[core] Re: Review of draft-ietf-core-oscore-groupcomm-17

Christian Amsüss <christian@amsuess.com> Mon, 01 July 2024 20:03 UTC

Return-Path: <christian@amsuess.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0430C169421; Mon, 1 Jul 2024 13:03:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 456-dqA2Cl2k; Mon, 1 Jul 2024 13:03:01 -0700 (PDT)
Received: from smtp.akis.at (smtp.akis.at [IPv6:2a02:b18:500:a515::f455]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A5E0C169402; Mon, 1 Jul 2024 13:02:58 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (095129206250.cust.akis.net [95.129.206.250]) by smtp.akis.at (8.17.2/8.17.2) with ESMTPS id 461K2s5Y017194 (version=TLSv1.2 cipher=ECDHE-ECDSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 1 Jul 2024 22:02:54 +0200 (CEST) (envelope-from christian@amsuess.com)
X-Authentication-Warning: smtp.akis.at: Host 095129206250.cust.akis.net [95.129.206.250] claimed to be poseidon-mailhub.amsuess.com
Received: from poseidon-mailbox.amsuess.com (hermes.lan [10.13.13.254]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id EC9113DB3A; Mon, 1 Jul 2024 22:02:53 +0200 (CEST)
Received: from hephaistos.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:b8f3:68be:587:a349]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id B276A37863; Mon, 1 Jul 2024 22:02:53 +0200 (CEST)
Received: (nullmailer pid 9720 invoked by uid 1000); Mon, 01 Jul 2024 20:02:53 -0000
Date: Mon, 01 Jul 2024 22:02:53 +0200
From: Christian Amsüss <christian@amsuess.com>
To: core@ietf.org, draft-ietf-core-oscore-groupcomm@ietf.org
Message-ID: <ZoMLbTXHh9ub78Q5@hephaistos.amsuess.com>
References: <167155165139.12883.5074467066117832003@ietfa.amsl.com> <ZDBAZn9uxU6eB9IY@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="vUccJHoV/xsR3uco"
Content-Disposition: inline
In-Reply-To: <ZDBAZn9uxU6eB9IY@hephaistos.amsuess.com>
X-Scanned-By: MIMEDefang 2.86
Message-ID-Hash: QJTWFYKUCNPU5LPCXP3AMUV2WY7I5NTE
X-Message-ID-Hash: QJTWFYKUCNPU5LPCXP3AMUV2WY7I5NTE
X-MailFrom: christian@amsuess.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-core.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [core] Re: Review of draft-ietf-core-oscore-groupcomm-17
List-Id: "Constrained RESTful Environments (CoRE) Working Group list" <core.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/OPh7UKmk9g3tgBh_gmPQYxH2b2A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Owner: <mailto:core-owner@ietf.org>
List-Post: <mailto:core@ietf.org>
List-Subscribe: <mailto:core-join@ietf.org>
List-Unsubscribe: <mailto:core-leave@ietf.org>

Hello oscore-groupcomm authors,

as part of having read the updated document, I'm going through the
review that initiated many of the changes for open points.

While there are points which I'm still reviewing in more detail, and
some remarks based on the latest version, what I can start with is a
list of items I found neither changed nor mentioned in a response (or I
missed where that happened). Many of those may easily be fine, just want
to make sure none of that is getting lost:

* 2.1.6 "The label is an ASCII string": Given that the type element in
  the info array is a CBOR item, it can only be a byte or a text string;
  I assume that the latter is meant. (And these don't typically contain
  trailing NUL bytes).

* 4., "OSCORE uses the untagged COSE_Encrypt0 structure with an
  Authenticated Encryption with Associated Data (AEAD) algorithm":
  After compression, it doesn't matter any more whether it's the tagged
  or the untagged COSE_Encrypt0 structure.

* In verifying that the now explicit arithmetic for the Ed25519 /
  Curve25519 mapping is what I'm using, I found that libsodium (from
  where I lifted my implementation) since very recently contains a note
  on its ed25519_..._to_curve25519 functions that "An alternative is do
  the ECDH operation over the Edwards curve, avoiding the conversion
  altogether"[2].

  Given that a lot of work has gone into making the Ed25519/X25519
  conversion work, I hope that no easy alternatives to this moderately
  cumbersome process (admittedly, it's the hardest in terms of spec
  text, and probably easier on the target CPU than on the programmer)
  have been missed, but I'd appreciate if someone who understood what's
  actually going on here could verify that whatever they're proposing
  doesn't apply here.

* Now that authentication credentials are a thing in Group OSCORE, and
  these can in particular be CWTs or ?509 certificates that can have
  chains leading there: Does this mean that for deployments such as the
  pairwise-only one sketched at the last paragraph above Section 1.1,
  it's possible to run a group on more-or-less unchanged group key
  material, and members join by means of learning the current key
  material and obtaining a signed certificate to their key? (When they
  then arrive in the group, they start communicating, and when their
  peers need the credentials, those can be disseminated in a
  self-contained way, eg. by the new node itself -- without involving
  the GM).

* Is the attack described in 13.7 ("Cross-group Message Injection")
  still possible now that request_kid_context and gm_cred are part of
  the eAAD? My impression (but without thorough checking) is that it
  wouldn't work any more because the gm_cred differ.

  Having the OSCORE option in the signature is a bit convoluted in
  implementations (not impossible, and can be optimized out, but
  requires some mental gymnastics), and AIU 13.7 is the only reason to
  have the OSCORE option in the eAAD in the first place.

* A.1, forward and backward security: These look more like objectives
  (A.2) than assumptions (A.1) to me.

* 13.5.1, "the recipient can still try to process the received message
  using the old retained Security Context as a second attempt": Why is
  that a second attempt? This makes it sound like the server attempts
  decryption, encounters a bad signature, and then retries with the old
  context, whereas what actually happens is that the server sees the old
  Gid, and still has that security context around.

* 13.14: Does it make sense to show client aliveness? The server gets
  client aliveness relative to the last rekeying, but an application
  that requires aliveness exceeding that would cause a storm of Echo
  options that could have better been handled by 1:1 communication (or
  more frequent rekeying) in the first place.

BR
Christian

[2]: https://github.com/jedisct1/libsodium-doc/commit/0732187608798b7b6d48d291ed1562fb28cf1e36 / https://doc.libsodium.org/advanced/ed25519-curve25519

-- 
Most people would leave. Not us. We're Vikings. We have stubbornness
issues.
  -- Hiccup, son of Stoic