IETF Logo Mail Archive

Re: [Ace] use of object security

Malisa Vucinic <Malisa.Vucinic@imag.fr> Fri, 23 May 2014 16:44 UTC

Return-Path: <Malisa.Vucinic@imag.fr>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3C771A0743 for <ace@ietfa.amsl.com>; Fri, 23 May 2014 09:44:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.552
X-Spam-Level:
X-Spam-Status: No, score=0.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_BELOW2=2.154, HELO_EQ_FR=0.35, J_CHICKENPOX_12=0.6, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n-SRIzhp_Ukm for <ace@ietfa.amsl.com>; Fri, 23 May 2014 09:44:19 -0700 (PDT)
Received: from rominette.imag.fr (mx2.imag.fr [IPv6:2001:660:5301:59::17]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 090CD1A024A for <ace@ietf.org>; Fri, 23 May 2014 09:44:18 -0700 (PDT)
Received: from globule.imag.fr (globule.imag.fr [129.88.34.238]) by rominette.imag.fr (8.13.8/8.13.8) with ESMTP id s4NGi9qT010765 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 23 May 2014 18:44:09 +0200
Received: from stradioti.imag.fr (stradioti.imag.fr [129.88.49.44]) (authenticated bits=0) by globule.imag.fr (8.13.8/8.13.8) with ESMTP id s4NGiBrr004793 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 23 May 2014 18:44:11 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Malisa Vucinic <Malisa.Vucinic@imag.fr>
In-Reply-To: <3877.1400783928@sandelman.ca>
Date: Fri, 23 May 2014 18:44:12 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <FD2977B5-0A3E-4633-B26B-E9B29CED565B@imag.fr>
References: <1715C7B6-DC74-447B-B66D-B942D50FE933@imag.fr> <3877.1400783928@sandelman.ca>
To: Michael Richardson <mcr+ietf@sandelman.ca>, ace@ietf.org
X-Mailer: Apple Mail (2.1878.2)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.2 (rominette.imag.fr [129.88.30.17]); Fri, 23 May 2014 18:44:10 +0200 (CEST)
X-IMAG-MailScanner-Information: Please contact MI2S MIM for more information
X-MailScanner-ID: s4NGi9qT010765
X-IMAG-MailScanner: Found to be clean
X-IMAG-MailScanner-SpamCheck:
X-IMAG-MailScanner-From: malisa.vucinic@imag.fr
MailScanner-NULL-Check: 1401468253.75562@Kbm7ZPjTJ3XzUbTYSxMr/A
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/q78r-Y2xGfFSfJFEupO3U-zykPg
Subject: Re: [Ace] use of object security
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 May 2014 16:44:21 -0000

Hi Michael,

Thanks for your time to read the paper. My answers are inline.

Regards,
Malisa Vucinic

On 22 May 2014, at 20:38, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

> 
> subject was:
>        Subject: Re: [Ace] Adrian Farrel's Block on charter-ietf-ace-00-00:
>        (with BLOCK)
> 
> Mališa Vučinić <malishav@gmail.com> wrote:
>> I refer everyone interested to our DTLS-based architecture named OSCAR
>> (http://arxiv.org/pdf/1404.7799) that will be presented during IEEE
>> WoWMoM in June.
> 
> Very interesting.
> I think maybe your figure 1 appears too early, or appears without enough
> explanation, or perhaps is too detailed for that point in the paper.

Yes, we get that remark often… The goal with fig 1 was to present at an early stage
in the paper all that we aim to support and the design idea of having the constrained
device (producer) agnostic of the response type. It could be a classical GET 
request/response pair, response to a multicast request or an asynchronous update
to observers, the device needs to locally monitor the physical quantities and anticipate
the preparation of signed objects, which are then encrypted on a per response basis 
(encapsulated in encrypted objects).

You can then have the signed objects traverse the application level gateways and 
achieve nice end-to-end security properties even when the information is stored 
somewhere in the Cloud. 

> 
> You write that "The relation between j'th access secret Sj
>    and i'th resource Ri is dependent on authorization policies and the
>    desired level of confidentiality."
> 
> I guess the point is that the one can make Sj a "group" key, or
> distribute it on per-end-point basis, based upon the level of audit
> and paranoia.  

In terms of the communication security, yes, one could make Sj a group key, with group
members being the end points. From the authorization folks, however, I get the impression
that they would like to have access control with a granularity of RESTful resource 
so we thus have this hybrid approach in sense that we do not differentiate between 
pure communication security and authorization, rather try to approach both in one go.

> The whole thing is very similar to the pre-IKE
> IPsec SKIP mechanism, including the lack of crypto parameter negotiation.
>   http://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol
>   http://tools.ietf.org/html/draft-ietf-ipsec-skip-06

SKIP (and particularly multicast extension to SKIP) could fit as 'access secret' key 
management scheme of OSCAR which would deprecate the need for secure unicast
channels (DTLS) between the Authorization Server (AS) and each host. In our model 
hosts support DTLS (mainly for backwards compatibility with current CoAP spec) so 
given the authenticated channels, the key management scheme could be really 
simplified with all intelligence residing within AS, and with a simple push model for 
key updates over the secure channel.

Indeed, the derivation of the master key in SKIP is similar to the derivation of our
per-response encryption key in terms of the replay protection. Note though that 
we rely here on how CoAP handles the Message ID used for duplicate detection 
so a nice extension (and more appropriate for security usage) would certainly be
the counter mechanism of SKIP. 

> 
> You write earlier:
> 
>> Due to the physical constraints, the number of supported cryptographic
>> ciphers is limited. Indeed, constrained devices often have a single
>> supported cipher suite (selected at the compile time). This fact reverses
>> the paradigm encountered in the Internet where one of the security concerns
>> during the handshake is the downgrade attack (the attacker forces two
>> parties to use the weakest common
> 
> and later:
> 
>> The request contains  header carrying preferred content types. If capable,
>> server responds with the content supported by the client. Therefore, to
>> solve the interoperability issues, we require an additional accept option
>> carrying supported ciphers.
> 
> I am not yet convinced that:
>  a) the downgrade attack can be ignored.
>  b) that this permits us to incrementally deploy new cryptographic
>     protocols as the ones we have become weak over a multi-decade
>     deployment period of many IoT.

Yes, you are right that there is room for the downgrade attack once devices 
start supporting multiple ciphers, so in that sense the cipher negotiation 
approach in the paper is a bit limiting.

Off the top of my head, would it make sense to include the list of supported
ciphers in the certificate of a device, also specifying the default one? You
would need to update the certificate with firmware upgrades introducing new
ciphers but it seems doable? Then the device could use the default signature
algorithm to generate signed objects offline and when needed it would need to  
perform online signing (or depending on RAM available, perform offline signing
with multiple ciphers).

In the model, we require clients to fetch device (server) certificates from the AS so 
client would in that case have a-priori knowledge what ciphers a device supports.
Essentially, this would be reversing the current decision model in terms that
it would be the client who would decide which cipher is going to be used, but
it makes sense with the constrained device and small cipher set on the other 
side, no?

Then, the client can issue the request with the cipher accept option simply 
stating which cipher was chosen. To protect this from downgrade, client could
include in the payload of the request a pre-defined token encrypted from the
derived key (using the chosen cipher), where the derivation procedure from
the paper would need to be extended to include the cipher accept option field.

Does this make sense?

> 
> I am pleased that OSCAR is not shy about asymmetric operations.
> I am reminded of Jari's temperature sensor.  (You bring security to
> Jari's 4-bit microcontroller multicast temperature sender...)
> but, I think it would be easier to think of a light switch.
> 
> Imagine a light bulb receives a message from some sender that it should
> turn on.  But the light bulb is *already* turned on.  In that context,
> there may be no reason to always validate the asymmetric signature.
> This is similar to how the replay counter in IPsec works: if we already
> saw that packet, we can tell that without bothering to authenticate it.

Yes, in fact I was referring to these kinds of optimizations in my original post.
See bellow.

> 
> This assumes no active, on-path, attacker will bother to change an "off"
> signal into a "on" signal (invalidating the signature).  Such an attacker
> is easily caught, and so the attack is very unlikely to succeed.

In the model, only an attacker in possession of the group key (access secret)
can get to the signed objects. In that sense, signed objects should never traverse
the network in clear.

Coming back to the light bulb, it could locally cache ‘on’ and ‘off’ signed objects,
upon first validation. For the following receptions of on/off requests, the light bulb
would first need to decrypt the payload with the derived symmetric key and then
check if the received signed object is in cache (already seen packet from your IPsec
example). Now if you have this light bulb and appropriate switch as hosts in a 
synchronized network with global time awareness, you could easily add expiry 
field to the on/off commands and control for how long the signed objects can 
bounce over the network as valid, without overhead of signature verification.

Do you see any concerns here?

> 
> Is your contiki code available?
I will get back to you regarding this.
> 
> You write at the end:
>> However, as it (IPsec) resides in the Operating System kernel, it is
>> impractical for typical IoT applications.
> 
> 1) There is no requirement that IPsec be in the kernel,
>   the reason people put it there is so that it can act as
>   service for layer-4 protocols, but if you want to re-implement
>   those protocols (UDP is trivial) in userspace, one can easily
>   have IPsec in an application using a raw IP socket.
> 
> 2) when implemented over UDP, one can even have it in application
>   library.
> 
> 3) most IoT operating systems have no concept of a "kernel" anyway,
>   so the concern is really only on the more capable endsystems
>   (the smartphones and desktop systems) which want to talk to
>   the IoT devices.

Thanks for the clarifications, I wasn’t aware of user space IPsec possibility!

> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> 
> 
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace

v2.23.0 | Report a Bug | By Email