IETF Logo Mail Archive

Re: [Ace] Update of access rights

Seitz Ludwig <ludwig.seitz@combitech.se> Tue, 05 May 2020 14:07 UTC

Return-Path: <ludwig.seitz@combitech.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12ADF3A07A5; Tue, 5 May 2020 07:07:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pF5TmQFQfVPc; Tue, 5 May 2020 07:07:53 -0700 (PDT)
Received: from weald.air.saab.se (weald.air.saab.se [136.163.212.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B45193A07A9; Tue, 5 May 2020 07:07:51 -0700 (PDT)
Received: from mailhub2.air.saab.se ([136.163.213.5]) by weald.air.saab.se (8.14.4/8.14.4) with ESMTP id 045E75H8009756 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 5 May 2020 16:07:05 +0200
DKIM-Filter: OpenDKIM Filter v2.11.0 weald.air.saab.se 045E75H8009756
Received: from corpappl16592.corp.saab.se (corpappl16592.corp.saab.se [10.12.12.98]) by mailhub2.air.saab.se (8.13.8/8.13.8) with ESMTP id 045E6qjK001028 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 5 May 2020 16:06:52 +0200
Received: from corpappl16593.corp.saab.se (10.12.12.125) by corpappl16592.corp.saab.se (10.12.12.98) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Tue, 5 May 2020 16:06:52 +0200
Received: from corpappl16593.corp.saab.se ([fe80::b4c9:ca69:a80d:fa3]) by corpappl16593.corp.saab.se ([fe80::b4c9:ca69:a80d:fa3%4]) with mapi id 15.01.1847.009; Tue, 5 May 2020 16:06:52 +0200
From: Seitz Ludwig <ludwig.seitz@combitech.se>
To: Francesca Palombini <francesca.palombini@ericsson.com>, Ace Wg <ace@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, Jim Schaad <ietf@augustcellars.com>
CC: "draft-ietf-ace-dtls-authorize@ietf.org" <draft-ietf-ace-dtls-authorize@ietf.org>, "draft-ietf-ace-oscore-profile@ietf.org" <draft-ietf-ace-oscore-profile@ietf.org>
Thread-Topic: Update of access rights
Thread-Index: AQHWIuI1Lkw8gf+fQkGotEAa9X56JaiZhN0A
Date: Tue, 05 May 2020 14:06:51 +0000
Message-ID: <3a43784230a343cabb594b30a08dee96@combitech.se>
References: <8063D003-2C48-4157-B80E-B7AF3D2099FC@ericsson.com>
In-Reply-To: <8063D003-2C48-4157-B80E-B7AF3D2099FC@ericsson.com>
Accept-Language: en-SE, sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.12.13.199]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Saab-MailScanner-Information: Please contact the ISP for more information
X-Saab-MailScanner-ID: 045E6qjK001028
X-Saab-MailScanner: Found to be clean
X-Saab-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-1.498, required 5, autolearn=not spam, ALL_TRUSTED -1.00, BAYES_00 -0.50, SURBL_BLOCKED 0.00, URIBL_BLOCKED 0.00)
X-Saab-MailScanner-From: ludwig.seitz@combitech.se
X-Saab-MailScanner-Watermark: 1589292413.44973@0Gut6Rg3MDqBKkZ0At8BrQ
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (weald.air.saab.se [136.163.212.3]); Tue, 05 May 2020 16:07:06 +0200 (CEST)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/y-7atNNq1So-JMR3wCctcurOTt8>
Subject: Re: [Ace] Update of access rights
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 14:07:57 -0000

Hello Francesca,

I have not followed this discussion in detail so excuse me if I missed an important detail. That said: I cannot understand why you would want to negotiate a new context in step 8 by sending N1'? At that point you have a functional OSCORE context established and could just send T2 associated to the same context Sec1. That is how I assumed it would work, if that is not clear we need to add text to the profiles to clarify.

It is a bit complicated code-wise to have an endpoint that is accessible both unprotected and with OSCORE, but I think it is feasible (however not be my in the ACE-Java codebase, @Marco?).

/Ludwig

-----Original Message-----
From: Francesca Palombini <francesca.palombini@ericsson.com> 
Sent: den 5 maj 2020 15:37
To: Ace Wg <ace@ietf.org>; Benjamin Kaduk <kaduk@mit.edu>; Jim Schaad <ietf@augustcellars.com>
Cc: draft-ietf-ace-dtls-authorize@ietf.org; draft-ietf-ace-oscore-profile@ietf.org
Subject: Update of access rights

Hi Ace chairs, DTLS authors, Ace framework authors, Ben,

TL;DR: we propose some changes on the OSCORE profile for the "update of access rights" scenario. We have comments for the DTLS profile and the ACE framework regarding this scenario, and we ask for feedback from ACE OSCORE implementers and Ace in general.

In an attempt to answer Jim's (https://github.com/ace-wg/ace-oscore-profile/issues/20) and Ben's (https://github.com/ace-wg/ace-oscore-profile/pull/30) review of the OSCORE profile, we have been thinking more about the case of updating access rights. This has revealed to us authors that something is missing from the document, and I believe that this part is not explicitly covered in the DTLS profile either, hence this email. 

This is the scenario, and what is currently defined in the OSCORE profile:

1. Client retrieves access token T1 from AS 2. Client posts T1 to RS, together with nonce N1 3. RS replies with 2.01 and nonce N2 4. Client and RS derive OSCORE Sec Ctx "Sec1" from T1 ("osc" object), N1, N2 5. Client uses Sec1 to protect its request to RS 6. RS uses Sec1 to verify request. Verification success => Sec1 is validated and associated with T1 (at the RS)
----
7. Client wants to update its access rights: retrieves T2 from AS. Note that this T2 has different authorization info, but does not contain input keying material ("osc"), only a reference to identify Sec1 ("kid" in "cnf") 8. Client posts T2 to RS, together with nonce N1'
9. RS replies with 2.01 and nonce N2'
10. Client and RS derive OSCORE Sec Ctx "Sec2" from T1 keying input material ("osc" object), N1', N2'
11. Client uses Sec2 to protect its request to RS 12. RS uses Sec2 to verify request. Verification success => Sec2 is validated and associated with T2 (at the RS) ; T1 is removed ; Sec1 is removed

In the document right now, we are missing the exact description of how in 8. RS identifies that this is an update of access rights for C, aiming at replacing T1. We propose to add text stating that (in 3. and 9.) RS MUST check the kid (in the "kid" in the "cnf" of the access token), and match it with existing security contexts, to realize that this is an update for an existing token associated to the sec ctx identified by kid.

Moreover, while comparing with DTLS profile, we realized there is no reason for which 8. should be sent unprotected. In fact, doing so opens up to possible attacks where an old update (token non expired) is re-injected to the RS by an adversary:

* Client sends T1 to RS  --> accepted
* Client sends update of access rights T2 --> accepted
* Client sends update of access rights T3 --> accepted
* Malicious node re-sends T2 --> accepted

Of course that could be mitigated with expiration times and with checking "issued at time" field (which is optional). But we believe even though these are good points (which might actually be worth adding to the framework), sending the token to the RS over the existing protected channel solves this issue. So we propose that 8. is protected with OSCORE and Sec Ctx Sec1. For DTLS authors: I believe Jim has extrapolated from your document that that is the case for the DTLS profile already, i.e. POST token to RS for update of access rights is over DTLS; I think it would be worth explicitly stating that in the DTLS profile.

Additionally, analogously to DTLS where the same channel is kept even if access rights are updated, I do not see any reason at this point to have the endpoints re-derive a new security context. This is the biggest change I propose, and can be summarized by replacing the points above as follows:

7. Client wants to update its access rights: retrieves T2 from AS. Note that this T2 has different authorization info, but does not contain input keying material, only a reference to identify Sec1 8. Client posts T2 to RS, *without nonce* *protected with Sec1* 9. RS *verifies that this is an update of access right, replacing T1 (associated with Sec1) ; Sec1 is associated with T2; T1 is removed *; RS replies with 2.01 *without nonce* *protected with Sec1* 10. Client uses *Sec1* to protect its request to RS

I can already see the objection from implementers: the authz-info endpoint at the RS becomes accessible both unprotected (in case the Client is posting a token for the first time, points 1. to 6.) and protected (in case Client needs to update rights, points 7. to 10.) I believe that defining a NEW endpoint at the RS for the "update rights" mechanism would be the best solution, but I understand that would require modifications to the framework that Ludwig probably would not want to do, as it might delay the document. I think these would in practice be 2 different endpoints with the same URI, one OSCORE protected and one unprotected. But I need more input from our implementers to know if this absolutely cannot be done.

Our proposal:
An RS receiving a token (point 2 and 8) MUST check the kid of the token against existing security contexts. If a match is found, but the POST was unprotected, reject. If a match is found AND the POST was protected using that same Sec Ctx identified by kid, update access rights. If a match is not found, derive sec ctx as defined before. These 2 endpoints also require different payload: posting the token for the first time unprotected requires a nonce, posting an update using OSCORE does not (and the nonce will be discarded if sent). 

Doing so answers Ben's point about 2 tokens being saved at the RS at the same time, while Sec2 is not yet validated (between 8. and 12. above), since it removes Sec2 altogether. As soon as T2 is verified, T1 can be replaced with T2.

Final point: what happens if the Client posts a second token T2 (to unprotected authz-info) which contains a different "osc" object, different kid etc. The RS will not be able to identify this Client as someone it already has a sec association with, and it will set up a different Sec Ctx with it. I think this is OK, as for it to be accepted, the AS had to provide such a token. The framework RECOMMENDS that an RS stores only one token per proof-of-possession key, which would still be valid, as different tokens would be associated to different Sec ctxs.

Any feedback or comment is appreciated. 

Thanks,
Francesca

v2.23.0 | Report a Bug | By Email