Re: [Atlas] Status Update
Abhijan Bhattacharyya <abhijan.bhattacharyya@tcs.com> Fri, 13 July 2018 17:19 UTC
Return-Path: <prvs=725043644=abhijan.bhattacharyya@tcs.com>
X-Original-To: atlas@ietfa.amsl.com
Delivered-To: atlas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 798D4130E5A for <atlas@ietfa.amsl.com>; Fri, 13 Jul 2018 10:19:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tcs.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id URsyBS7GZkbv for <atlas@ietfa.amsl.com>; Fri, 13 Jul 2018 10:19:09 -0700 (PDT)
Received: from indelg02.tcs.com (indelg02.tcs.com [203.200.109.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5D2D130E79 for <atlas@ietf.org>; Fri, 13 Jul 2018 10:19:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tcs.com; i=@tcs.com; q=dns/txt; s=default2048; t=1531502349; x=1563038349; h=in-reply-to:references:to:cc:mime-version:subject: message-id:from:date; bh=r8PRtWgVSE2MaMICL84Y4GNQ02TBrjO+vxJSZb5EchE=; b=SMiRr5MxD/qv+kZzLKaVfLQK4Cd/M1arzsOu6ps7Jd1QBn1bAP922P4F UMf0eOLXIq2Ovp7sF/gofcnTJPjZXD4lLYPYX+k+Tb2kwyL1GRt+qOvoj Ua46C8TIO00m/NKR9GxsrQ42DlNwwPOoOOAWteFto3eCfAGCvmhjS1Fy4 VHio/UdVhGHs2OG3X3T8MVCSO6DFvnRZKfoqliax6kpj2nkMLVJ3edfoe HjO0cbOWpnUIyCrGISMYpmGIAZRzFEVI1MLIQExZ78KjX6TlduokSVRrX kHcqLm4BmR89xbRDEyIA/Cd+iOcHauppzrb8GM0xH2zlNi5UgZXN4EbkM g==;
IronPort-PHdr: 9a23:wliFLxXPqlLfs9zTD3M692sAhgXV8LGtZVwlr6E/grcLSJyIuqrYbB2Ot8tkgFKBZ4jH8fUM07OQ7/i+HzRYqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba9zIRmssQndqtQdjJd/JKo21hbHuGZDdf5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXMTRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KpwVhTmlDkIOCI48GHPi8x/kqRboA66pxdix4LYeZyZOOZicq/Ye94RWGhPUdtLVyFZAIy8YZUBAOUcM+hfrIfzp1UAowOiCgS3Huzj1iVFi2Xs0KEmzegsFxzN0gw6H9IJtXTZtMn4O7wSUeC0zqnH1zPDZO5L1Df98ofIbgwhruuQUrJwa8XR00kuFgPfgV6NroHqJSia1uQMs2iZ9eVgU/ijhHUnqw5rvjiv2t0jhZXJho0P0FDF9SV4z5wuKN2kVEF7esSoH4dXtyGfLoZ7RN4pTW9vuCY/0LIGuJi7cTALyJs52x7fZeaLc4+S4hLsTOqRPSt3hGl/dL2jgBay9E6twfD/WMmsyFtGsyhInsfWunwQ1BHf8NaLR/Vn8kqu3zuEyhrd5fteIU8ukKrWM5shwrktmZUNqUnDBSr2mFnujK+Ra0Uk5vCk6+T5bbXioZ+RL4x6hBn7PKo3nMKxHPg1PA4AUWad4+qy06Pt8FHkTLlSj/02lLfWsIzCKMgGpKO1HRVZ3psg5hqlETur3s4UkHYfIFJAYh2HjozpO1/UIPD/CPeym06jnyxrx/DHPL3uGJPNImLYn7fhZ7l991JcxxAvwtBf/Z1UELEAIfLpVULqqNzXEgQ5PxaozObgDdVxzpkeVn6XAq+FLKPStkeF6fgzI+mIfoAVoy3wK/k76P7yg381g1gdfbOm3ZEPcnC3AuxmI1mFYXrrmtoBEn0FsRcjTOzpk1CCVD9TZ2qoU60i+z47FdHuMYCWbI2rgrWE3SHzPZRae2MOXlOFHWrrX4CFR7EBZD/EceF7lTlRfLKhSo0o01mEtAbm17NsLuPO6zwR/cbq3th05eTV0xsy/CBoBs+d2nucXmhcgmgTATQx2fYs8gRG1l6f3P0g0LRjHttJ6qYMC19iOA==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2CSAACn3khb/wQXEqxcDgwBAQEBAQIBAQEBCAEBAQGDG4ERgSeLf45ElTkUgWYuhEkCgnA0GAECAQECAQECAYEIDII1JAGCXAEBAQEDZwQOEAsHBgQDAQIBJwdGCQgGCwgbgwUBgg6oRQEBAYIahFyFYIY+gQaBIT53foERgxGDGQEBA4EhFQsGBjCDDgSCJAKHaYVYhDCHawcCgXCEGopgjCKHfYI8iRyCCnCDOQmFeIUUhQRCZ4l8gkgBAQ
X-IPAS-Result: A2CSAACn3khb/wQXEqxcDgwBAQEBAQIBAQEBCAEBAQGDG4ERgSeLf45ElTkUgWYuhEkCgnA0GAECAQECAQECAYEIDII1JAGCXAEBAQEDZwQOEAsHBgQDAQIBJwdGCQgGCwgbgwUBgg6oRQEBAYIahFyFYIY+gQaBIT53foERgxGDGQEBA4EhFQsGBjCDDgSCJAKHaYVYhDCHawcCgXCEGopgjCKHfYI8iRyCCnCDOQmFeIUUhQRCZ4l8gkgBAQ
X-IronPort-AV: E=Sophos;i="5.51,348,1526322600"; d="scan'208";a="10625751"
In-Reply-To: <20180626034623.GA79565@kduck.kaduk.org>
References: <20180622194221.Horde.S372V87Px9x-QO2U9y-zhA7@webmail.um.es> <VI1PR0801MB2112385E74223CC722B0E2A1FA7B0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <OF2AB8BDA9.34065D36-ON652582B1.00498E9D-652582B1.00498EA3@tcs.com> <ee2be3a1-77ba-f471-a7a4-cecff6472d65@tik.ee.ethz.ch> <VI1PR0801MB211255800C10B61A4830FD57FA760@VI1PR0801MB2112.eurprd08.prod.outlook.com> <OFC193300F.99706FBD-ON652582B4.006C82A6-652582B4.006CE18C@tcs.com> <20180626034623.GA79565@kduck.kaduk.org>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: atlas@ietf.org
MIME-Version: 1.0
X-KeepSent: DBD80394:BB4ED206-652582C9:005A8DBC; type=4; name=$KeepSent
X-Mailer: IBM Notes Release 9.0 March 08, 2013
Message-ID: <OFDBD80394.BB4ED206-ON652582C9.005A8DBC-652582C9.005F1FB3@tcs.com>
From: Abhijan Bhattacharyya <abhijan.bhattacharyya@tcs.com>
Date: Fri, 13 Jul 2018 22:49:00 +0530
X-MIMETrack: Serialize by Router on InKolM02/TCS(Release 9.0.1FP10HF213 | April 26, 2018) at 07/13/2018 22:49:02, Serialize complete at 07/13/2018 22:49:02
Content-Type: multipart/alternative; boundary="=_alternative 005F1FB2652582C9_="
Archived-At: <https://mailarchive.ietf.org/arch/msg/atlas/P2fdq71OsJtAXsXxSlQ_ZN6jHU8>
Subject: Re: [Atlas] Status Update
X-BeenThere: atlas@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Application Transport LAyer Security <atlas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/atlas>, <mailto:atlas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/atlas/>
List-Post: <mailto:atlas@ietf.org>
List-Help: <mailto:atlas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/atlas>, <mailto:atlas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 17:19:14 -0000
Hi Ben, Thanks for your valuable comment. It helps further analysis. There is a little difference in the intended purpose of this draft than N-S scheme (and subsequently Kerberos). In this draft we considered a situation where there is no 3rd entity in the form of Trusted Agent (TA). We assumed that the client is constrained with limited processing power and memory. The server is relatively powerful (at least enough to generate session-key pairs for multiple clients). Here we tried to stick to the philosophy of DTLS handshake (of course TLS 1.3 was not place when we proposed it) and tried to establish a secure session (both mutual authentication as well as key-pair distribution for channel security) mechanism which 1) would be more lightweigh in terms of communication cost, 2) would have higher success rate of session-establishment in case of lossy channel and 3) would not be less vulnerable than DTLS. All the encrypted exchanges are done through standard AES-128-CCM-8. So in this case the intention was to distribute the key-pair tuple from the server itself without burdening the constrained client. The IV generation is localized as in DTLS channel encryption. So, unlike Kerberos, the server (which is Bob to follow the standard crypto nomenclature) itself is the key generator and distributor. The session is not dependent on a single key but on a 2-tuple (server-write, client-write) to match the channel encryption parameter set required for re-using the underlying channel security of DTLS. So in this case there no distribution of tickets. The authentication is done by challenge / response through the server-rand and client-rand. So, from Fig. 2 of the draft, Server is able to authenticate the client in the 3rd flight and the client counter authenticates the server. Probably this way chosen-cipher text and known-session-key attacks can be prevented to ensure that an intruder is not able to fool the client. Reuse of the channel encryption mechanism of DTLS ensures protection from replay-attack. Note: The AES_128_CCM_8. CCM algo needs 12 bit nonce for each encryption and an additional data.'hello_rand', 'server_rand' and 'client_rand' serves as the required nonce values in steps 2, 3 and 4 respectively. The 'additional data' can be the header for each message of CoAP. Regarding the issue of freshness: Since there is no third-party ticket involved, so freshness of the ticket is not considered. But the draft speaks about session time out and resumption mechanism. Though the details are left TBD. However, so-far as the freshness of the individual handshakes during key determination and exchange is concerned, just wondering whether a clever use of the MAX_AGE option can provide a frugal solution since we are anyway using the RESTful semantics of CoAP. There are many things to improve in the draft and surely a detail attack-model based analysis from an expert would be helpful. Further things can be worked on provided there are forward moving activities in IETF regarding the concerned problem space. Thank you. With Best Regards Abhijan Bhattacharyya Associate Consultant Scientist, TCS Research Tata Consultancy Services Building 1B,Ecospace Plot - IIF/12 ,New Town, Rajarhat, Kolkata - 700160,West Bengal India Ph:- 033 66884691 Cell:- +919830468972 Mailto: abhijan.bhattacharyya@tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ From: Benjamin Kaduk <kaduk@mit.edu> To: Abhijan Bhattacharyya <abhijan.bhattacharyya@tcs.com> Cc: DAN GARCIA CARRILLO <dan.garcia@um.es>, atlas@ietf.org, SARA NIEVES MATHEU GARCIA <saranieves.matheu@um.es>, RAFAEL MARIN <rafa@um.es> Date: 06/26/2018 09:16 AM Subject: Re: [Atlas] Status Update On Sat, Jun 23, 2018 at 01:19:16AM +0530, Abhijan Bhattacharyya wrote: > +1 Dan. > The draft https://tools.ietf.org/html/draft-bhattacharyya-dice-less-on-coap-01 also proposes how the session initiation part of DTLS can be switched to CoAP to optimise the resource usage during session establishment by leveraging the lightweight semantics of CoAP. Also, to accomplish the stated objective of establishing end-to-end security association in a secure manner and managed at the application itself. The draft also tries to be less disruptive to existing DTLS implementations by defining an adaptation layer that ensures channel security by allowing the reuse of the existing DTLS record-layer encryption through the session key tuple from the CoAP layer. Of course there can be several other ways to accomplish this than what has been described in the draft. There seems to be some "novel crypto" in here; it would be good to build on standard blocks like Needham-Schroeder (e.g., as realized in Kerberos), to make sure all the needed key confirmation and freshness properties are realized. The best freshness properties tend to occur when one endpoint proposes a subsession key that must be confirmed by the other, which then produces its own sub-subsession key that is likewise confirmed by the original party. It's best if there is contributory behavior for the keys as opposed to just encrypting sub-keys in the previous key, though that does tend to involve more hashing which induces cost. -Ben =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you
- Re: [Atlas] Status Update Hannes Tschofenig
- Re: [Atlas] Status Update Hannes Tschofenig
- Re: [Atlas] Status Update Benjamin Kaduk
- Re: [Atlas] Status Update Mirja Kühlewind
- Re: [Atlas] Status Update Abhijan Bhattacharyya
- Re: [Atlas] Status Update Hannes Tschofenig
- Re: [Atlas] Status Update Mirja Kühlewind
- Re: [Atlas] Status Update Mirja Kühlewind
- Re: [Atlas] Status Update Abhijan Bhattacharyya
- Re: [Atlas] Status Update DAN GARCIA CARRILLO
- Re: [Atlas] Status Update Martin Thomson
- [Atlas] Status Update Hannes Tschofenig
- Re: [Atlas] Status Update Russ Housley
- Re: [Atlas] Status Update Dan García Carrillo
- Re: [Atlas] Status Update Abhijan Bhattacharyya
- Re: [Atlas] Status Update Abhijan Bhattacharyya