[core] OSCOAP -02: sequence number reuse?
Christian Amsüss <c.amsuess@energyharvesting.at> Tue, 21 March 2017 19:56 UTC
Return-Path: <c.amsuess@energyharvesting.at>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9819E128D69; Tue, 21 Mar 2017 12:56:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j13YDz2RJQEY; Tue, 21 Mar 2017 12:56:29 -0700 (PDT)
Received: from prometheus.amsuess.com (prometheus.amsuess.com [5.9.147.112]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42740128E19; Tue, 21 Mar 2017 12:56:28 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (095129206250.cust.akis.net [95.129.206.250]) by prometheus.amsuess.com (Postfix) with ESMTPS id 0FDC34697C; Tue, 21 Mar 2017 20:56:27 +0100 (CET)
Received: from poseidon-mailbox.amsuess.com (poseidon-mailbox.amsuess.com [10.13.13.231]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id 144201CF; Tue, 21 Mar 2017 20:56:26 +0100 (CET)
Received: from hephaistos.amsuess.com (hephaistos.amsuess.com [10.13.13.129]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id CCBC5406; Tue, 21 Mar 2017 20:56:25 +0100 (CET)
Received: (nullmailer pid 17242 invoked by uid 1000); Tue, 21 Mar 2017 19:56:24 -0000
Date: Tue, 21 Mar 2017 20:56:24 +0100
From: Christian Amsüss <c.amsuess@energyharvesting.at>
To: draft-ietf-core-object-security@ietf.org
Cc: core@ietf.org
Message-ID: <20170321195624.evktq3olnpfugaw7@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="x4xwcuklzcv2a5us"
Content-Disposition: inline
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/jK-K9oUd3qJI21jEjAnO9eMjXWs>
Subject: [core] OSCOAP -02: sequence number reuse?
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 19:56:31 -0000
Hello OSCOAP authors, implementing OSCOAP -02, I'm worried about possible reuse of sequence numbers. To make sure I understand things right, I'd like to outline first my understanding of IVs currently specified: * Assume the server has sender ID 01, and the client has sender ID 02. * The server's Sender IV is derived from 01, let's say it is 00010000000000; in analogy, the client's Sender IV is then 00020000000000. * The server's Recipient IV is then 00020000000000, the clients' Recipient IV is 00010000000000. (If I'm completely off by here, please let me know and skip the rest). When the client sends a request with seqno 1, the partial IV it sends is 01, and it uses IV 00020000000001. In the response, the server uses the same sequence number but as a response, and according to 7.3 #3, it uses the IV 80020000000001 (its recipient IV, first bit flipped and request seqno applied). In that process, the server never touches its sequence number counter. When then, much later, the client starts an observation, it might send a request with seqno 257 and IV 00020000000101. The server would, in its response, fall into the second case of 7.3 #3, have its sequence number at 1 and produce 80020000000001 (its recipient IV, first bit flipped, and its own sequence number), which is the very IV we've had before. (Again, if I'm completely off by here, ...). I suppose the whole idea behind using the top-most bit on responses is to partition the available IVs into a half that is self-determined and one that is peer-determined. The idea is valid IMO, provided we stick with "only one sender and one recipient" scenarios. Its execution would need modification, though, unless I got the above wrong. I'd suggest: * The first bit is flipped iff the sequence number of the request gets used (in which case neither server nor client do any checking of the sequence number, as it is as unique as the request's). Whenever a message is sent that carries its own sequence number (either because it is a request or because it is an observe response), its sender uses up a sequence number, its recipient checks the number, and the first bit stays as it is. Furthermore, the use of one's Recipient IV for sending a message worries me: This means that two different base IVs are used with the same key (as long as the server acts as a server, it uses x002000000nnnn, but when it asks back, it uses 0001000000nnnn). That means that the 10000000001(hex)st message the server uses in its role as a client IV-collides with the 1st it uses in an observation. IMO, everyone should still use their Sender IV for sending, and let the first-bit flipping do the partitioning. Hoping you didn't have to skip here from the first "If" Christian -- Christian Amsüss | Energy Harvesting Solutions GmbH founder, system architect | headquarter: mailto:c.amsuess@energyharvesting.at | Arbeitergasse 15, A-4400 Steyr tel:+43-664-97-90-6-39 | http://www.energyharvesting.at/ | ATU68476614
- [core] OSCOAP -02: sequence number reuse? Christian Amsüss
- Re: [core] OSCOAP -02: sequence number reuse? Göran Selander
- Re: [core] OSCOAP -02: sequence number reuse? Christian Amsüss