT tokens.
-          We modified the Erbium CoAP server in 6lbr to be able to simultaneously listen for CoAP and CoAPs connections (using TinyDTLS underneath).
-          The implementation uses the cn-cbor library for decoding CBOR data.
-          The implementation supports receiving tokens at the authz-info endpoint, and then giving access to a couple of sample resources based on the claims from the received tokens.
-          The implementation has some additional optional features related to our disadvantaged network environments, such as bootstrapping of the PSK credentials, and detecting revoked tokens through introspection.
-          The current binary is around 300 kb, which is good enough for the 512 kb flash on the TI boards, though it may be a bit too large for a class II device. We can probably make it a bit smaller. In terms of RAM, it fits in the 32 KB available on the TI boards.

Best,

---
Sebastian Echeverria
Tactical Technologies Group (TTG)
Software Engineering Institute
Carnegie Mellon University



From: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Date: Monday, January 28, 2019 at 5:05 AM
To: Grace Lewis <glewis@sei.cmu.edu<mailto:glewis@sei.cmu.edu>>, "ace@ietf.org<mailto:ace@ietf.org>" <ace@ietf.org<mailto:ace@ietf.org>>
Subject: RE: ACE Implementation for Disadvantaged Environments

Congrats to the work. Could you say a little bit the (constrained) resource server implementation?

Ciao
Hannes

From: Ace <ace-bounces@ietf.org<mailto:ace-bounces@ietf.org>> On Behalf Of Grace A Lewis
Sent: Mittwoch, 23. Januar 2019 19:12
To: ace@ietf.org<mailto:ace@ietf.org>
Subject: [Ace] ACE Implementation for Disadvantaged Environments

Hello,

I just wanted to make the group aware of our ACE implementation (SEI-ACE), which includes an implementation for a resource-constrained server.

Details available in this news article: https://www.sei.cmu.edu/news-events/news/article.cfm?assetid=539184

Article includes the link to our Git repo.

Enjoy!

- Grace Lewis

______________________________________________
Grace A. Lewis, Ph.D.
Principal Researcher and TTG Initiative Lead
Carnegie Mellon Software Engineering Institute
Software Solutions Division (SSD)
Tactical Technologies Group (TTG)

4500 Fifth Ave. #5412
Pittsburgh, PA 15213
Phone: (412) 268-5851
http://www.sei.cmu.edu/staff/glewis

“A change in perspective is worth 80 IQ points” --- Alan Kay
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.