Re: [core] Eric Rescorla's Discuss on draft-ietf-core-object-security-09: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Thu, 08 March 2018 15:07 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DBDB127023 for <core@ietfa.amsl.com>; Thu, 8 Mar 2018 07:07:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7zK-fK1AHnYO for <core@ietfa.amsl.com>; Thu, 8 Mar 2018 07:07:35 -0800 (PST)
Received: from mail-qt0-x22f.google.com (mail-qt0-x22f.google.com [IPv6:2607:f8b0:400d:c0d::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26964126CD6 for <core@ietf.org>; Thu, 8 Mar 2018 07:07:32 -0800 (PST)
Received: by mail-qt0-x22f.google.com with SMTP id c7so7054479qtn.3 for <core@ietf.org>; Thu, 08 Mar 2018 07:07:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NUaAi6n0ZxtMYz5q8LajEvwB5piVDxwoefSANAcPSk0=; b=gxrMkW2DuE+DxxNW4NSG+w1/5HT4671gLGRatUUSEzONALEJF//KdjYrtHaAK38Bu1 u5b4fK/VT3uBuR85d4rpSSs712vJGsEbtllVfaq8wWhPADUfYmm+/VontEkMkYbK8qxL QmWVJ26gp3lho0HQs3/3vgCPE+UHPgWNUIY3m3/1MRSV9+Gb78XmUoqXZctxG7UbINPh Wvd6O7lsaN/RmSH7YCRwP6onb34MhEvDzCL8w9DbM0tecx+eOjkPrHf7hTOJA13BgquD jHr5SJzPJVEb913kh8rtiL8R6OXn1gQiphzA5NV4H7WbGy9/4TjOsvFT1gT1yoBxo1E0 xKmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NUaAi6n0ZxtMYz5q8LajEvwB5piVDxwoefSANAcPSk0=; b=KsLlGGi/Ikcn//gnmRm2I47sP3pjPLH1NKQysFM2oMah4tRUCy5qvCNIe6eIr1BDlf XS9VEXko8X1oLhnSKxrSLj5BYAw3Jl9E+5R7ZADmrdDRjPt9VpfiZdyx33lbze438HEG Wy0oQtPDdykVDJT1bOqYODuKI6pQw+384h+9iwuaxu3L7vhS2Fv4MsIeXUNakj0YI/G7 oAVjj/g7phv73jLICieXcpE+ynIC+xbMewoTwYjIprMqIqIc3sO9TJMuLfmPw3DCvr9+ u/0UQaeyMd3LO96BynfdA2C9mep/kthGJ8SMipmtT7VhPaHEtdBYL28PUKTtxRiBcl1p EBMg==
X-Gm-Message-State: AElRT7HhQ/4EaMxKMiwvwjdTr9gGU0/kNBdXm1W9bYyt7sxK0k9+fqxx 7NRmKdwP1iQKIYGVi4/dRkuCR1L16PQ6zSCJKmMw/Q==
X-Google-Smtp-Source: AG47ELuxXotURCYP8dd8QklHuSBKNRDITHHeiP2+z4S+SN6QrPimgXqtp97QLXHllROQWpbG50ib7eglzhjnXjXM9wY=
X-Received: by 10.237.61.112 with SMTP id h45mr40426954qtf.225.1520521651059; Thu, 08 Mar 2018 07:07:31 -0800 (PST)
MIME-Version: 1.0
Received: by 10.200.37.176 with HTTP; Thu, 8 Mar 2018 07:06:50 -0800 (PST)
In-Reply-To: <D6C70BE1.A15AA%goran.selander@ericsson.com>
References: <152047792293.21279.6463990470584540244.idtracker@ietfa.amsl.com> <D6C70BE1.A15AA%goran.selander@ericsson.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 08 Mar 2018 07:06:50 -0800
Message-ID: <CABcZeBP2oTYTMzp-6Fdb=engmwxZBjQ5r7mDcufS0dC4oAgJ=g@mail.gmail.com>
To: Göran Selander <goran.selander@ericsson.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-core-object-security@ietf.org" <draft-ietf-core-object-security@ietf.org>, Carsten Bormann <cabo@tzi.org>, Jaime Jiménez <jaime.jimenez@ericsson.com>, "core-chairs@ietf.org" <core-chairs@ietf.org>, "core@ietf.org" <core@ietf.org>
Content-Type: multipart/alternative; boundary="001a113520e0e297510566e80860"
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/YDKgzpUMJF5HBIwkWxXAhswy-BY>
Subject: Re: [core] Eric Rescorla's Discuss on draft-ietf-core-object-security-09: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 15:07:38 -0000
On Thu, Mar 8, 2018 at 6:59 AM, Göran Selander <goran.selander@ericsson.com> wrote: > Another recurring comment is the impact of a proxy changing certain CoAP > message fields like e.g. Message ID, Token or Uri-Host. Since CoAP defines > legitimate proxy operations, these message fields cannot be integrity > protected end-to-end. Current security solutions either does not allow > proxy operations or leave all message fields unprotected in the proxy. We > will try to make this more clear. > The question is what the security impact of these is. > A third thing in Eric’s review is the construction of the nonce where the > ID is included. The reason for this is to handle endpoints switching roles > (CoAP client <-> CoAP server) which is supported by CoAP, and in > particular > group communications with one sender and multiple recipients I don't see how that is relevant, given that you already have key separation for the sender key, what separate information is there in the nonce? -Ekr > . While the > latter is the topic of a separate draft > (draft-tiloca-core-multicast-oscoap) and the properties in that setting is > out of scope of this draft, we will add more explanation to the security > design and the unicast security properties in general to this draft. > > > More later. > > Göran > > > > > On 2018-03-08 03:58, "Eric Rescorla" <ekr@rtfm.com> wrote: > > >Eric Rescorla has entered the following ballot position for > >draft-ietf-core-object-security-09: Discuss > > > >When responding, please keep the subject line intact and reply to all > >email addresses included in the To and CC lines. (Feel free to cut this > >introductory paragraph, however.) > > > > > >Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > >for more information about IESG DISCUSS and COMMENT positions. > > > > > >The document, along with other ballot positions, can be found here: > >https://datatracker.ietf.org/doc/draft-ietf-core-object-security/ > > > > > > > >---------------------------------------------------------------------- > >DISCUSS: > >---------------------------------------------------------------------- > > > >https://mozphab-ietf.devsvcdev.mozaws.net/D3075 > > > >DISCUSS > >My overall concern with this document is that I am unable to evaluate > >the security properties of the system. I have described a number of > >issues below, but the basic problem is that this sort of partial > >protection is extremely hard to reason about and the security > >considerations do not do an adequate job of evaluating the impact of > >proxies modifying these values. I am similarly concerned about the > >HTTP mapping and link section which seems extremely sketchy and has > >essentially no security analysis, and yet potentially have a lot > >of landmines. > > > >At minimum, this document needs to walk through the implications > >of modifications by the proxy to every unprotected field in > >the pure CoAP context as well as the HTTP context (if you want > >to retain that binding). > > > > are given in Appendix A. OSCORE does not depend on underlying > > layers, and can be used anywhere where CoAP or HTTP can be used, > > including non-IP transports (e.g., [I-D.bormann-6lo-coap-802-15-ie]). > > > >IMPORTANT: This document claims to be applicable to protocols other > >than COAP, in particular HTTP. Has this been reviewed by the HTTP > >working group? Martin Thomson's review suggests that this is out of > >step with HTTP practice. > > > > IDs MUST be long uniformly random distributed byte strings such that > > the probability of collisions is negligible. > > > >IMPORTANT: I don't understand how this paragraph and the previous > >paragraph interact. You say that the maximum length is 7 octets in the > >previous paragraph, which I don't think qualifies as "long". > > > > | 1 | If-Match | x | | > > | 3 | Uri-Host | | x | > > | 4 | ETag | x | | > >IMPORTANT: Why do you think that it's not important to have integrity > >protection for Uri-Host and Uri-port? > > > > Outer option message fields (Class U or I) are used to support proxy > > operations. > >IMPORTANT: This seems problematic because the proxy cannot verify class I > >fields. > > > > layer only, and not the Messaging Layer (Section 2 of [RFC7252]), so > > fields such as Type and Message ID are not protected with OSCORE. > > > >IMPORTANT: This seems extremely hard to reason about. What are the > >implications of the proxy being able to change these? > > > > o request_piv: contains the value of the 'Partial IV' in the COSE > > object of the request (see Section 5). > > > >IMPORTANT: I think what I am getting here is that the request_piv is > >used to verify that the request and response match. However, I do not > >see this explicitly stated anywhere, and it's not clear to me how the > >client is supposed to recover the request_piv and the text is pretty > >unclear here? Is the external_aad carried somewhere in the message? Am > >I supposed to reconstruct it from the message id? > > > > For responses, the message binding guarantees that a response is not > > older than its request. For responses without Observe, this gives > > > >IMPORTANT: I am not sure that this is true. What happens of the > >counterparty lies? What is your threat model? > > > > An extension of OSCORE may also be used to protect group > > communication for CoAP [I-D.tiloca-core-multicast-oscoap]. The use > > of OSCORE does not affect the URI scheme and OSCORE can therefore be > > used with any URI scheme defined for CoAP or HTTP. The application > > decides the conditions for which OSCORE is required. > > > >This is pretty surprising to just drop in here. Multicast has totally > >different > >security properties from non-multicast. > > > > > >---------------------------------------------------------------------- > >COMMENT: > >---------------------------------------------------------------------- > > > > > > > > but is also able to eavesdrop on, or manipulate any part of the > > message payload and metadata, in transit between the endpoints. The > > proxy can also inject, delete, or reorder packets since they are no > >Nit: you want > >"eavesdrop on, or manipulate any part of, the message payload and > >metadata in > >transit" > > > >I.e., move the second comma > > > > the endpoints, and those are therefore processed as defined in > > [RFC7252]. Additionally, since the message formats for CoAP over > > unreliable transport [RFC7252] and for CoAP over reliable transport > >Nit: "OSCORE protects neither .... nor...." > > > > Salt. Length is determined by the AEAD Algorithm. Its value is > >> immutable once the security context is established. > >Nit: you might just say above or below this list that all the values are > >immutable, > > > > different operations. One mechanism enabling this is specified in > > [I-D.ietf-core-echo-request-tag]. > >Is this a security condition? > > > > of [RFC7252], where the delta is the difference to the previously > > included class I option. > >Is the delta here the previously included Class I option or the previously > >included instance of the same option, as it appears to say in S 3.1. > > > > compressed COSE object. The values n = 6 and n = 7 are > > reserved. > >How can Partial IV not be present? it's the sequence number. Is the > >answer that > >it is the 0 value? > > > > response. The server therefore needs to store the kid and Partial IV > > of the request until all responses have been sent. > >It was my understanding that the kid was needed to look up the key. Why > >are kid > >substitution attacks an issue? > > > > The maximum Sender Sequence Number is algorithm dependent (see > > Section 11), and no greater than 2^40 - 1. If the Sender Sequence > > Number exceeds the maximum, the endpoint MUST NOT process any more > >If you take my suggestion about removing senderID from the nonce you will > >be > >able to relax this. > > > > After boot, an endpoint MAY reject to use existing security contexts > > from before it booted and MAY establish a new security context with > >Nit: this is ungrammatical > > > > included in the message. If the AEAD nonce from the request was > > used, the Partial IV MUST NOT be included in the message. > >IMPORTANT: You are now violating the invariant of using the same nonce > >twice. > >That's fine in this case, because you have per-sender keys but it > >demonstrates > >that it is unnecessary to encode the sender_id in the nonce field. > > > > Security level here means that an attacker can recover one of the m > > keys with complexity 2^(k + n) / m. Protection against such attacks > > can be provided by increasing the size of the keys or the entropy of > >This paragraph is extremely hard to follow but I am not persuaded that it > >is > >correct. Do you have a citation for the claim that you can add the key > >entropy > >and the nonce entropy like this. > > > > style of padding means that all values need to be padded. Similar > > arguments apply to other message fields such as resource names. > >The PKCS#7 padding scheme at minimum has potential timing channels > > > > The server verifies that the Partial IV has not been received before. > > The client verifies that the response is bound to the request. > >How does the client verify this > > > > Partial IV (in network byte order) with zeroes to exactly nonce > > length - 6 bytes, > > > >IMPORTANT: I don't understand the reason for this construction. You > >already require that the key be derived via HKDF from the |master key| > >and |sender ID| therefore, it is not necessarily to separately encode > >the sender ID in the nonce. This would ordinarily not be a large > >issue, but as it requires very extreme restrictions on the sender ID > >(and essentially precludes random sender IDs) I believe it is worth > >considering changing, but it's ultimately a WG decision, hence not > >in my discuss. > > > > > >
- [core] Eric Rescorla's Discuss on draft-ietf-core… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander