IETF Logo Mail Archive

Re: [core] [ALU] Re: Question reg. draft-fossati-tls-iot-optimizations-00

"Hudalla Kai (INST/ESY1)" <Kai.Hudalla@bosch-si.com> Thu, 03 November 2016 08:21 UTC

Return-Path: <Kai.Hudalla@bosch-si.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5AF5129455 for <core@ietfa.amsl.com>; Thu, 3 Nov 2016 01:21:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ELH5Qq6dQKDV for <core@ietfa.amsl.com>; Thu, 3 Nov 2016 01:21:06 -0700 (PDT)
Received: from smtp6-v.fe.bosch.de (smtp6-v.fe.bosch.de [IPv6:2a03:cc00:ff0:100::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14BC2129478 for <core@ietf.org>; Thu, 3 Nov 2016 01:21:05 -0700 (PDT)
Received: from vsmta11.fe.internet.bosch.com (unknown [10.4.98.51]) by imta23.fe.bosch.de (Postfix) with ESMTP id 2380D15800BA for <core@ietf.org>; Thu, 3 Nov 2016 09:21:04 +0100 (CET)
Received: from be6vw2exc01.bosch-si.com (vsgw22.fe.internet.bosch.com [10.4.98.11]) by vsmta11.fe.internet.bosch.com (Postfix) with ESMTP id C785B2380E49 for <core@ietf.org>; Thu, 3 Nov 2016 09:21:03 +0100 (CET)
Received: from BE6PW2EXD00.bosch-si.com ([fe80::4027:bf9e:f016:559a]) by be6vw2exc01.bosch-si.com ([::1]) with mapi id 14.03.0319.002; Thu, 3 Nov 2016 09:21:32 +0100
From: "Hudalla Kai (INST/ESY1)" <Kai.Hudalla@bosch-si.com>
To: "core@ietf.org" <core@ietf.org>
Thread-Topic: [core] [ALU] Re: Question reg. draft-fossati-tls-iot-optimizations-00
Thread-Index: AQHSNRLsxw+ZhmUfhkiE76fll++38qDFxkwAgAAWXYCAAP7aAA==
Date: Thu, 03 Nov 2016 08:21:32 +0000
Message-ID: <1478161262.24033.17.camel@bosch-si.com>
References: <D43F9ABE.74B48%thomas.fossati@alcatel-lucent.com> <1478101730.3603.9.camel@bosch-si.com> <D43FCAE6.74BCD%thomas.fossati@alcatel-lucent.com>
In-Reply-To: <D43FCAE6.74BCD%thomas.fossati@alcatel-lucent.com>
Accept-Language: en-US, de-DE
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.56.65.50]
Content-Type: text/plain; charset="utf-8"
Content-ID: <770377283F2B1644AEE734A0176CF66D@bosch-si.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1679-8.0.0.1202-22674.005
X-TMASE-MatchedRID: u6ojmU07PKynykMun0J1wgPZZctd3P4ByZnHhh2CJcENcckEPxfz2CU7 43HF3fJ1twGfkbxj4J/lmVvpnPwXxRRg8BxQrgE0MEK/6tg6I3F1IdjjHRSNCX8sSIZ4yzEpQ0U kLoLY8eZGRpMTw05NY2szRQ7dIgPPfglcCxeYbJMdxBAG5/hkW4/8SyGg0rIRN2d3n0B/sI84p7 Klky94IArDMcL7e9Zu2tWzt6NwSujtZl4cEh8nuK3GlV8ATaXv0i/hFXziUdMZnbM1DCQfDe8fa d4FArWrt/IWUnuUeAjUNhUXX7CXB/wyrzOpgW8A4HBpYyeQJ2d3b0cPSGvsdoVzrPhrur/FM+p+ NpswZmquBO/LdDafPEyDIoVbDElJ9BfBMFJpTLBIOSHptb5txyGZtiDVlw6eb45886yjdr/5FJs tWNYx/Gx2hzqiCsJgmg8n0rIhOWTCn+Yz1AZqrby5hnFzVM+XfkuZtv/FS5osfFlFugSGUEp0Vz fTA7tqD/gYyqVMntk1HRkuBx+E0iZfM6MRjqJVf01qcJQDhV5Vyg4Yz2U7pKvM+zzl/BST2PiJv USMSRNBdM8eNUKnmMSm8UHG6MRatPyViaiKKqaPQVakDkJU+VtP+ljwL9Cf1TKQ8rVEUCitEaJo VjyWkL/pBBhsppO2dBqI0AQ3SxxccQ8eam5EfdIFVVzYGjNKWQy9YC5qGvz6APa9i04WGCq2rl3 dzGQ1MShsdO9q4tqksqWegtRGVJ4uDMAVemXUQl+tvE9XdP5yCY1avHWczA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/hDPwaJXpZXdg8kXoHf7AdOA4rPU>
Subject: Re: [core] [ALU] Re: Question reg. draft-fossati-tls-iot-optimizations-00
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2016 08:21:09 -0000

Thomas, thanks for explaining. Further comments below ...

On Mi, 2016-11-02 at 17:08 +0000, Fossati, Thomas (Nokia - GB) wrote:
> Hi Kai,
> 
> On 02/11/2016 15:49, "core on behalf of Hudalla Kai (INST/ESY1)"
> <core-bounces@ietf.org on behalf of Kai.Hudalla@bosch-si.com> wrote:
> > 
> > Assuming that "shared_secret" is derived from the pre-master or master
> > secret and
> > "string(i)" means "get the ASCII representation of integer i's digits",
> > then
> > this function would have the additional advantage of not requiring both
> > sides to
> > "pre-compute" the whole list of CIDs in advance but instead being able to
> > compute
> > the next CID ad-hoc when it is needed, wouldn't it? The client and server
> > would
> > only need to keep track of counter i in this case.
> Yes, but then the receiver would have to do a bit of acrobatics to compute
> all the future CIDs of the active sessions if the received CID is not
> found in the hash table.  I think pre computation has its advantages in
> this case -- the server controls the CIDs chain length and could adapt the
> proposed value based on both its overall capacity and current load.
> 
You are absolutely right, I missed out on that problem.

> > 
> > > 
> > > > 
> > > > I see following issues with the hash chain:
> > > > The scaling/performance depends on the "hash chain window" used to
> > > > related the record to the dtls connection.
> > > > As larger the window, the more I'm in doubt, if that scales.
> > > I agree.  That's why I think "client proposes, server chooses" is the
> > > right way to negotiate it.
> > > 
> > > > 
> > > > 
> > > > The robustness for clients, when we lose more packets then we assume
> > > in
> > > > 
> > > > the window.
> > > > As smaller the window, the more I'm in doubt, if it's robust enough.
> > > I'm not sure I understand your concern here.
> > > 
> > > The idea is that the client has it's own "CID shift" policy (e.g., based
> > > on time, or number of packets exchanged, NAT rebinding awareness, etc.)
> > > and will decide unilaterally when to move to the next CID in chain,
> > > until
> > > the chain is exhausted.  The server will mirror the last CID received.
> > > In
> > > this scheme, packet loss has no impact as long as client keeps alive
> > > CIDs
> > > that have been shifted but not yet "acknowledged" by the server on the
> > > back channel.  (This is true if both sides keep the chain in place for
> > > as
> > > long as the security association is active.)
> > > 
> > My only concern would be that not using the full HMAC values as the CIDs
> > but
> > instead only using the, say, first 6 bytes would actually make the CIDs
> > vulnerable again. However, I am not a security expert and have no clue
> > whether
> > this is a problem or not.
> I think the hash should be truncated to avoid adding too much overhead on
> the (possibly constrained) channel. Could you please elaborate a bit more
> on the security issue you are seeing here?  (I can see potential issues
> with lookup collisions (i.e. functional) if the CID is chosen from a small
> space, but the security impact is not very clear to me.)
> 
I agree that the "uniqueness" property of the hashes will probably be reduced
very significantly and this will probably cause a much greater problem (from a
functional perspective). Using only truncated hashes might, however, make the
hash function itself less secure, i.e. it might be easier for an attacker to
determine the next hash if he only needs to make sure that the first six bytes
are correct. Again, I am not a security expert but I can imagine that the
guarantees an HMAC function makes regarding distribution and irreversibility are
somewhat dependent on the length as well ...


> > 
> > In any case, I like the idea very much :-) What do we need to do in order
> > to
> > bring this forward?
> If there is interest (as it seems) we could try and draft it in a slightly
> less concise way :-)
> 
> The original plan with Hannes was to also prototype it in his (1.3)
> implementation (mbedtls).  If you have another TLS stack that would be
> really great.
> 
Yes, I would like to incorporate such a mechanism into the Californium Java CoAP
stack.

v2.23.0 | Report a Bug | By Email