[core] Eric Rescorla's Discuss on draft-ietf-core-object-security-09: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Thu, 08 March 2018 02:58 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: core@ietf.org
Delivered-To: core@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E4FF4120227; Wed, 7 Mar 2018 18:58:42 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Eric Rescorla <ekr@rtfm.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-core-object-security@ietf.org, Carsten Bormann <cabo@tzi.org>, jaime.jimenez@ericsson.com, core-chairs@ietf.org, cabo@tzi.org, core@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.74.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152047792293.21279.6463990470584540244.idtracker@ietfa.amsl.com>
Date: Wed, 07 Mar 2018 18:58:42 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/G-kReTE9Lftg84bdcU_lPluoM_g>
Subject: [core] Eric Rescorla's Discuss on draft-ietf-core-object-security-09: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 02:58:43 -0000
Eric Rescorla has entered the following ballot position for draft-ietf-core-object-security-09: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-core-object-security/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- https://mozphab-ietf.devsvcdev.mozaws.net/D3075 DISCUSS My overall concern with this document is that I am unable to evaluate the security properties of the system. I have described a number of issues below, but the basic problem is that this sort of partial protection is extremely hard to reason about and the security considerations do not do an adequate job of evaluating the impact of proxies modifying these values. I am similarly concerned about the HTTP mapping and link section which seems extremely sketchy and has essentially no security analysis, and yet potentially have a lot of landmines. At minimum, this document needs to walk through the implications of modifications by the proxy to every unprotected field in the pure CoAP context as well as the HTTP context (if you want to retain that binding). are given in Appendix A. OSCORE does not depend on underlying layers, and can be used anywhere where CoAP or HTTP can be used, including non-IP transports (e.g., [I-D.bormann-6lo-coap-802-15-ie]). IMPORTANT: This document claims to be applicable to protocols other than COAP, in particular HTTP. Has this been reviewed by the HTTP working group? Martin Thomson's review suggests that this is out of step with HTTP practice. IDs MUST be long uniformly random distributed byte strings such that the probability of collisions is negligible. IMPORTANT: I don't understand how this paragraph and the previous paragraph interact. You say that the maximum length is 7 octets in the previous paragraph, which I don't think qualifies as "long". | 1 | If-Match | x | | | 3 | Uri-Host | | x | | 4 | ETag | x | | IMPORTANT: Why do you think that it's not important to have integrity protection for Uri-Host and Uri-port? Outer option message fields (Class U or I) are used to support proxy operations. IMPORTANT: This seems problematic because the proxy cannot verify class I fields. layer only, and not the Messaging Layer (Section 2 of [RFC7252]), so fields such as Type and Message ID are not protected with OSCORE. IMPORTANT: This seems extremely hard to reason about. What are the implications of the proxy being able to change these? o request_piv: contains the value of the 'Partial IV' in the COSE object of the request (see Section 5). IMPORTANT: I think what I am getting here is that the request_piv is used to verify that the request and response match. However, I do not see this explicitly stated anywhere, and it's not clear to me how the client is supposed to recover the request_piv and the text is pretty unclear here? Is the external_aad carried somewhere in the message? Am I supposed to reconstruct it from the message id? For responses, the message binding guarantees that a response is not older than its request. For responses without Observe, this gives IMPORTANT: I am not sure that this is true. What happens of the counterparty lies? What is your threat model? An extension of OSCORE may also be used to protect group communication for CoAP [I-D.tiloca-core-multicast-oscoap]. The use of OSCORE does not affect the URI scheme and OSCORE can therefore be used with any URI scheme defined for CoAP or HTTP. The application decides the conditions for which OSCORE is required. This is pretty surprising to just drop in here. Multicast has totally different security properties from non-multicast. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- but is also able to eavesdrop on, or manipulate any part of the message payload and metadata, in transit between the endpoints. The proxy can also inject, delete, or reorder packets since they are no Nit: you want "eavesdrop on, or manipulate any part of, the message payload and metadata in transit" I.e., move the second comma the endpoints, and those are therefore processed as defined in [RFC7252]. Additionally, since the message formats for CoAP over unreliable transport [RFC7252] and for CoAP over reliable transport Nit: "OSCORE protects neither .... nor...." Salt. Length is determined by the AEAD Algorithm. Its value is > immutable once the security context is established. Nit: you might just say above or below this list that all the values are immutable, different operations. One mechanism enabling this is specified in [I-D.ietf-core-echo-request-tag]. Is this a security condition? of [RFC7252], where the delta is the difference to the previously included class I option. Is the delta here the previously included Class I option or the previously included instance of the same option, as it appears to say in S 3.1. compressed COSE object. The values n = 6 and n = 7 are reserved. How can Partial IV not be present? it's the sequence number. Is the answer that it is the 0 value? response. The server therefore needs to store the kid and Partial IV of the request until all responses have been sent. It was my understanding that the kid was needed to look up the key. Why are kid substitution attacks an issue? The maximum Sender Sequence Number is algorithm dependent (see Section 11), and no greater than 2^40 - 1. If the Sender Sequence Number exceeds the maximum, the endpoint MUST NOT process any more If you take my suggestion about removing senderID from the nonce you will be able to relax this. After boot, an endpoint MAY reject to use existing security contexts from before it booted and MAY establish a new security context with Nit: this is ungrammatical included in the message. If the AEAD nonce from the request was used, the Partial IV MUST NOT be included in the message. IMPORTANT: You are now violating the invariant of using the same nonce twice. That's fine in this case, because you have per-sender keys but it demonstrates that it is unnecessary to encode the sender_id in the nonce field. Security level here means that an attacker can recover one of the m keys with complexity 2^(k + n) / m. Protection against such attacks can be provided by increasing the size of the keys or the entropy of This paragraph is extremely hard to follow but I am not persuaded that it is correct. Do you have a citation for the claim that you can add the key entropy and the nonce entropy like this. style of padding means that all values need to be padded. Similar arguments apply to other message fields such as resource names. The PKCS#7 padding scheme at minimum has potential timing channels The server verifies that the Partial IV has not been received before. The client verifies that the response is bound to the request. How does the client verify this Partial IV (in network byte order) with zeroes to exactly nonce length - 6 bytes, IMPORTANT: I don't understand the reason for this construction. You already require that the key be derived via HKDF from the |master key| and |sender ID| therefore, it is not necessarily to separately encode the sender ID in the nonce. This would ordinarily not be a large issue, but as it requires very extreme restrictions on the sender ID (and essentially precludes random sender IDs) I believe it is worth considering changing, but it's ultimately a WG decision, hence not in my discuss.
- [core] Eric Rescorla's Discuss on draft-ietf-core… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander