Re: [core] integrity protection for trial-and-error determine of token length
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 01 October 2020 19:17 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D2DA3A0E60 for <core@ietfa.amsl.com>; Thu, 1 Oct 2020 12:17:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CFYoOgd5EHOP for <core@ietfa.amsl.com>; Thu, 1 Oct 2020 12:17:14 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0364E3A0E5E for <core@ietf.org>; Thu, 1 Oct 2020 12:17:13 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 0B74238A13 for <core@ietf.org>; Thu, 1 Oct 2020 15:22:14 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id UpfJCy7llKUH for <core@ietf.org>; Thu, 1 Oct 2020 15:22:10 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 00F4C38A0E for <core@ietf.org>; Thu, 1 Oct 2020 15:22:10 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id A9E26CF4 for <core@ietf.org>; Thu, 1 Oct 2020 15:17:08 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
to: core@ietf.org
In-Reply-To: <17803.1601577368@localhost>
References: <30317.1601403281@localhost> <99764840-E759-40AF-A80D-1E5F4984C334@tzi.org> <17803.1601577368@localhost>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 01 Oct 2020 15:17:08 -0400
Message-ID: <27172.1601579828@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/7UVEPOJWEUrdpraLDfog7wc_FuQ>
Subject: Re: [core] integrity protection for trial-and-error determine of token length
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Oct 2020 19:17:16 -0000
> #5 lack of integrity protection results in spoofed responses
> https://github.com/core-wg/stateless/issues/5
bk> Also, when integrity protection is not in use, the client is susceptible
bk> to spoofed responses that had no corresponding request -- only a very
bk> limited subset of request/response pairs are safe to convert to
bk> "unauthenticated server push", as that would effectivley do, and we
bk> should probably mention that explicitly.
This is, I think, not about the responses to the trial-and-error, but about
fake/spoofed replies to queries that the client makes that have a token.
I'm not sure how stateless is intended to interact with OBSERVE, which I
think that this is about. Have I understood this part?
bk> I'd also suggest noting that a self-encrypted state token bears
bk> significant resemblance to a TLS self-encrypted session ticket, and
bk> reference the RFC 5077 security considerations. (Yes, I know that RFC
bk> 8446 Obsoletes RFC 5077; it would be an informational reference only.)
It's certainly similar in that it is a self-encrypted thing in which state is
placed. I don't think that a reference to RFC5077 will be helpful here, but
I can look for a good place to insert this if desired.
bk> This could also lead to some discussion about having in general an
bk> appropriate amount of sanity checks on the returned token that may or may
bk> not reflect serialized state, to limit the scope of various attacks even
bk> in the absence of cryptographic protections.
I think that an appropriate thing is to caution against using state tokens
that do not have integrity protection. I think that we try to do this in
5.2, but maybe we do in text too cryptic:
5.2. Stateless Clients and Intermediaries
...
It is generally expected that the use of encryption, integrity
protection, and replay protection for serialized state is
appropriate. In the absence of integrity and reply protection, an
on-path attacker or rogue server/intermediary could return a state
(either one modified in a reply, or an unsolicited one) that could
alter the internal state of the client. However, a careful analysis
of any potential attacks to the security and privacy properties of
the system might reveal that there are cases where such cryptographic
protections do not add value in a specific case.
https://github.com/core-wg/stateless/pull/13
diff --git a/draft-ietf-core-stateless.xml b/draft-ietf-core-stateless.xml
index aa44479..748ef21 100644
--- a/draft-ietf-core-stateless.xml
+++ b/draft-ietf-core-stateless.xml
@@ -856,10 +856,15 @@
in a reply, or an unsolicited one) that could alter the internal state
of the client.
- However, a careful analysis of any potential attacks to the security
- and privacy properties of the system might reveal that there are cases
- where such cryptographic protections do not add value in a specific
- case.
+ It is this reason that at least the use of integrity protection on
+ the token is always recommended.
+ </t>
+
+ <t>
+ It maybe that in some very specific case, as a result of a careful
+ and detailed analysis of any potential attacks, that there may be cases
+ where such cryptographic protections do not add value. The authors
+ of this document have not found such a use case as yet.
</t>
<t>
--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
- [core] issues for stateless AD review Michael Richardson
- Re: [core] issues for stateless AD review Carsten Bormann
- Re: [core] issues for stateless AD review Michael Richardson
- Re: [core] issues for stateless AD review Carsten Bormann
- Re: [core] issues for stateless AD review Michael Richardson
- [core] stateless issue #10 -- 60 minutes Michael Richardson
- [core] integrity protection for trial-and-error d… Michael Richardson
- Re: [core] integrity protection for trial-and-err… Michael Richardson
- Re: [core] stateless issue #10 -- 60 minutes Carsten Bormann
- Re: [core] issues for stateless AD review Michael Richardson
- Re: [core] stateless issue #10 -- 60 minutes Michael Richardson
- Re: [core] stateless issue #10 -- 60 minutes Carsten Bormann
- Re: [core] issues for stateless AD review Jaime Jiménez
- Re: [core] issues for stateless AD review Michael Richardson
- Re: [core] issues #8, pull request #11 - fixing t… Michael Richardson
- Re: [core] issues for stateless AD review Michael Richardson
- Re: [core] issues for stateless AD review Carsten Bormann
- Re: [core] issues for stateless AD review Michael Richardson