[core] Re: Review of draft-ietf-core-oscore-groupcomm-17
Christian Amsüss <christian@amsuess.com> Mon, 01 July 2024 20:03 UTC
Return-Path: <christian@amsuess.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0430C169421; Mon, 1 Jul 2024 13:03:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 456-dqA2Cl2k; Mon, 1 Jul 2024 13:03:01 -0700 (PDT)
Received: from smtp.akis.at (smtp.akis.at [IPv6:2a02:b18:500:a515::f455]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A5E0C169402; Mon, 1 Jul 2024 13:02:58 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (095129206250.cust.akis.net [95.129.206.250]) by smtp.akis.at (8.17.2/8.17.2) with ESMTPS id 461K2s5Y017194 (version=TLSv1.2 cipher=ECDHE-ECDSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 1 Jul 2024 22:02:54 +0200 (CEST) (envelope-from christian@amsuess.com)
X-Authentication-Warning: smtp.akis.at: Host 095129206250.cust.akis.net [95.129.206.250] claimed to be poseidon-mailhub.amsuess.com
Received: from poseidon-mailbox.amsuess.com (hermes.lan [10.13.13.254]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id EC9113DB3A; Mon, 1 Jul 2024 22:02:53 +0200 (CEST)
Received: from hephaistos.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:b8f3:68be:587:a349]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id B276A37863; Mon, 1 Jul 2024 22:02:53 +0200 (CEST)
Received: (nullmailer pid 9720 invoked by uid 1000); Mon, 01 Jul 2024 20:02:53 -0000
Date: Mon, 01 Jul 2024 22:02:53 +0200
From: Christian Amsüss <christian@amsuess.com>
To: core@ietf.org, draft-ietf-core-oscore-groupcomm@ietf.org
Message-ID: <ZoMLbTXHh9ub78Q5@hephaistos.amsuess.com>
References: <167155165139.12883.5074467066117832003@ietfa.amsl.com> <ZDBAZn9uxU6eB9IY@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="vUccJHoV/xsR3uco"
Content-Disposition: inline
In-Reply-To: <ZDBAZn9uxU6eB9IY@hephaistos.amsuess.com>
X-Scanned-By: MIMEDefang 2.86
Message-ID-Hash: QJTWFYKUCNPU5LPCXP3AMUV2WY7I5NTE
X-Message-ID-Hash: QJTWFYKUCNPU5LPCXP3AMUV2WY7I5NTE
X-MailFrom: christian@amsuess.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-core.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [core] Re: Review of draft-ietf-core-oscore-groupcomm-17
List-Id: "Constrained RESTful Environments (CoRE) Working Group list" <core.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/OPh7UKmk9g3tgBh_gmPQYxH2b2A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Owner: <mailto:core-owner@ietf.org>
List-Post: <mailto:core@ietf.org>
List-Subscribe: <mailto:core-join@ietf.org>
List-Unsubscribe: <mailto:core-leave@ietf.org>
Hello oscore-groupcomm authors, as part of having read the updated document, I'm going through the review that initiated many of the changes for open points. While there are points which I'm still reviewing in more detail, and some remarks based on the latest version, what I can start with is a list of items I found neither changed nor mentioned in a response (or I missed where that happened). Many of those may easily be fine, just want to make sure none of that is getting lost: * 2.1.6 "The label is an ASCII string": Given that the type element in the info array is a CBOR item, it can only be a byte or a text string; I assume that the latter is meant. (And these don't typically contain trailing NUL bytes). * 4., "OSCORE uses the untagged COSE_Encrypt0 structure with an Authenticated Encryption with Associated Data (AEAD) algorithm": After compression, it doesn't matter any more whether it's the tagged or the untagged COSE_Encrypt0 structure. * In verifying that the now explicit arithmetic for the Ed25519 / Curve25519 mapping is what I'm using, I found that libsodium (from where I lifted my implementation) since very recently contains a note on its ed25519_..._to_curve25519 functions that "An alternative is do the ECDH operation over the Edwards curve, avoiding the conversion altogether"[2]. Given that a lot of work has gone into making the Ed25519/X25519 conversion work, I hope that no easy alternatives to this moderately cumbersome process (admittedly, it's the hardest in terms of spec text, and probably easier on the target CPU than on the programmer) have been missed, but I'd appreciate if someone who understood what's actually going on here could verify that whatever they're proposing doesn't apply here. * Now that authentication credentials are a thing in Group OSCORE, and these can in particular be CWTs or ?509 certificates that can have chains leading there: Does this mean that for deployments such as the pairwise-only one sketched at the last paragraph above Section 1.1, it's possible to run a group on more-or-less unchanged group key material, and members join by means of learning the current key material and obtaining a signed certificate to their key? (When they then arrive in the group, they start communicating, and when their peers need the credentials, those can be disseminated in a self-contained way, eg. by the new node itself -- without involving the GM). * Is the attack described in 13.7 ("Cross-group Message Injection") still possible now that request_kid_context and gm_cred are part of the eAAD? My impression (but without thorough checking) is that it wouldn't work any more because the gm_cred differ. Having the OSCORE option in the signature is a bit convoluted in implementations (not impossible, and can be optimized out, but requires some mental gymnastics), and AIU 13.7 is the only reason to have the OSCORE option in the eAAD in the first place. * A.1, forward and backward security: These look more like objectives (A.2) than assumptions (A.1) to me. * 13.5.1, "the recipient can still try to process the received message using the old retained Security Context as a second attempt": Why is that a second attempt? This makes it sound like the server attempts decryption, encounters a bad signature, and then retries with the old context, whereas what actually happens is that the server sees the old Gid, and still has that security context around. * 13.14: Does it make sense to show client aliveness? The server gets client aliveness relative to the last rekeying, but an application that requires aliveness exceeding that would cause a storm of Echo options that could have better been handled by 1:1 communication (or more frequent rekeying) in the first place. BR Christian [2]: https://github.com/jedisct1/libsodium-doc/commit/0732187608798b7b6d48d291ed1562fb28cf1e36 / https://doc.libsodium.org/advanced/ed25519-curve25519 -- Most people would leave. Not us. We're Vikings. We have stubbornness issues. -- Hiccup, son of Stoic
- [core] I-D Action: draft-ietf-core-oscore-groupco… internet-drafts
- [core] Fwd: I-D Action: draft-ietf-core-oscore-gr… Marco Tiloca
- [core] Review of draft-ietf-core-oscore-groupcomm… Christian Amsüss
- [core] Re: Review of draft-ietf-core-oscore-group… Christian Amsüss
- [core] Re: Review of draft-ietf-core-oscore-group… chrysn
- [core] Re: Review of draft-ietf-core-oscore-group… Marco Tiloca
- [core] Re: Review of draft-ietf-core-oscore-group… Marco Tiloca