IETF Logo Mail Archive

Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-stateless-06: (with DISCUSS and COMMENT)

Klaus Hartke <hartke@projectcool.de> Wed, 29 April 2020 11:11 UTC

Return-Path: <hartke@projectcool.de>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EB373A0C8B; Wed, 29 Apr 2020 04:11:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MpU4DWUVA0FF; Wed, 29 Apr 2020 04:11:32 -0700 (PDT)
Received: from wp382.webpack.hosteurope.de (wp382.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8597::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3A183A0C88; Wed, 29 Apr 2020 04:11:31 -0700 (PDT)
Received: from mail-qt1-f175.google.com ([209.85.160.175]); authenticated by wp382.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) id 1jTkch-0001Xj-FW; Wed, 29 Apr 2020 13:11:27 +0200
Received: by mail-qt1-f175.google.com with SMTP id t20so1394243qtq.13; Wed, 29 Apr 2020 04:11:27 -0700 (PDT)
X-Gm-Message-State: AGi0PuZj6nojj0mCDbhIRWSPcOH8eErnMVUaZFxOjpwReZv4qLTGAORJ jYO00d20rF81/AO4pAzB4tCKDALC+vlRpaxeSZ8=
X-Google-Smtp-Source: APiQypLQ+5IQvJ6qlQHa73XyZIIqNl0LdUz/lGQvF0qI3VB3HDOjb2HGAFTVUNe0sN/fX6CNXl5j9SSA9jjjRpnIOlU=
X-Received: by 2002:ac8:358c:: with SMTP id k12mr34309844qtb.38.1588158686104; Wed, 29 Apr 2020 04:11:26 -0700 (PDT)
MIME-Version: 1.0
References: <158741679923.20291.1071401061463555301@ietfa.amsl.com>
In-Reply-To: <158741679923.20291.1071401061463555301@ietfa.amsl.com>
From: Klaus Hartke <hartke@projectcool.de>
Date: Wed, 29 Apr 2020 13:11:04 +0200
X-Gmail-Original-Message-ID: <CAAzbHvaTq39XG6aY0hsGociCTYYT7VwjPtrKw8KN1sOA30rYDw@mail.gmail.com>
Message-ID: <CAAzbHvaTq39XG6aY0hsGociCTYYT7VwjPtrKw8KN1sOA30rYDw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, core-chairs@ietf.org, draft-ietf-core-stateless@ietf.org, "core@ietf.org WG" <core@ietf.org>
Content-Type: text/plain; charset="UTF-8"
X-bounce-key: webpack.hosteurope.de; hartke@projectcool.de; 1588158692; 32b131e4;
X-HE-SMSGID: 1jTkch-0001Xj-FW
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/FHVo4q5Lp8m6Ftj9dnTXX1gPXek>
Subject: Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-stateless-06: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 11:11:35 -0000

Hi Ben,

here's the next batch. Please see inline below.

Best regards,
Klaus


Benjamin Kaduk wrote:
> Section 3.1
>
>    o  A client SHOULD integrity protect the state information serialized
>       in a token, unless processing a response does not modify state or
>       cause any other significant side effects.
>
> If the intent is that the "does not modify state" clause is the only case
> when one would disregard the need for integrity protection, "MUST [...]
> unless" seems more appropriate.  (I would prefer unconditional MUST and am
> not sure I understand the cases where there is a need to skip integrity
> protection.)

The intent here is that a client must do integrity protection, but
there may exist valid reasons in particular circumstances to ignore
this requirement. In this case, the full implications must be
understood and carefully weighed.

All of the circumstances that come to my mind here are those where a
modified token doesn't actually hurt. For example, if a client sends a
request to some server at regular intervals, it might only be
interested in whether the response has an error or success code and
not even deserialise the token.

What's the best way to capture this?

>    o  Even when the serialized state is integrity protected, an attacker
>       may still replay a response, making the client believe it sent the
>       same request twice.  For this reason, the client SHOULD implement
>
> (Basically the same comments about "SHOULD".)

See above.

This section is about protecting the serialized state, but of course
the requests and responses need to be protected as a whole as well
(e.g., using DTLS or OSCORE). In some circumstances, receiving a
replayed token might not hurt if the client can verify that the
response is coming from the right server.

>       cause other any significant side effects.  For replay protection,
>       integrity protection is REQUIRED.
>
> I'm not entirely sure if the normative keyword is needed for effect, here;
> it's simply a fact that replay protection is impossible in the absence of
> integrity protection, isn't it?

Right. The intention here was to turn the "SHOULD integrity protect
the state information" from above into a "MUST". But I can lowercase
the "REQUIRED" or remove the sentence.

>    o  If processing a response without keeping request state is
>       sensitive to the time elapsed since sending the request, then the
>       serialized state SHOULD include freshness information (e.g., a
>       timestamp).
>
> Continuing the theme, this seems like a conditional MUST (not SHOULD).
> Actually, all the rest of the SHOULDs in this section do.

See above.

> This particular one should also note that the response processing needs to
> actually check the timestamp and reject ones that are insufficiently fresh.

I've made the following change (ignoring the SHOULD/MUST discussion):

OLD:

    If processing a response without keeping request state is
    sensitive to the time elapsed since sending the request,
    then the serialized state SHOULD include freshness
    information (e.g., a timestamp).

NEW:

    If processing a response without keeping request state is
    sensitive to the time elapsed since sending the request, then the
    client SHOULD include freshness information (e.g., a timestamp) in
    the serialized state and reject any response where the freshness
    information is insufficiently fresh.

> Also, integrity protection is again required for this to work.

Right. I think I'll remove the sentence "For replay protection,
integrity protection is REQUIRED." from above so that I don't have to
repeat it for every item. I think it's quite obvious.

> Section 5.2
>
>    The use of encryption, integrity protection, and replay protection of
>    serialized state is recommended, unless a careful analysis of any
>    potential attacks to security and privacy is performed.  [...]
>
> I suggest an alternative wording:
>
> % It is generally expected that the use of encryption, integrity protection,
> % and replay protection for serialized state is appropriate.  However, a
> % careful analysis of any potential attacks to the security and privacy
> % properties of the system might reveal that there are cases where such
> % cryptographic protections do not add value in a specific case.

Sounds good. Thanks!

v2.23.0 | Report a Bug | By Email