IETF Logo Mail Archive

Re: [core] Missing must in the Group OSCORE document

Marco Tiloca <marco.tiloca@ri.se> Tue, 04 August 2020 08:09 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2AB93A0C20 for <core@ietfa.amsl.com>; Tue, 4 Aug 2020 01:09:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.149
X-Spam-Level:
X-Spam-Status: No, score=-1.149 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.949, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QeUPW-ehvZB4 for <core@ietfa.amsl.com>; Tue, 4 Aug 2020 01:09:00 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80058.outbound.protection.outlook.com [40.107.8.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8577C3A0C18 for <core@ietf.org>; Tue, 4 Aug 2020 01:09:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bkUTuPUdd841Y4Df13oOHPZiFoQzePfbDHtYDFsmZRh0HRzXiB7AP2QtnARNEbzU7XNcNp7soJTrVKNt95i8oM80SXoRJ67mAgZ/TNVedgkiKQzyuqHwm10pvEHKNYFKdJYnP9qmf1PlhAgOt9vnaHGeR7HH9kVzvFi74UHbGMZXJCKodE4pSPUTXqRCyDe86Go0xTVc49ESLWdcUNNaFab1NtQk+f70/YROvhxnMOMC2GRlHSxhCI3nr9Fxp1YvK1Yd5u4N7U12kd2Jj9seHwQKg4PauWxTj4Zl85XKv7Exdkt7dl6M+NietzZ187hjiCXeOw4X7eLcZ4/qKFMW2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3GpoE1eVeassuf9pOthhnf7DFLsVhhOvF1EcVR+6zK0=; b=hlSEjZ4RAhosO8wTwxgzIRRuMXdtQPe5ezG67GTvG6l02eyOkt4h8jIs+A6LWw8FNVox0xjV2j64KaW9f0fVi+lIHbEG2m/FUMNMpCOaz+D67n4KySJ75LSeLctYCxygj4I2n8QPTQySEMA2XMRz9l1S8Xp0HhJvRrGApJBu9VYLK+JCssgsN4lK6VifqEbwXZ6KFNuYDEn/F73JuarO6ncnD6CpVak4nNvdue7xUcUNCmk/RgLg21zbA3zJEKKdhsCwsndmOzLpH7l9KcznCu+nQAJLAKVC8gYF7ZE5e6XWrSBL4CssoaJh1/rBn0YrDnx5QJwoh1U1ETJQffjNKw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3GpoE1eVeassuf9pOthhnf7DFLsVhhOvF1EcVR+6zK0=; b=ZtgwVPbtWemlK/81KGHXGtD7i/5RULcNyJkeVPitTuxW34xOXJHjLBwvpwdykcIkqsLfNn6kXiG0haYflM2mRwAqFheuHuiKf8MYwFXt6fwKmd9js2JIsfiYoYgEFyhKzYRrJB5GjhoYeAKpF128aLYUSKMOXuC0ccezALqxS7c=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ri.se;
Received: from VI1P189MB0398.EURP189.PROD.OUTLOOK.COM (2603:10a6:802:35::31) by VI1P18901MB0095.EURP189.PROD.OUTLOOK.COM (2603:10a6:801:10::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.19; Tue, 4 Aug 2020 08:08:57 +0000
Received: from VI1P189MB0398.EURP189.PROD.OUTLOOK.COM ([fe80::2124:eed3:60cd:95a2]) by VI1P189MB0398.EURP189.PROD.OUTLOOK.COM ([fe80::2124:eed3:60cd:95a2%6]) with mapi id 15.20.3239.021; Tue, 4 Aug 2020 08:08:57 +0000
To: Jim Schaad <ietf@augustcellars.com>, 'Christian Amsüss' <christian@amsuess.com>, 'Francesca Palombini' <francesca.palombini@ericsson.com>
Cc: core@ietf.org
References: <04a301d66839$83672d50$8a3587f0$@augustcellars.com>
From: Marco Tiloca <marco.tiloca@ri.se>
Autocrypt: addr=marco.tiloca@ri.se; prefer-encrypt=mutual; keydata= mQENBFSNeRUBCAC44iazWzj/PE3TiAlBsaWna0JbdIAJFHB8PLrqthI0ZG7GnCLNR8ZhDz6Z aRDPC4FR3UcMhPgZpJIqa6Zi8yWYCqF7A7QhT7E1WdQR1G0+6xUEd0ZD+QBdf29pQadrVZAt 0G4CkUnq5H+Sm05aw2Cpv3JfsATVaemWmujnMTvZ3dFudCGNdsY6kPSVzMRyedX7ArLXyF+0 Kh1T4WUW6NHfEWltnzkcqRhn2NcZtADsxWrMBgZXkLE/dP67SnyFjWYpz7aNpxxA+mb5WBT+ NrSetJlljT0QOXrXMGh98GLfNnLAl6gJryE6MZazN5oxkJgkAep8SevFXzglj7CAsh4PABEB AAG0Nk1hcmNvIFRpbG9jYSAobWFyY28udGlsb2NhQHJpLnNlKSA8bWFyY28udGlsb2NhQHJp LnNlPokBNwQTAQgAIQUCWkAnkAIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDuJmS0 DljaQwEvCACJKPJIPGH0oGnLJY4G1I2DgNiyVKt1H4kkc/eT8Bz9OSbAxgZo3Jky382e4Dba ayWrQRFen0aLSFuzbU4BX4O/YRSaIqUO3KwUNO1iTC65OHz0XirGohPUOsc0SEMtpm+4zfYG 7G8p35MK0h9gpwgGMG0j0mZX4RDjuywC88i1VxCwMWGaZRlUrPXkC3nqDDRcPtuEGpncWhAV Qt2ZqeyITv9KCUmDntmXLPe6vEXtOfI9Z3HeqeI8OkGwXpotVobgLa/mVmFj6EALDzj7HC2u tfgxECBJddmcDInrvGgTkZtXEVbyLQuiK20lJmYnmPWN8DXaVVaQ4XP/lXUrzoEzuQENBFSN eRUBCACWmp+k6LkY4/ey7eA7umYVc22iyVqAEXmywDYzEjewYwRcjTrH/Nx1EqwjIDuW+BBE oMLRZOHCgmjo6HRmWIutcYVCt9ieokultkor9BBoQVPiI+Tp51Op02ifkGcrEQNZi7q3fmOt hFZwZ6NJnUbA2bycaKZ8oClvDCQj6AjEydBPnS73UaEoDsqsGVjZwChfOMg5OyFm90QjpIw8 m0uDVcCzKKfxq3T/z7tyRgucIUe84EzBuuJBESEjK/hF0nR2LDh1ShD29FWrFZSNVVCVu1UY ZLAayf8oKKHHpM+whfjEYO4XsDpV4zQ15A+D15HRiHR6Adf4PDtPM1DCwggjABEBAAGJAR8E GAECAAkFAlSNeRUCGwwACgkQ7iZktA5Y2kPGEwf/WNjTy3z74vLmHycVsFXXoQ8W1+858mRy Ad0a8JYzY3xB7CVtqI3Hy894Qcw4H6G799A1OL9B1EeA8Yj3aOz0NbUyf5GW+iotr3h8+KIC OYZ34/BQaOLzdvDNmRoGHn+NeTzhF7eSeiPKi2jex+NVodhjOVGXw8EhYGkeZLvynHEboiLM 4TbyPbVR9HsdVqKGVTDxKSE3namo3kvtY6syRFIiUz5WzJfYAuqbt6m3TxDEb8sA9pzaLuhm fnJRc12H5NVZEZmE/EkJFTlkP4wnZyOSf/r2/Vd0iHauBwv57cpY6HFFMe7rvK4s7ME5zctO Ely5C6NCu1ZaNtdUuqDSPA==
Message-ID: <29181983-83ab-e7fa-0049-5b11df700a55@ri.se>
Date: Tue, 04 Aug 2020 10:08:44 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
In-Reply-To: <04a301d66839$83672d50$8a3587f0$@augustcellars.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="KrV6oh1aYKstRxxpi0P0Hzya2mXzZwlXE"
X-ClientProxiedBy: HE1PR0202CA0044.eurprd02.prod.outlook.com (2603:10a6:3:e4::30) To VI1P189MB0398.EURP189.PROD.OUTLOOK.COM (2603:10a6:802:35::31)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [10.8.0.8] (45.83.91.212) by HE1PR0202CA0044.eurprd02.prod.outlook.com (2603:10a6:3:e4::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.16 via Frontend Transport; Tue, 4 Aug 2020 08:08:57 +0000
X-Originating-IP: [45.83.91.212]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: b1bf4aca-a303-40a0-9b7b-08d8384da342
X-MS-TrafficTypeDiagnostic: VI1P18901MB0095:
X-Microsoft-Antispam-PRVS: <VI1P18901MB00954928E2F5A6920ACC7F34994A0@VI1P18901MB0095.EURP189.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: jgkwRqLcQzGTC24aAviJxMmn7bUQ96MlTRJCuyQ0EznhmiTwSY+7OXW8Le9Lc74vh2YOsn6CYz7VNp7BsMqjF7PGI0PyJf2dninXoFBd9o3UnD3M6ukeoxR0TzFkO4z3m+yVHpizEN86l9QRAheddcah845onr9QIQeR144fut/RQ/XwX4qdtsBZpaeQw3dM1uAQiSOcgk9RCjRbG1UO5G0/qfrH5TdUBlX7JyTedvfoqhr3uoMM/2AT69ODrvEZSNiRNgrcuf+acb66xX6OdDcLD9LzXzxtVxO1q9MMAODCG/80ocZDb3nUZ2LWN/rTXTVf6oY/gnIoBTiJw54kV/9uJbMck780n/lhvp7+beNna7v6tUWPWvVLz8qBB5rax4YaMqVLODnfLXX1bH4qdvHV63X9ioCRFHMWcBSJYoxnCF6zweLA3WxZSeBdLRuJC4ZXrmrMlwGVQdeRLkO9qA==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1P189MB0398.EURP189.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(366004)(39850400004)(376002)(396003)(136003)(36756003)(52116002)(26005)(5660300002)(66476007)(16576012)(44832011)(31686004)(2906002)(33964004)(186003)(53546011)(2616005)(16526019)(21480400003)(956004)(110136005)(83380400001)(478600001)(66574015)(31696002)(966005)(66556008)(66946007)(86362001)(6666004)(8676002)(8936002)(316002)(235185007)(4326008)(6486002)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: FXHKj4ept92EA/SFHAh1tMfoTqN6ZFAovEmy6/R9n2L+wOWrArR9c/jmAPNnHrPWSFPVgtTrN6AcTG8P0ID+0E6Qx8wIsOYosdXqgRl/4ttPoQBr1bojAuon5dpZqwF7M76MFxFwvLuyplC9la3qnhonwfH8F6kcJnLYJq42qRIcIkSF8U2Lomdx1NVv4HXN8/zY9B1532JZppEKoMYe3hTm+VHaLEimSQ1Vo0W4R8xEb8xM+viyQnvkbEAn5ueRB+1pa1E6qj2fOThh24LpcZiWl74BaaGnm/L+c8OdGdqWrEYLitrsL9uFWjyq1w0lSWTPueOhpCSzZAiuSqMRfZb1lS5B/bhwJEKvXjKt77OfkMkEqVUkx4tCkbZXdzYqrNkrdXzWmAW9zgeaWMXwM3uw7d1pXP2FtQej4zjkCkuTVhF6cdPRGddk1kQC8w0NRlc2hYjAAHe+7h+itYlGvX7xGZySt/7r3zpLUPllFqFi/YjHylEMjxIu/9TK2/bVNyncy1cQf15gt3XNZcrHUOYXED+LrMf/sTJCo1AIt7JttzOXEkZ+6yNS7h62fONFO5eVL0ZXaTQWzFBBsWu5ToUVXCA9P+XaVTBht2KPlcU5H3ZoP9S+KO/AC0/lFCCrS0JXrP4O6UVHpNqI/jlUzQ==
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: b1bf4aca-a303-40a0-9b7b-08d8384da342
X-MS-Exchange-CrossTenant-AuthSource: VI1P189MB0398.EURP189.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Aug 2020 08:08:57.7162 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: KhhGrJDd3MY2Bw/zVCiPVN8WHjHDItfXjFZzhNBiDwLPITE6cGxMQxZWdvfRmRLVu0G+xOgkGxeKCCzrOhzFNw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1P18901MB0095
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/47Y79azLbfoEpEqPyfCJ8w7uokM>
Subject: Re: [core] Missing must in the Group OSCORE document
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 08:09:05 -0000

Hi Jim,

On 2020-08-01 21:25, Jim Schaad wrote:
> Christian,
>
>  I have been thinking about the problem case of having a duplicate IV reuse
> in the case where I suggested that we use separate IV spaces for the group
> and pairwise keying materials.  I agree that this is a problem, however the
> problem is greater than what you outlined.  This is going to be a situation
> that will arise anytime that the request comes in under one security context
> and the response goes out under a different security context.  In this
> situation you will always have the problem that a reflected IV value from
> context 1 will lead to a potential IV reuse in context 2.
>
> Missing requirement in the document:
>
> A server MUST use a PIV value from it's own sender context when ever it
> would normally use a reflected IV, but the security context for the request
> and response are not the same.

==>MT
I guess here "different security context" means "different protection
mode" - hence different PIV space - regardless a possible group rekeying
happening. Correct?

This seems to confirm the issue (1) raised in slide 9 of [1]. So this
MUST-requirement would be needed if the two different PIV spaces are
introduced.

Just to clarify, do you think that the requirement is needed also in the
current document with only one PIV space?

Thanks,
/Marco

[1]
https://www.ietf.org/proceedings/108/slides/slides-108-core-sessa-group-oscore-00
<==

>
> Jim
>
>

-- 
Marco Tiloca
Ph.D., Senior Researcher

RISE Research Institutes of Sweden
Division ICT
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

Phone: +46 (0)70 60 46 501
https://www.ri.se

v2.23.0 | Report a Bug | By Email