[Ace] questions on draft-ietf-ace-key-groupcomm-06
Daniel Migault <mglt.ietf@gmail.com> Thu, 21 May 2020 18:49 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B70A43A0602 for <ace@ietfa.amsl.com>; Thu, 21 May 2020 11:49:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEbIppfBDDvI for <ace@ietfa.amsl.com>; Thu, 21 May 2020 11:49:35 -0700 (PDT)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C20C3A065A for <ace@ietf.org>; Thu, 21 May 2020 11:49:35 -0700 (PDT)
Received: by mail-vs1-xe32.google.com with SMTP id u7so4679695vsp.7 for <ace@ietf.org>; Thu, 21 May 2020 11:49:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=z6NmPDwMuFAV3os6HrWun9sYI5iFOWlnDlS43EwRJU4=; b=RLRYJQDXgqODO6ihkqt8H7hAc0E7BRTvGk8gu2M5FSnaI1nhmX46tmheIiszgMmkkO /YW9CvN8L7RIBnRprwHzY/qkMm0VLeQlsJunS9ihStRMh9dBgzBJAB2NPMNkFjyL62y0 OkLBJYEZLWFn4+T/MohLrC7BNIgQos+U2uWz1EFwUFLgMTvDSGzjGdEKEXsHXhQudLne 05dQWxOCNqlX1YGXt6Ud0ll03dnHgdAHP+0so2C0f65f84gtXm27fxZIpS6WFtbXWRvR +RinXpjeVK25ZYOrJDXUu4Fk10OeG+jFzh8hY59r/2XPQ+Rzq+mi4br8RHJhScYvknsq LFlg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=z6NmPDwMuFAV3os6HrWun9sYI5iFOWlnDlS43EwRJU4=; b=boneLNX+SyhRzuedGGpO/b+m/a18WnNvGxQpNfnPa8xpwWH7wc/dAMlbvzgQwA6VuN RfkENH+mGuZW/iUv8TWqJe+gOOuJslMx3qQr9VMnzSj7Ur5+Z9KUG9SnBrmKm0fiDhC8 zillnKy1guQqCB4uVaysHBkeYlt4P+mChLvr3n5VcPYWG/MU+yFGPwilU+bfku2snH3t Bl/w1LPkIhwwSl3Gfg5bfzJ7UXX3mfkz2CWxlkZuxAzFPNAzd4D+9OFsXPXMiybWzzCl 69yDhhDEus6b6ecFYTX7IhnauqrL3QLibcONL+mKaIAoR6iB+OQyf/FMpumH7ggEEUnr skMQ==
X-Gm-Message-State: AOAM532Q0Ix67UT8nbynYXUFTS5e+nbqj+NHQ5aHLceoymuNPTIlcKOI Bmt1S2qHIBJEBYPNWgVPVTxLf7t7b4jXjvFJWDYplMK1
X-Google-Smtp-Source: ABdhPJxdHvDhTIcWpcv44lmaM0VhcOE5JoKKlhxkIg75rOBXfX6qawIXs1GMtqdOPKNkoOgQok24XIWdX8F6UR5/4Pw=
X-Received: by 2002:a67:cb96:: with SMTP id h22mr8642825vsl.97.1590086973120; Thu, 21 May 2020 11:49:33 -0700 (PDT)
MIME-Version: 1.0
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Thu, 21 May 2020 14:49:21 -0400
Message-ID: <CADZyTkkGfxe+EtHWN1-P9yM3Gwm-E2JCHPjhwfyfFTX8CgUU3w@mail.gmail.com>
To: Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000031e31b05a62cf946"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/stzPrkGq7Z2AyotJatnIuPlnpVE>
Subject: [Ace] questions on draft-ietf-ace-key-groupcomm-06
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2020 18:49:40 -0000
Hi, Please find some questions / comments regarding the draft draft-ietf-ace-key-groupcomm-06. I suspect that most of the questions are clarifications for me to better understand the context. Yours, Daniel Key Provisioning for Group Communication using ACE draft-ietf-ace-key-groupcomm-06 [...] 2. Overview +------------+ +-----------+ | AS | | KDC | | | .-------->| | +------------+ / +-----------+ ^ / | / v / +-----------+ +------------+ / +------------+ |+-----------+ | Client |<-' | Dispatcher | ||+-----------+ | |<-------->| (RS) |<------->|| Group | +------------+ +------------+ +| members | +-----------+ Figure 1: Key Distribution Participants The following participants (see Figure 1) take part in the authorization and key distribution. * Client (C): node that wants to join the group communication. It can request write and/or read rights. * Authorization Server (AS): same as AS in the ACE Framework; it enforces access policies, and knows if a node is allowed to join a given group with write and/or read rights. * Key Distribution Center (KDC): maintains the keying material to protect group communications, and provides it to Clients authorized to join a given group. During the first part of the exchange (Section 3), it takes the role of the RS in the ACE Framework. During the second part (Section 4), which is not based on the ACE Framework, it distributes the keying material. In Palombini & Tiloca Expires 12 November 2020 [Page 4] Internet-Draft Key Provisioning for Group Communication May 2020 addition, it provides the latest keying material to group members when requested or, if required by the application, when membership changes. <mglt> The figure indicates the dispatcher as the RS. I have the impression that in our case the KDC could be seen as the RS that provides the necessary material to access the dispatcher. From the text it seems that no authorisation control is performed at the dispatcher, access is granted by the ownership of the (shared) keying material. For that reason I am wondering why do we consider the dispatcher as the RS instead of the KDC. </mglt> * Dispatcher: entity through which the Clients communicate with the group and which distributes messages to the group members. Examples of dispatchers are: the Broker node in a pub-sub setting; a relayer node for group communication that delivers group messages as multiple unicast messages to all group members; an implicit entity as in a multicast communication setting, where messages are transmitted to a multicast IP address and delivered on the transport channel. This document specifies a mechanism for: * Authorizing a new node to join the group (Section 3), and providing it with the group keying material to communicate with the other group members (Section 4). * A node to leave the group of for the KDC to remove a current member of the group (Section 5). * Retrieving keying material as a current group member (Section 4.3 and Section 4.4). * Renewing and re-distributing the group keying material (rekeying) upon a membership change in the group (Section 4.9 and Section 5). Figure 2 provides a high level overview of the message flow for a node joining a group communication setting, which can be expanded as follows. 1. The joining node requests an Access Token from the AS, in order to access a specific group-membership resource on the KDC and hence join the associated group. The joining node will start or continue using a secure communication association with the KDC, according to the response from the AS. <mglt> "continue using a secure communication" is here I think to indicate that establishment of a new secure communication is not necessary. If that is correct, we we could clarify that by adding the communication to the AS is secured. </mglt> 2. The joining node transfers authentication and authorization information to the KDC, by posting the obtained Access Token to the /authz-info endpoint at the KDC. After that, a joining node MUST have a secure communication association established with the KDC, before starting to join a group under that KDC. Possible ways to provide a secure communication association are DTLS [RFC6347] and OSCORE [RFC8613]. <mglt> The relation between the KDC (application) and the secure transport or communication is not entiorely clear to me. A secure communication includes authentication of the peers and encryption of the traffic. I suppose that encryption is performed by DTLS or OSCORE, but I am wondering if authentication and authorization are performed by the DTLS layer or by the KDC application. I have the impression that KDC is entirely relying on DTLS/OSCORE for encryption and authentication/authorisation because the text seems to assume that authz-info may be not protected. I thus assume authorization is characterized by the ability to set a DTLS/OSCORE session. Of course other information will be needed by the KDC (scope for exampel). If this use case makes sense, it might be good to clarify the interactions between dtls-authorized works, in particular how these access tokens ( the merged access token) are/is used. The other alternative could be to set an unauthenticated DTLS/OSCORE and then proceed to the communication of the access token. </mglt> [ ...] 3. Authorization to Join a Group This section describes in detail the format of messages exchanged by the participants when a node requests access to a group. This exchange is based on ACE [I-D.ietf-ace-oauth-authz]. As defined in [I-D.ietf-ace-oauth-authz], the Client requests from the AS an authorization to join the group through the KDC (see Section 3.1). If the request is approved and authorization is granted, the AS provides the Client with a proof-of-possession access token and parameters to securely communicate with the KDC (see Section 3.2). Communications between the Client and the AS MUST be secured, as defined by the transport profile of ACE used. The Content-Format used in the messages is the one specified by the used transport profile of ACE (e.g. application/ace+cbor for the first two messages and application/cwt for the third message, depending on the format of the access token). <mglt> At that point, I assume that Client to AS communication is secured via a standard DTLS session. I am wondering if the POST can be unsecured or is send over a secure channel. </mglt> The transport profile of ACE also defines a number of details such as the communication and security protocols used with the KDC (see Appendix C of [I-D.ietf-ace-oauth-authz]). Figure 3 gives an overview of the exchange described above. Client AS KDC | | | |---- Authorization Request: POST /token ------>| | | | | |<--- Authorization Response: 2.01 (Created) ---| | | | | |----- POST Token: POST /authz-info --------------->| | | Figure 3: Message Flow of Join Authorization 3.1. Authorization Request The Authorization Request sent from the Client to the AS is as defined in Section 5.6.1 of [I-D.ietf-ace-oauth-authz] and MAY contain the following parameters, which, if included, MUST have the corresponding values: <mglt> I believe that some parameters are mandatory. If that is the case, it would be good to explain which parameters are optional or mandatory. </mglt> * 'scope', containing the identifier of the specific group(s), or topic(s) in the case of pub-sub, that the Client wishes to access, and optionally the role(s) that the Client wishes to take. Palombini & Tiloca Expires 12 November 2020 [Page 7] Internet-Draft Key Provisioning for Group Communication May 2020 This value is a CBOR byte string, encoding a CBOR array of one or more entries. <mglt> from the text above I understand that the value is the output of a CBOR object, which somehow requires the CBOR compression to be run twice. I might be missing something, but it seems unclear to me why this should be different from: This value is an array of one or more entries. This is my understanding from the text: scope = [ entry, entry ] entry = [group_id, ([ role, role, ] )] </mglt> An entry has as value a CBOR array, which contains: - As first element, the identifier of the specific group or topic. - Optionally, as second element, the role (or CBOR array of roles) that the Client wishes to take in the group. This element is optional since roles may have been pre-assigned to the Client, as associated to its verifiable identity credentials. Alternatively, the application may have defined a single, well-known role for the target resource(s) and audience(s). In each entry, the encoding of the group or topic identifier (REQ1) and of the role identifiers (REQ2) is application specific, and part of the requirements for the application profile. <mglt> Maybe it would worth specifying the reference the REQ refer to. </mglt> [...] 3.2. Authorization Response The Authorization Response sent from the AS to the Client is as defined in Section 5.6.2 of [I-D.ietf-ace-oauth-authz] and MUST contain the following parameters: * 'access_token', containing the proof-of-possession access token. * 'cnf' if symmetric keys are used, not present if asymmetric keys are used. This parameter is defined in Section 3.2 of [I-D.ietf-ace-oauth-params] and contains the symmetric proof-of- possession key that the Client is supposed to use with the KDC. * 'rs_cnf' if asymmetric keys are used, not present if symmetric keys are used. This parameter is as defined in Section 3.2 of [I-D.ietf-ace-oauth-params] and contains information about the public key of the KDC. * 'expires_in', contains the lifetime in seconds of the access token. This parameter MAY be omitted if the application defines how the expiration time is communicated to the Client via other means, or if it establishes a default value. Additionally, the Authorization Response MAY contain the following parameters, which, if included, MUST have the corresponding values: * 'scope' containing the granted scope, if different from the scope requested by the client. This parameter has the same format and encoding of 'scope' in the Authorization Request, defined in Section 3.1. * Other additional parameters as defined in [I-D.ietf-ace-oauth-authz], if necessary. The proof-of-possession access token (in 'access_token' above) MUST contain the following parameters: Palombini & Tiloca Expires 12 November 2020 [Page 9] Internet-Draft Key Provisioning for Group Communication May 2020 * a confirmation claim (see for example 'cnf' defined in Section 3.1 of [RFC8747] for CWT); * an expiration time claim (see for example 'exp' defined in Section 3.1.4 of [RFC8392] for CWT); * a scope claim (see for example 'scope' registered in Section 8.13 of [I-D.ietf-ace-oauth-authz] for CWT). This claim has the same encoding as 'scope' parameter above. Additionally, this claim has the same value of the 'scope' parameter if the parameter is present in the message, or it takes the value of 'scope' in the Authorization Request otherwise. The access token MAY additionally contain other claims that the transport profile of ACE requires, or other optional parameters. As in [I-D.ietf-ace-oauth-authz], these parameters are included in the payload, which is formatted as a CBOR map. The Content-Format "application/ace+cbor" is used. When receiving an Authorization Request from a Client that was previously authorized, and for which the AS still owns a valid non expired access token, the AS MAY reply with that token. Note that it is up to application profiles of ACE to make sure that re-posting the same token does not cause re-use of keying material between nodes (for example, that is done with the use of random nonces in [I-D.ietf-ace-oscore-profile]). <mglt> I am wondering if it is expected the client reads the values contained in the access_token. I suppose not, and even when the acces_token is not encrypted the client is supposed to pass the access token as opaque data to the KDC. Is that correct ? I am also wondering how the AS could inform which transport are available to the KDC. What is a little bit unclear to me is when the access token is combined with another access token from the transport layer. I suppose that the two tokens are "merged" in some ways and I am wondering if the transport access token is expected to include those of the upper layers in our case the KDC. </mglt> 3.3. Token Post The Client sends a CoAP POST request including the access token to the KDC, as specified in Section 5.8.1 of [I-D.ietf-ace-oauth-authz]. If the specific transport profile of ACE defines it, the Client MAY use a different endpoint than /authz-info at the KDC to post the access token to. <mglt> I think the overview section mentions application/cwt is used for that exchange. I think it might be helpful to specify that post uses application/cwt since later we indicate that application/ace+cbor may carry another meaning. It might worth updating this section as well. I also have the impression that the response to the post is called "AS Request Creation Hints". If that is correct, the designation is misleading, as hints are not targeting the AS in the case. Maybe that would be good to indicate this is this exchange that is being considered with a different meaning as it has been defined in the framework. If that is still correct, I am wondering how the client can make a difference between the AS Request Creation Hints as a Response that provides additional information related to the group communication. In particular I am wondering if parameters are used to distinguish these two responses. </mglt> Optionally, the Client might want to request necessary information concerning the public keys in the group, as well as concerning the algorithm and related parameters for computing signatures in the group. In such a case, the joining node MAY ask for that information to the KDC in this same request. To this end, it sends the CoAP POST request to the /authz-info endpoint using the Content-Format "application/ace+cbor". The payload of the message MUST be formatted as a CBOR map, including the access token and the following parameters: * 'sign_info' defined in Section 3.3.1. Palombini & Tiloca Expires 12 November 2020 [Page 10] Internet-Draft Key Provisioning for Group Communication May 2020 * 'pub_key_enc' defined in Section 3.3.2, encoding the CBOR simple value Null, to require information on the exact encoding of public keys used in the group. Alternatively, the joining node may retrieve this information by other means. After successful verification, the Client is authorized to receive <mglt> I am wondering if the verification goes beyond the signature validation. The remaining of the text seems also to assume that ace+cbor is used. Is that correct ? </mglt> the group keying material from the KDC and join the group. In particular, the KDC replies to the Client with a 2.01 (Created) response, using Content-Format "application/ace+cbor" defined in Section 8.14 of [I-D.ietf-ace-oauth-authz]. The payload of the 2.01 response is a CBOR map. If the access token contains a role that requires the Client to send its own public key to the KDC when joining the group, the CBOR map MUST include the parameter 'kdcchallenge' defined in Section Section 3.3.3, specifying a dedicated challenge N_S generated by the KDC. <mglt> I am wondering how the client provides the public key, and I am wondering if the public key is not provided through the access_token to the KDC. If that would be correct, it seems then that the key is provided by the AS or the access token instead of the client. Maybe the public keys are those of the members of the group. </mglt> The Client uses this challenge to prove possession of its own private key (see the 'client_cred_verify' parameter in Section 4). <mglt> I have not yet read section 4, but it seems that additional exchanges are performed that goes beyond the Token post exchange. If my understanding is correct, I am wondering if that description fits the title of this section. </mglt> Note that the payload format of the response deviates from the default as defined in the ACE framework (see Section 5.8.1 of [I-D.ietf-ace-oauth-authz]). The KDC MUST store the 'kdcchallenge' value associated to the Client at least until it receives a join request from it (see Section 4.2), to be able to verify the proof of possession. The same challenge MAY be reused several times by the Client, to generate new proof of possessions, e.g. in case of update of the public key, or to join a different group with a different key, so it is RECOMMENDED that the KDC keeps storing the 'kdcchallenge' after the first join is processed as well. If the KDC has already discarded the 'kdcchallenge', that will trigger an error response with a newly generated 'kdcchallenge' that the client can use to restart the join process, as specified in Section 4.2. If either of 'sign_info' or 'pub_key_enc' were included in the request, the KDC MAY include the 'sign_info' parameter defined in Section 3.3.1, optionally including the 'pub_key_enc' parameter Section 3.3.2. The 'sign_info' parameter MUST be present if the POST request included the 'sign_info' parameter and/or the pub_key_enc with value Null. The encoding of the 'sign_info' parameter in the response is defined in Section 3.3.2. Note that the field 'id' takes the value of the group identifier for which the 'sign_info' applies to, in this specification. Palombini & Tiloca Expires 12 November 2020 [Page 11] Internet-Draft Key Provisioning for Group Communication May 2020 Note that the CBOR map specified as payload of the 2.01 (Created) response may include further parameters, e.g. according to the signalled transport profile of ACE. Applications of this specification MAY define alternative specific negotiations of parameter values for signature algorithm and signature keys, if 'sign_info' and 'pub_key_enc' are not used (OPT2). 3.3.1. 'sign_info' Parameter The 'sign_info' parameter is an OPTIONAL parameter of the AS Request Creation Hints message defined in Section 5.1.2. of [I-D.ietf-ace-oauth-authz]. <mglt> The text can be read as 'sign_info' is defined in Section 5.1.2. I believe that clarifying the response is designated in the framework as AS Request Creation Hints but has a different meaning here may solve this issue. </mglt> [...] 3.3.2. 'pub_key_enc' Parameter The 'pub_key_enc' parameter is an OPTIONAL parameter of the AS Request Creation Hints message defined in Section 5.1.2. of [I-D.ietf-ace-oauth-authz]. This parameter contains information about the exact encoding of public keys to be used between the Client and the RS. Its exact content is application specific. In this specification and in application profiles building on it, this parameter is used to ask the KDC information about the encoding of public keys used in the group. The CDDL notation of the 'pub_key_enc' parameter formatted as in the request is given below. pub_key_enc_req = nil <mglt> It is not entirely clear to me what pub_key_enc is about. It is the format of the public key itself or the encryption algorithm ? Then it is unclear to me which public key is referred to. "public keys used in the group" make me think of a private/public key that is shared by all members of the group. This public key is used with the RS, that is the dispatcher, not to authenticate the client. Am I correct ? </mglt> 3.3.3. 'kdcchallenge' Parameter The 'kdcchallenge' parameter is an OPTIONAL parameter of the AS Request Creation Hints message defined in Section 5.1.2. of [I-D.ietf-ace-oauth-authz]. This parameter contains a challenge generated by the KDC and provided to the Client. The Client may use this challenge to prove possession of its own private key in the Joining Request ((see the 'client_cred_verify' parameter in Section 4). <mglt> I suppose that will be clarified in section , but of "its own private key" make me think that the key in question is to authenticate the client, instead of the key used for the group. If that is correct, it is unclear to me why there is a need to authenticate the client and why this should not be performed instead by the AS. It seems I am missing something here. </mglt> 4. Keying Material Provisioning and Group Membership Management [...] Upon receiving a request from a Client, the KDC MUST check that it is storing a valid access token from that Client for the group identifier assiciated <mglt> associated </mglt> to the endpoint. If that is not the case, i.e. the KDC does not store a valid access token or this is not valid for that Client for the group identifier at hand, the KDC MUST respond to the Client with a 4.01 (Unauthorized) error message. 4.1. Interface at the KDC The KDC is configured with the following resources. Note that the root url-path "ace-group" given here are default names: implementations are not required to use these names, and can define their own instead. The Interface Description (if=) Link Target Attribute value ace-group is registered (Section 8.9) and can be used to describe this inferface. <mglt> interface. </mglt> -- Daniel Migault Ericsson
- [Ace] questions on draft-ietf-ace-key-groupcomm-06 Daniel Migault
- Re: [Ace] questions on draft-ietf-ace-key-groupco… Francesca Palombini