IETF Logo Mail Archive

Re: [Ace] draft-ietf-ace-key-groupcomm-oscore

Marco Tiloca <marco.tiloca@ri.se> Fri, 31 January 2020 11:23 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A345120814; Fri, 31 Jan 2020 03:23:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=risecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z3Ke3UX9EYSa; Fri, 31 Jan 2020 03:23:54 -0800 (PST)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2086.outbound.protection.outlook.com [40.107.21.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0F31120127; Fri, 31 Jan 2020 03:23:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TXfEvlYs0d13Ld9b/uchZ2h29BRSmdhb7UxQCcsBHJUzKD/FXMOSautZjl9ChwwjyaMCMgqur0lKpHFQCUDY9Iz+zeIzhxTa0Elbr9ZXQUHDlEGcrrVDrXzqxXguxFQho69dAN5pmuoIDNyDLsRQZrjHQbeBva46wvOeuWFO8v08iXHMWuCRaSQUnZ+wkfafsJSCuGwHUT4kMXBGEKG4VBAG316kPLQNyNHWbuad10lyNus7vRz+CqAd1Lgd734CzsHnnz2kb/ZrYzrv3xM1npOSmKE/AogT/9yjSOocsua+00yupY3WjLT+3rZmX7JOli0vcVUuBQnBnGSHdUkd2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VPwYN7XQcfW655/4/Bw8iESheImCkk8GFHizUtyFceU=; b=QV9djyWKsB3vRXA8l0AR+6RcZ30pzRDamnpDoem+hLpK45aQ7UDNXtRLr9IFBud9RDy2riw4FPEnaCLawZ3X4oGGmbXSv62JfByUkGcfEWsdaQguGWUyqlnEy5Osz7XPk0Bp0UgAxvNKADv3Y2q9AMeuhSpXRgIObn932JolfWj4cwu89+REooiWbzvQvkV+E4LVmloEhXvJn0T8kzuyU6NCzTPYWr4bSGM0UIYCU6FnWuTxSdKNumw/DHL+tF+O9VZmQJ8m5GgE7YKa/qtdkZRSdA27huLkBXru1GdSm+aGdXrBdwCzi87pBM0tmj3h6KlZ+R3f81B7hVmlQ6YnHQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=RISEcloud.onmicrosoft.com; s=selector1-RISEcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VPwYN7XQcfW655/4/Bw8iESheImCkk8GFHizUtyFceU=; b=idY6TtaPyxaEHcy13DnJQ/tzUmccO34ul1geuJNIHvZFxNHqmThBAvJ9/48AbXvHoB2mYWjvLY3aYZZMw68Gg3Lm6FSmoew6uW2UU7vuPGeameB/j6MnD8DNEk+YJirXRcMtTtCtdxz/uMg7Fxcn9bfuGu9xNTWBfOQM/o/Rg2E=
Received: from VI1P189MB0398.EURP189.PROD.OUTLOOK.COM (10.165.195.159) by VI1P189MB0270.EURP189.PROD.OUTLOOK.COM (10.165.196.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2686.27; Fri, 31 Jan 2020 11:23:49 +0000
Received: from VI1P189MB0398.EURP189.PROD.OUTLOOK.COM ([fe80::3485:ce83:891b:469]) by VI1P189MB0398.EURP189.PROD.OUTLOOK.COM ([fe80::3485:ce83:891b:469%4]) with mapi id 15.20.2665.027; Fri, 31 Jan 2020 11:23:49 +0000
Received: from [10.8.8.25] (89.187.189.217) by VE1PR08CA0030.eurprd08.prod.outlook.com (2603:10a6:803:104::43) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2665.22 via Frontend Transport; Fri, 31 Jan 2020 11:23:46 +0000
From: Marco Tiloca <marco.tiloca@ri.se>
To: Jim Schaad <ietf@augustcellars.com>, "draft-ietf-ace-key-groupcomm-oscore@ietf.org" <draft-ietf-ace-key-groupcomm-oscore@ietf.org>
CC: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: draft-ietf-ace-key-groupcomm-oscore
Thread-Index: AdXUuS1YkeMOHqDuQo661Ct1JSFA6wDb7EgA
Date: Fri, 31 Jan 2020 11:23:49 +0000
Message-ID: <9dea28ee-c4c0-40b9-68bc-c78cfad9d40c@ri.se>
References: <010b01d5d7c3$47d36ad0$d77a4070$@augustcellars.com>
In-Reply-To: <010b01d5d7c3$47d36ad0$d77a4070$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-clientproxiedby: VE1PR08CA0030.eurprd08.prod.outlook.com (2603:10a6:803:104::43) To VI1P189MB0398.EURP189.PROD.OUTLOOK.COM (2603:10a6:802:35::31)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=marco.tiloca@ri.se;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [89.187.189.217]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 457f54e4-e555-49fe-c699-08d7a6400b2d
x-ms-traffictypediagnostic: VI1P189MB0270:
x-microsoft-antispam-prvs: <VI1P189MB0270F48865E9EC02DA36304F99070@VI1P189MB0270.EURP189.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 029976C540
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(376002)(346002)(396003)(39860400002)(199004)(189003)(478600001)(26005)(8936002)(16576012)(966005)(16526019)(8676002)(316002)(31696002)(110136005)(66946007)(86362001)(186003)(956004)(71200400001)(53546011)(64756008)(66556008)(66476007)(66616009)(66446008)(81156014)(81166006)(66574012)(52116002)(6486002)(5660300002)(44832011)(2616005)(31686004)(4326008)(2906002)(36756003); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1P189MB0270; H:VI1P189MB0398.EURP189.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ri.se does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: IsDBBpzN0fSrtNTBOGgtJqjigf3iP1D4QrNPOQCjwGZ0850XGC/FiL70fwALBlDGNl1XwlVTzdVQtmPqlwxHnTVAa7MeGl26kcJROJiyDIDjSNs98BvroapHf3iZQ7uKLMNE27ZJTRAls2gNvoY6lKjLRGFCHzgusYk6kt0mWa9dqyvAZ9qNi+J5IQBvq6OA2gbfeBsboGA35ktn4f8HNVWwaNN0LH1Yj7XGcUNR2tyhiac9ueUaaVFjuJZF509uuzEl8JDK5v7EZT+7J5XSE4N39JNJ9NbpL3mM4piYGzZYBqmkjhUPWFP1ITqRoQlA8Z6o4NXkKKOY2Bo2j3KdR/3ZiLdOPOBhQ/p8OQl5STmXctGwoQYgTDtBBYU3d2IEd8hu1BZEUTKkuNYLVaAHmQrDIydlBVRyhNhaKPhKJNyBWsnCUuPvawHKqv5KVrF+ii4l/kThunMVkTRGJJFyGv3ejRrh3ezD3Cyw5f0jOjzFPNajsA3guWIR88UsUGElaMvSUb0hgMZLlzR/rUsumw==
x-ms-exchange-antispam-messagedata: Go/+t2nytPBFQmLN7ffYcjydNb9Dg/hzDO0/sjFmsGU3Ce9YQFkxUi6odQwGnRRHbRhmLPR0fu3OFeR5FPO1Ma7yWBcFl+xyUKFUPDCK6xnDu8ekZefejUOlEkdhYW2+uZaZW71cvvUSHcOLNMyJew==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="o1tXIBc1u3bqw8HDpngxr0NaEIBA4vtgu"
MIME-Version: 1.0
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: 457f54e4-e555-49fe-c699-08d7a6400b2d
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Jan 2020 11:23:49.4430 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 8BdvI0Dkk0QZ2g5I5KZY08BjY5Zow2ObOWN8Bzl9oH9URU3aFzt2gDyM6tRhFsu3eZKYhwvGaUHAKKwawCfTkQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1P189MB0270
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/qTDvbzrCCqe_FhjADLDqZXs_GZo>
Subject: Re: [Ace] draft-ietf-ace-key-groupcomm-oscore
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2020 11:23:57 -0000

Hi Jim,

Thanks for these comments!

Please, find some replies below.

Best,
/Marco

On 2020-01-31 00:16, Jim Schaad wrote:
> This is not a finished review - but I wanted to get it out.
>
> Jim
>
>
> General - Should the concept of a legal requester be part of the information
> that is transported with the public key?  I don't believe that this is
> currently done, but would additionally allow for a server to ignore comments
> from individuals who are not authorized for that role.

<MT>
This can be indicated in the public key, and then the Group Manager
indicates this "role" to other group members, when providing them with
the public key of the legal requester.

However, how can the Group Manager verify that a legal requester is
indeed one, as its public key claims? If we stick to raw public keys,
this seems not possible as the only thing that the Group Manager really
does is verifying possession of the corresponding private key upon joining.

This would probably require certificates rather than public keys, as
provided in the 'client_cred' parameter upon joining, which is something
that ace-key-groupcomm is anyway admitting, while we are just not doing
it here. Then, it becomes about trusting the certificate issuer on
legitimately claiming that the certificate owner is indeed a legal
requester.
</MT>

>
> Section 2.2 - must new security parameters be regenerated on each membership
> change?

<MT>
If the application really requires forward and backward security, yes.
This is further discussed in the first security consideration of Section 14.

Related, more general aspects about this are discussed in the security
considerations of ace-key-groupcomm. In particular, the Group Manager
may want to enforce a more relaxed policy than "on each membership
change", though making some compromise on the continuity of backward and
forward security.
</MT>

>
> Section 2.2. - Does completion of a group rekeying include confirmed
> redistribution before the version number is incremented?

<MT>
I would say no, but regardless it's something to clarify, possibly
already in ace-key-groupcomm .

Having the Group Manager generated and sent out the new keying material
is sufficient to also increment the version number.

It is good that the Group Manager can also get confirmation of
distribution, mostly for possible individual re-provisioning, possibly
up to a maximum number of retries.

Worst case, some group members remain behind, will not be able to
retrieve a context or decrypt correctly, and will eventually go to the
Group Manager to understand the current status, including the latest
version number, and get the latest group key material.
</MT>

>
> Section 4.2.1 - I think that we are going to need a discussion on a couple
> of issues related to the OSCORE half of how these values are going to be
> created.  Pieces of the discussion are: 1. What is the POP her going to try
> and prove.  Specifically is timeliness part of the discussion.  2. What do
> we do about  token which grants access to multiple topics.  Is joining the
> second group considered to be a re-join rather than an original join for the
> purposes of this discussion?  3.  What are the interactions about cached
> public keys, when are these ok and how is this communicated to the client as
> a failure?

<MT>
Sure. Some comments on your points for the discussion:

1. Ultimately the POP is about the owned private key used to sign by the
joining node. Building this part of the challenge this way ties the
challenge itself with the OSCORE context the two peers have. This is the
same construction we have in [1] for building a signature challenge, so
probably both documents would likely be affected.

2. Tokens covering multiple groups/topics are a next thing to define in
ace-key-groupcomm. Adapting this challenge-based POP will follow. As a
general case, the client wants to use different public keys in different
groups, which would mean providing one POP signature for each key. Then,
the N_S challenge can be as follows:

--- If the Access Token is posted to /authz-info , the RS returns an
array of N_S, i.e. as many as the number X of groups/topics in the
'scope' of the token. Since the client may then upload Y < X public keys
(some of which for more than one group), the client should include in
the joining request Y signatures, together with the respective used Y
N_C nonces and Y N_S nonces of the X provided by the Group Manager.

--- If a TLS exporter is used, 'context_value' has to be non empty, e.g.
it can include the public key or a hash of it. For simplicity, we may
want to have 'context_value' always non empty, i.e. also when only one
public key is involved and even in the simple case of one group/topic only.

--- In the OSCORE case, HMAC-Hash may take as 'salt' one more
concatenated element, e.g. the public key or a hash of it. For
simplicity, we may want to have 'salt' always including this additional
element, i.e. also when only one public key is involved and even in the
simple case of one group/topic only.

3. Cached public keys and how to handle them are discussed later in
Section 5. If something goes wrong, the joining process fails and the
Group Manager sends error responses as described in Section 4.3.


[1]
https://tools.ietf.org/html/draft-tiloca-ace-group-oscore-profile-01#section-3.1

</MT>

>
> Section 4.3 - Does it make sense to return a new rsnoce as part of these
> errors?
>

<MT>
That's certainly possible, though I am not sure of the advantage,
compared to sticking to the first one returned in the response to the
Token POST.
</MT>

>

-- 
Marco Tiloca
Ph.D., Senior Researcher

RISE Research Institutes of Sweden
Division ICT
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

Phone: +46 (0)70 60 46 501
https://www.ri.se

v2.23.0 | Report a Bug | By Email