IETF Logo Mail Archive

[Anima] Pinning of raw public keys in Constrained Vouchers

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 27 May 2019 02:50 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C1A3120234 for <anima@ietfa.amsl.com>; Sun, 26 May 2019 19:50:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iLBMHnMi0j1T for <anima@ietfa.amsl.com>; Sun, 26 May 2019 19:50:47 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2159412022E for <anima@ietf.org>; Sun, 26 May 2019 19:50:46 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 6D3AB3808A; Sun, 26 May 2019 22:49:42 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 1052DD91; Sun, 26 May 2019 22:50:43 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 0EF1283B; Sun, 26 May 2019 22:50:43 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
CC: Esko Dijk <esko.dijk@iotconsultancy.nl>, Jim Schaad <ietf@augustcellars.com>, Göran Selander <goran.selander@ericsson.com>
X-Attribution: mcr
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 26 May 2019 22:50:43 -0400
Message-ID: <31898.1558925443@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/s7eQDRrfXxvfmQD4FMobsJfHBxU>
Subject: [Anima] Pinning of raw public keys in Constrained Vouchers
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 May 2019 02:50:49 -0000

I've been trying to improve the text to better explain pinning of registrar keys
(rather than certificates), in order to resolve
   https://github.com/anima-wg/constrained-voucher/issues/18

and also to remove as many bytes on the wire required to do constrained
enrollment, the question came up.  The registrar identity crosses
the wire three times!

1) the registrar sends it's identity (whether raw public key or
   certificate) during the DTLS or EDHOC handshake,

2) the pledge sends the registrar's identity in the voucher-request (signed),

3) then the MASA sends the registrar's identity in the voucher (signed).

Couldn't we send a hash of identity in (2) and (3), and to do this we need a
new element in the constrained voucher.  This I've given the mouthful name
of:  proximity-registrar-sha256-of-subject-public-key-info
and: pinned-sha256-of-subject-public-key-info
(knowing that the YANG->SID process will turn this into a small integer).

A sha256 hash is 32-bytes in size.
A 256-bit ECDSA key is about 32-bytes in size.
An equivalent 2048-bit RSA key is 256 bytes in size.
So the hash only wins if we use bigger ECDSA keys, or if we use RSA.
(okay, so there are a few bytes for the subject-public-key-info (SPKI) wrapping,
which also provides algorithm agility)

We could truncate the hash if we felt this was still secure enough
We could add the length of the thing (the RPK) being hashed if that would
help with pre-image attacks, but that's mostly already there in the SPKI
encoding, but I suppose an attacker might find a way to prepad with nonsense
DER.

Please help me decide if this is a useful thing to do.
If it's useful, is it useful enough to drop the pinned-domain-subject-key-info?

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email