IETF Logo Mail Archive

[core] Review of draft-hartke-core-e2e-security-reqs-01

Jim Schaad <ietf@augustcellars.com> Tue, 02 August 2016 22:00 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A9F012D8D9 for <core@ietfa.amsl.com>; Tue, 2 Aug 2016 15:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level:
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LZbxZNQYbV_B for <core@ietfa.amsl.com>; Tue, 2 Aug 2016 15:00:52 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1F0D12D663 for <core@ietf.org>; Tue, 2 Aug 2016 15:00:51 -0700 (PDT)
Received: from hebrews (24.21.96.37) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 2 Aug 2016 15:12:16 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: draft-hartke-core-e2e-security-reqs@tools.ietf.org, core@ietf.org
Date: Tue, 02 Aug 2016 15:00:40 -0700
Message-ID: <036801d1ed09$507ef080$f17cd180$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0369_01D1ECCE.A424D370"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdHsNDP6Rd+0VoZ9RbOcD9Mip82KVw==
Content-Language: en-us
X-Originating-IP: [24.21.96.37]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/j1yoWn9gptGIIznba1FQEYRHzAI>
Subject: [core] Review of draft-hartke-core-e2e-security-reqs-01
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2016 22:00:54 -0000

Before anything else, let me re-iterate what I said at the F2F meeting.
This document is so much clearer and easier to read than was the -00 version
that it does not even appear to be the same document.   I want to really
thank you for the work you did in re-writing it.

 

That being said, I still do have some comments on draft that I would like to
you consider.

 

Jim

 

 

1.  Note that the title of the COSE document has changed you should pick
that up.

 

2. Section 2.1.1 - Should "client receives a response" include 

    * (Threat ?) The proxy returns a stale or outdated response based on
data it previously obtained from the origin server or some fourth party.

               I'm thinking of both out of date caches and poisoned caches.
Note that these are valid from a security point of view, but not 'fresh'

 

3.  Section 2.1.1.3 - based on a brief look at mattsson-core-coap-actuators,
it appears to have some solutions to the Withholding attack as well as the
Delaying attack.  This should probably be noted.

 

4.  Section 2.1.1.5 - It is not clear to me that there is a requirement that
all messages be protected from eavesdropping.  It might just be the way
things are stated here, but there is a difference between the fact that the
solution must provide a method to deal with this and the fact that integrity
protection might be sufficient in some cases.  This would also influence the
analysis below in some cases.

 

5.  Section 2.1.1.5 - You need to have a better statement of what it means
to provide forward secrecy.  This requirement would appear to potentially
rule out the use of the same session content encryption key for multiple
messages.  I do not believe that is true, but given that we are looking a
message based security some people might think this is the case.  I would
expand this statement to define the conditions under which PFS must be
provided.

 

6. Section 2.1.2 - Do you consider a proxy re-ordering requests to be a
threat?

 

7.  Section 2.1.2.1 - Next to last para.  I am not sure that 'involve' is
the correct word in this sentence.  Perhaps you meant 'include'

 

8.  Section 3 - when I look at figure 10, I keep feeling that it is not a
complete picture of what you need to be looking at 

 

 

                   Security Assn         Security Assn

               +-----------------+     +---------------+

               |                 |     |               |

           ____________        __________         ___________

           |            |      |          |       |           |

           |            |----->|          |<------|           |

           | Subscriber |      |  Broker  |       | Publisher |

           |            |<-----|          |------>|           |

           |____________|      |__________|       |___________|

                 :                                      :

                 '--------------------------------------'

                           Security Association

 

There needs to be a discussion of all of the different potential security
associations in this diagram.  Some of these can be reduced to simple
client-server associations, but some of the implications of this diagram are
potentially used for the entirety of the picture.

 

Examples of things that can be looked at:

a)      The broker is the one that will do enforcement of access control.
If this is not true then all subscription requests would really need to be
passed onto the publisher to ensure that the subscriber is to have access.
And we now have  new thread of the broker granting access to a subscription
stream when it should not.

b)     The broker may validate that messages from the publisher are in fact
from the publisher, but be unable to look at the content of the message.

c)      The broker may need to have some details of the SA between the
subscriber and the publisher.   For example, what happens if the key used to
encrypt/protect the message gets updated or if the publisher is generating
the same stream but using two different group keys.  In the first, is this
an issue for the client or for the broker.  In the second case there are
effectively two different streams with the same name that need to be
identified by the broker and the correct responses sent to the client.

 

These are examples of what I meant in the F2F when I said that you have a
semi-trusted broker.  It is trusted with information about the subscription
stream and allowed to enforce it.  But it is not allowed to have access to
the actual content of the stream.

 

9.  Threats in section 3 also include 

  * out of order delivery of items.   

  * Issues about a broker either granting or denying access to a stream.

  * Subscriber does not receive a response because the broker pre-maturely
unsubscribes the subscriber

v2.23.0 | Report a Bug | By Email