Re: [core] Eric Rescorla's Discuss on draft-ietf-core-object-security-09: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Thu, 08 March 2018 15:40 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87036127078 for <core@ietfa.amsl.com>; Thu, 8 Mar 2018 07:40:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zQUJ1epJhVqq for <core@ietfa.amsl.com>; Thu, 8 Mar 2018 07:40:03 -0800 (PST)
Received: from mail-qt0-x22b.google.com (mail-qt0-x22b.google.com [IPv6:2607:f8b0:400d:c0d::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1789F124207 for <core@ietf.org>; Thu, 8 Mar 2018 07:39:59 -0800 (PST)
Received: by mail-qt0-x22b.google.com with SMTP id n12so7177141qtl.5 for <core@ietf.org>; Thu, 08 Mar 2018 07:39:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5MpEdLOXzFlTRXBraZI8BUW9j/DC46/lXIbxlLqnr1A=; b=bqJV4siRljFnSwKv4JUERWtQIdeA2bomnw8o5M5aNk2vKT0Mpn8y0iuH5rqFeDP621 jFcFbN2yaCFSurkGfwsv0E7z4dxRZPdN/p+ISZek0K4dB5AUvTwQ2QPMfT164QLylg/6 qbl5UICtKgR95Z5BukMzx1DruV2G/CCK0HK0SUog+jlGzxEygISUgLUjiPLjPcIk9RE3 mwao7YsnpQpVHZgUDdf0m45gfZ8/Mtv3JO8qIxptjuuQerszPBgGN3F7/0lC37/kABoP x1yb/muyd9canVr8pnhjn7UvZTiY1AFJZ6XNTMoMIVyr1k7V6bCIDmN3OeMhrwCEEIM3 zL2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5MpEdLOXzFlTRXBraZI8BUW9j/DC46/lXIbxlLqnr1A=; b=czGG1Mm9qL2RULdc//pWifCumZaPHc68jIjdVJrmo5ztfsduUsbVPO9avf3dnwtJxQ vdxim3OvO6PIU5XBa75+gjtRZcUQA3q37zK8owYnmxqxFFKBYxzhhwwjswxqW0znxJqA pZssxyYxrGqMEd3Rn1TERFlRwt9sTias4VUiBN/cYAtn6o/FTRZzWM5MvkOJVafr7Gfa 7Rv2SzsaFBv5Hn347dNCtG8JnChMQyyYGzBQqfwAGz0di6Wda2QjUhIyCfWo65o+/HzI L7rgrolEB8/GMJo67jlGED5HBRSLCPD32dR2d+wXQLGX5k0SF82Gz6gWL4dLKwvUX3Yr 5myw==
X-Gm-Message-State: AElRT7EGbh5g6lU6tO1o+ak3QBgx3CykTxOkeVzt80SrzDyKgrHJfgUP eXsXbk23dmcFuev5+BF16aBrO5sLS8JjgcNnBtdCLg==
X-Google-Smtp-Source: AG47ELvPlOeT58kEG755FcEnbRHMo6EJ6hzoKgJVdUehijRAEy0IffGRQxSKB1kF5HnahafY5T7rhaqk4vy8sYfekeQ=
X-Received: by 10.200.7.77 with SMTP id k13mr40268806qth.165.1520523598061; Thu, 08 Mar 2018 07:39:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.200.37.176 with HTTP; Thu, 8 Mar 2018 07:39:17 -0800 (PST)
In-Reply-To: <D6C710F5.A15D5%goran.selander@ericsson.com>
References: <152047792293.21279.6463990470584540244.idtracker@ietfa.amsl.com> <D6C70BE1.A15AA%goran.selander@ericsson.com> <CABcZeBP2oTYTMzp-6Fdb=engmwxZBjQ5r7mDcufS0dC4oAgJ=g@mail.gmail.com> <D6C710F5.A15D5%goran.selander@ericsson.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 08 Mar 2018 07:39:17 -0800
Message-ID: <CABcZeBPpHWGua074aFDruvZHrGN3cmVmSpjR0D7CgT9uMbfw9A@mail.gmail.com>
To: Göran Selander <goran.selander@ericsson.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-core-object-security@ietf.org" <draft-ietf-core-object-security@ietf.org>, Carsten Bormann <cabo@tzi.org>, Jaime Jiménez <jaime.jimenez@ericsson.com>, "core-chairs@ietf.org" <core-chairs@ietf.org>, "core@ietf.org" <core@ietf.org>
Content-Type: multipart/alternative; boundary="f403043a8c74ef751d0566e87c6c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/536HOADNCrzw33kg75QegNgBOqw>
Subject: Re: [core] Eric Rescorla's Discuss on draft-ietf-core-object-security-09: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 15:40:06 -0000
On Thu, Mar 8, 2018 at 7:23 AM, Göran Selander <goran.selander@ericsson.com> wrote: > > > From: Eric Rescorla <ekr@rtfm.com> > Date: Thursday 8 March 2018 at 16:06 > To: Göran Selander <goran.selander@ericsson.com> > Cc: The IESG <iesg@ietf.org>, "draft-ietf-core-object-security@ietf.org" < > draft-ietf-core-object-security@ietf.org>, Carsten Bormann <cabo@tzi.org>, > Jaime Jiménez <jaime.jimenez@ericsson.com>, "core-chairs@ietf.org" < > core-chairs@ietf.org>, "core@ietf.org" <core@ietf.org> > Subject: Re: Eric Rescorla's Discuss on draft-ietf-core-object-security-09: > (with DISCUSS and COMMENT) > > > > On Thu, Mar 8, 2018 at 6:59 AM, Göran Selander < > goran.selander@ericsson.com> wrote: > >> Another recurring comment is the impact of a proxy changing certain CoAP >> message fields like e.g. Message ID, Token or Uri-Host. Since CoAP defines >> legitimate proxy operations, these message fields cannot be integrity >> protected end-to-end. Current security solutions either does not allow >> proxy operations or leave all message fields unprotected in the proxy. We >> will try to make this more clear. >> > > The question is what the security impact of these is. > > > Yes, and we will try to address this. But it is a general property of CoAP > when proxies are used. > Yes, but the whole point of this design is to protect to some extent against malicious proxies. A third thing in Eric’s review is the construction of the nonce where the >> ID is included. The reason for this is to handle endpoints switching roles >> (CoAP client <-> CoAP server) which is supported by CoAP, and in >> particular >> group communications with one sender and multiple recipients > > > I don't see how that is relevant, given that you already have key > separation > for the sender key, what separate information is there in the nonce? > > > The sender key is used both in the role of client making a request (with > own partial IV) and in the role of server responding to a request (with the > other endpoint’s partial IV). > This seems extremely hard to analyze. You should just use separate keys. -Ekr > Göran > > > -Ekr > > > >> . While the >> latter is the topic of a separate draft >> (draft-tiloca-core-multicast-oscoap) and the properties in that setting >> is >> out of scope of this draft, we will add more explanation to the security >> design and the unicast security properties in general to this draft. >> >> >> More later. >> >> Göran >> >> >> >> >> On 2018-03-08 03:58, "Eric Rescorla" <ekr@rtfm.com> wrote: >> >> >Eric Rescorla has entered the following ballot position for >> >draft-ietf-core-object-security-09: Discuss >> > >> >When responding, please keep the subject line intact and reply to all >> >email addresses included in the To and CC lines. (Feel free to cut this >> >introductory paragraph, however.) >> > >> > >> >Please refer to https://www.ietf.org/iesg/stat >> ement/discuss-criteria.html >> >for more information about IESG DISCUSS and COMMENT positions. >> > >> > >> >The document, along with other ballot positions, can be found here: >> >https://datatracker.ietf.org/doc/draft-ietf-core-object-security/ >> > >> > >> > >> >---------------------------------------------------------------------- >> >DISCUSS: >> >---------------------------------------------------------------------- >> > >> >https://mozphab-ietf.devsvcdev.mozaws.net/D3075 >> > >> >DISCUSS >> >My overall concern with this document is that I am unable to evaluate >> >the security properties of the system. I have described a number of >> >issues below, but the basic problem is that this sort of partial >> >protection is extremely hard to reason about and the security >> >considerations do not do an adequate job of evaluating the impact of >> >proxies modifying these values. I am similarly concerned about the >> >HTTP mapping and link section which seems extremely sketchy and has >> >essentially no security analysis, and yet potentially have a lot >> >of landmines. >> > >> >At minimum, this document needs to walk through the implications >> >of modifications by the proxy to every unprotected field in >> >the pure CoAP context as well as the HTTP context (if you want >> >to retain that binding). >> > >> > are given in Appendix A. OSCORE does not depend on underlying >> > layers, and can be used anywhere where CoAP or HTTP can be used, >> > including non-IP transports (e.g., [I-D.bormann-6lo-coap-802-15-ie]). >> > >> >IMPORTANT: This document claims to be applicable to protocols other >> >than COAP, in particular HTTP. Has this been reviewed by the HTTP >> >working group? Martin Thomson's review suggests that this is out of >> >step with HTTP practice. >> > >> > IDs MUST be long uniformly random distributed byte strings such that >> > the probability of collisions is negligible. >> > >> >IMPORTANT: I don't understand how this paragraph and the previous >> >paragraph interact. You say that the maximum length is 7 octets in the >> >previous paragraph, which I don't think qualifies as "long". >> > >> > | 1 | If-Match | x | | >> > | 3 | Uri-Host | | x | >> > | 4 | ETag | x | | >> >IMPORTANT: Why do you think that it's not important to have integrity >> >protection for Uri-Host and Uri-port? >> > >> > Outer option message fields (Class U or I) are used to support proxy >> > operations. >> >IMPORTANT: This seems problematic because the proxy cannot verify class I >> >fields. >> > >> > layer only, and not the Messaging Layer (Section 2 of [RFC7252]), so >> > fields such as Type and Message ID are not protected with OSCORE. >> > >> >IMPORTANT: This seems extremely hard to reason about. What are the >> >implications of the proxy being able to change these? >> > >> > o request_piv: contains the value of the 'Partial IV' in the COSE >> > object of the request (see Section 5). >> > >> >IMPORTANT: I think what I am getting here is that the request_piv is >> >used to verify that the request and response match. However, I do not >> >see this explicitly stated anywhere, and it's not clear to me how the >> >client is supposed to recover the request_piv and the text is pretty >> >unclear here? Is the external_aad carried somewhere in the message? Am >> >I supposed to reconstruct it from the message id? >> > >> > For responses, the message binding guarantees that a response is not >> > older than its request. For responses without Observe, this gives >> > >> >IMPORTANT: I am not sure that this is true. What happens of the >> >counterparty lies? What is your threat model? >> > >> > An extension of OSCORE may also be used to protect group >> > communication for CoAP [I-D.tiloca-core-multicast-oscoap]. The use >> > of OSCORE does not affect the URI scheme and OSCORE can therefore be >> > used with any URI scheme defined for CoAP or HTTP. The application >> > decides the conditions for which OSCORE is required. >> > >> >This is pretty surprising to just drop in here. Multicast has totally >> >different >> >security properties from non-multicast. >> > >> > >> >---------------------------------------------------------------------- >> >COMMENT: >> >---------------------------------------------------------------------- >> > >> > >> > >> > but is also able to eavesdrop on, or manipulate any part of the >> > message payload and metadata, in transit between the endpoints. The >> > proxy can also inject, delete, or reorder packets since they are no >> >Nit: you want >> >"eavesdrop on, or manipulate any part of, the message payload and >> >metadata in >> >transit" >> > >> >I.e., move the second comma >> > >> > the endpoints, and those are therefore processed as defined in >> > [RFC7252]. Additionally, since the message formats for CoAP over >> > unreliable transport [RFC7252] and for CoAP over reliable transport >> >Nit: "OSCORE protects neither .... nor...." >> > >> > Salt. Length is determined by the AEAD Algorithm. Its value is >> >> immutable once the security context is established. >> >Nit: you might just say above or below this list that all the values are >> >immutable, >> > >> > different operations. One mechanism enabling this is specified in >> > [I-D.ietf-core-echo-request-tag]. >> >Is this a security condition? >> > >> > of [RFC7252], where the delta is the difference to the previously >> > included class I option. >> >Is the delta here the previously included Class I option or the >> previously >> >included instance of the same option, as it appears to say in S 3.1. >> > >> > compressed COSE object. The values n = 6 and n = 7 are >> > reserved. >> >How can Partial IV not be present? it's the sequence number. Is the >> >answer that >> >it is the 0 value? >> > >> > response. The server therefore needs to store the kid and Partial IV >> > of the request until all responses have been sent. >> >It was my understanding that the kid was needed to look up the key. Why >> >are kid >> >substitution attacks an issue? >> > >> > The maximum Sender Sequence Number is algorithm dependent (see >> > Section 11), and no greater than 2^40 - 1. If the Sender Sequence >> > Number exceeds the maximum, the endpoint MUST NOT process any more >> >If you take my suggestion about removing senderID from the nonce you will >> >be >> >able to relax this. >> > >> > After boot, an endpoint MAY reject to use existing security contexts >> > from before it booted and MAY establish a new security context with >> >Nit: this is ungrammatical >> > >> > included in the message. If the AEAD nonce from the request was >> > used, the Partial IV MUST NOT be included in the message. >> >IMPORTANT: You are now violating the invariant of using the same nonce >> >twice. >> >That's fine in this case, because you have per-sender keys but it >> >demonstrates >> >that it is unnecessary to encode the sender_id in the nonce field. >> > >> > Security level here means that an attacker can recover one of the m >> > keys with complexity 2^(k + n) / m. Protection against such attacks >> > can be provided by increasing the size of the keys or the entropy of >> >This paragraph is extremely hard to follow but I am not persuaded that it >> >is >> >correct. Do you have a citation for the claim that you can add the key >> >entropy >> >and the nonce entropy like this. >> > >> > style of padding means that all values need to be padded. Similar >> > arguments apply to other message fields such as resource names. >> >The PKCS#7 padding scheme at minimum has potential timing channels >> > >> > The server verifies that the Partial IV has not been received before. >> > The client verifies that the response is bound to the request. >> >How does the client verify this >> > >> > Partial IV (in network byte order) with zeroes to exactly nonce >> > length - 6 bytes, >> > >> >IMPORTANT: I don't understand the reason for this construction. You >> >already require that the key be derived via HKDF from the |master key| >> >and |sender ID| therefore, it is not necessarily to separately encode >> >the sender ID in the nonce. This would ordinarily not be a large >> >issue, but as it requires very extreme restrictions on the sender ID >> >(and essentially precludes random sender IDs) I believe it is worth >> >considering changing, but it's ultimately a WG decision, hence not >> >in my discuss. >> > >> > >> >> >
- [core] Eric Rescorla's Discuss on draft-ietf-core… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander