[Ace] Group Communication Security Disagreements
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 21 July 2016 09:04 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F5BF12DC33 for <ace@ietfa.amsl.com>; Thu, 21 Jul 2016 02:04:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.888
X-Spam-Level:
X-Spam-Status: No, score=-3.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BO7Z1LPxGtxK for <ace@ietfa.amsl.com>; Thu, 21 Jul 2016 02:04:46 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD83E12DC24 for <Ace@ietf.org>; Thu, 21 Jul 2016 02:04:45 -0700 (PDT)
Received: from [192.168.10.131] ([31.133.155.135]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0LcSWg-1b1JXR12F4-00jnn5 for <Ace@ietf.org>; Thu, 21 Jul 2016 11:04:43 +0200
To: "Ace@ietf.org" <Ace@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <57909032.10809@gmx.net>
Date: Thu, 21 Jul 2016 11:04:50 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="3PQBejWtXeQ9dj04NfMXlkH7Rxt12X2n1"
X-Provags-ID: V03:K0:2D83wcHeGpyhgyk7C2/c+8CWi5SnmB6Bp5lVZ+PZJLcnM5qZ1wY oQt5D89Q8g5/hF+UQtT0+C+6TJoUt3gk8cUxLdrXh7P9VWGsaoXyCW8kuGUOPtShR0MwdSI IAu0Dhm1mEHyJHNld/r/3FJVNR/Bxf44MWqdNgDMjSwJsp7GMfKE2+MqoPUse57E0Py3QlE +vvblzJExBUPNrlf3Qf+A==
X-UI-Out-Filterresults: notjunk:1;V01:K0:Z60gNU30/nY=:bK3t6dovHXQWwFy5lzPP9x RNxr+j0/3Ha9PpBujtJ6KgAZpL7SeSDQIvU6dJKNjVXLNhkykQ5ZqOZlEmAHcWpDJpeTCfQN5 zAGHBoJb5Hdvcc7wt7xm/zfDUQ/54mb4wc2MGTa/oTp8ddjBwVKiY6BLbNq7oTUozKyEr2SJx hr7sahMNuWssKA1typYqedGGDba2s1CfkP/ynPbp7N1N6iVKdrBRbAbG2+4Mag67dWPgE8Yx/ UqH2Dfo27Usv/YtkbFI6z2rM8S3IAmlGlI/fXncTkjmfLTbdP6S7blpOvpZ8ArMRENA/rFT5B lL8dsGNmLVfj1h/D6yEKUxuUuyf643SkaphkvSvKgaxrTxRcJU8myg8qLOoMNsn9uk8CQ6OBm 2h0uz1Q0AFwbGCf8Pvmv45E3A8UgRDTEYq4zUKhV4FX+/TveFzmrnEU+WGhVFy10Q3vEd/ZQ9 nlPxNE8eP0F8Gvo9rbDnA/IihuXzduG2/X5nV0CabivkHEC0HHgwr0t+57t81zP0xtB7jhYhy v0yyz/WqjnyrPnvKfh2VZPcbKBe+jwyqV0Fk1cig5HgO7S3mTGRgkqSHk9YOYeeGXSqc5uHkz Y5bt8F3olmF5z80BbAKTw7plAygbudMyMyE7Yc1UnMirFx3zUWzmQDu82WSj6apZ47O4wOaJX hkX0Dkq1g4mnzr1iulACxH58+CEZp1Kl2sw85pjcNsYbfWSzkBtIOapibwCQ4KuBuzKtbNYdv vd+1c/cAf/HEv+FDRgLuIVFm9NZ1Xgyd4ATlxpIzdisSGaaBY1zYPT/S2jI=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/wbO4UFkdVmksqlYZCNWOYmBEcY8>
Subject: [Ace] Group Communication Security Disagreements
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 09:04:48 -0000
Hi all, this is an attempt to summarize the discussions around the group communication security topic from the ACE meeting yesterday. Please correct me if I am wrong. The concern is the following: How can we ensure that a compromised IoT device, which is part of a multicast group, is unable to trigger actions at other nodes? The underlying assumption is that one can use the obtained group key to then trigger actions that such a device would normally not be able to do. Here is an example: Imagine a luminare A that belongs to a group that consists of a light switch and other luminaires. Luminare A gets compromised and is not able to issue on/off commands to other luminaires in that group. Normally, only the light switch would issue such commands. The story then continues that such a compromised luminare would then also be able to issue commands to a door lock. So far, so good. Here is the disagreement. Some folks in the group believe that in order to disallow a compromised luminare to have such a functionality we need to introduce source authentication. So, instead of using symmetric group keys we would be using digital signatures and the luminaires in our example would then verify whether the command came from a light switch. Some other folks, including myself, believe that we would not just use the group key to determine the authorization decision but would instead rely on the authorization mechanism to prevent larger harm. This means that a compromised luminare would indeed turn on and off other luminaires in the group but they would not be able to successfully send commands to a door lock since those would (a) not use group communication and (b) if they use group communication then that would require an interaction with the authorization server to first obtain a different group key for such an interaction. Most likely there is no need for a luminare to obtain a group key for communicating with a door lock. As a way forward it was suggested to explore the use of digital signatures and to make use of some of the more recent developments done in the CFRG. So, if a researcher has free cycles please contribute your thoughts on this subject. What we would like to know is the following: * How large would a message be when we use some command (like a CoAP packet) with an application layer digital signature (e.g., using COSE) using ECC? We are particularly interested in the verification operation. * What is the performance impact on processors in the M-class category? * What are the implications for power consumption? Here is my initial impression regarding the second aspect from a performance analysis I ran on an LPC1768. It took 458 msec to do a verify computation with optimization enabled* for a secp256r1 curve. The LPC 1768 demo board uses a ARM Cortex-M3 CPU running at 96MHz. I also did a performance test with the STM DISCO-F746NG, which uses a Cortex-M7 CPU running at 216 MHz. For the ECDSA secp256r1 verify operation it took 10, 205 msec. No hardware speedup or assembly optimizations were used in these tests. I believe we would need something that accomplishes the verify operation in about 150 msec to meet the delay budget we have since the verify operation is not the only processing task. Ciao Hannes *: Optimizations in this case means: - NIST Optimization Utilizes special structure of NIST chosen curves. Appendix 1 of http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf Longer version in FIPS PUB 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf - Fixed Point Optimization: Pre-computes points, as described in https://eprint.iacr.org/2004/342.pdf - Window: Technique for more efficient exponentiation Sliding window technique described in https://en.wikipedia.org/wiki/Exponentiation_by_squaring
- Re: [Ace] Group Communication Security Disagreeme… Michael Richardson
- Re: [Ace] Group Communication Security Disagreeme… Mohit Sethi
- Re: [Ace] Group Communication Security Disagreeme… Hannes Tschofenig
- Re: [Ace] Group Communication Security Disagreeme… Mohit Sethi
- Re: [Ace] Group Communication Security Disagreeme… Eliot Lear
- Re: [Ace] Group Communication Security Disagreeme… Hannes Tschofenig
- Re: [Ace] Group Communication Security Disagreeme… Eliot Lear
- Re: [Ace] Group Communication Security Disagreeme… Hannes Tschofenig
- Re: [Ace] Group Communication Security Disagreeme… Derek Atkins
- Re: [Ace] Group Communication Security Disagreeme… Eliot Lear
- Re: [Ace] Group Communication Security Disagreeme… Michael StJohns
- [Ace] (on signature verification times) Re: Group… Rene Struik
- [Ace] Group Communication Security Disagreements Hannes Tschofenig
- Re: [Ace] Group Communication Security Disagreeme… Derek Atkins
- Re: [Ace] Group Communication Security Disagreeme… Eliot Lear
- Re: [Ace] Group Communication Security Disagreeme… Paul Duffy
- Re: [Ace] Group Communication Security Disagreeme… Michael Richardson
- Re: [Ace] Group Communication Security Disagreeme… Grunwald, Markus
- Re: [Ace] Group Communication Security Disagreeme… Michael StJohns
- Re: [Ace] Group Communication Security Disagreeme… Michael Richardson
- Re: [Ace] Group Communication Security Disagreeme… Kathleen Moriarty
- Re: [Ace] Group Communication Security Disagreeme… Michael StJohns
- Re: [Ace] Group Communication Security Disagreeme… Ludwig Seitz
- Re: [Ace] Group Communication Security Disagreeme… Eliot Lear
- Re: [Ace] Group Communication Security Disagreeme… Somaraju Abhinav
- Re: [Ace] Group Communication Security Disagreeme… Eliot Lear
- Re: [Ace] Group Communication Security Disagreeme… Michael StJohns
- Re: [Ace] Group Communication Security Disagreeme… Eliot Lear
- Re: [Ace] Group Communication Security Disagreeme… Michael StJohns