Re: [core] Eric Rescorla's Discuss on draft-ietf-core-object-security-09: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Thu, 08 March 2018 17:06 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62FA312711B for <core@ietfa.amsl.com>; Thu, 8 Mar 2018 09:06:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fxyCifdRuoFp for <core@ietfa.amsl.com>; Thu, 8 Mar 2018 09:06:44 -0800 (PST)
Received: from mail-qk0-f179.google.com (mail-qk0-f179.google.com [209.85.220.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43A2D12751F for <core@ietf.org>; Thu, 8 Mar 2018 09:06:40 -0800 (PST)
Received: by mail-qk0-f179.google.com with SMTP id s198so460098qke.5 for <core@ietf.org>; Thu, 08 Mar 2018 09:06:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Nd5hPQ+VLN93eKG8Ttm1RYr//VVoLVyvFIrSowSdjX0=; b=wMpBlGnTR1O3hoE16SiopVUuutGan9nQIiC8FRxedrZLg6AsGGXy3EO3P24UpLT8z/ o6cWBKu0QfOwgdtsX7FNX4ThDxRrlsjngHThIAB7W0snxZD+RLyUTyZfofWnkzGwO7IQ Ubtze0KhWtDlcGJ38135rPDAhQsyVo/NPu0eNCeB283HmkUVzrcQSvY6opRGhALv3VDD QVhbxW/xEWXmLqTrIQ3/U3Kp5WkSln7+VzIulSk0MMAnLxDvpKJrVo9kzQwBhenUUFSt pnyp3KYKDSZLWfNuGGxaqPfkf8USliZTFlUf3ItXJ8slGmsI8hsQgw+CzIDDKrLcmqZ1 q2+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Nd5hPQ+VLN93eKG8Ttm1RYr//VVoLVyvFIrSowSdjX0=; b=oz95p+O79n6PUm/GRbbIASwS97z17w499YV3On06H2QPXaQbxhRFdeAIyZ6F8m2AGM 5sW/IWGd7/3A69hwZSbZ2GXN0HbmABJRIPL39cumpbkhW9oAyspIs1k/PUv562JrsGBU cRR0z9GstziPmQ8niq+sSjqB0hPxcMfgbcPrlW0YOvl4GYB2OS0CQLCpsBWVQwbpErSE YYC9w4uk7ZbUOFsKp4TYxuVWtpeoWi+nZqHTmtjQppvJOeTJakDS5AcfZrltuokh9f5I N1F8gi6VmOZtDj3sAUSfHa5Fqs1s0fNQepuiYINVahORY/cRy6kySchxInLiHqafu+FI mRZg==
X-Gm-Message-State: AElRT7EGdn90jRpOVkQte3TJIZekjJiJYaw8CtHUnG5MRutTQJgirXJ3 8nw7fA7N/4+uj9FYXfnWSlzydqJklL0Tq4bqumMeHw==
X-Google-Smtp-Source: AG47ELsdTAAxMCQD2+tt+bfr5eLY8qdEp+V5725lKTbnCLw8ViBaqFCO74FfpeZWQMHnfs7D6Nc8GbVwvnUu+AW3UQo=
X-Received: by 10.55.221.198 with SMTP id u67mr40477434qku.91.1520528798956; Thu, 08 Mar 2018 09:06:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.200.37.176 with HTTP; Thu, 8 Mar 2018 09:05:58 -0800 (PST)
In-Reply-To: <D6C71CA5.A15F7%goran.selander@ericsson.com>
References: <152047792293.21279.6463990470584540244.idtracker@ietfa.amsl.com> <D6C70BE1.A15AA%goran.selander@ericsson.com> <CABcZeBP2oTYTMzp-6Fdb=engmwxZBjQ5r7mDcufS0dC4oAgJ=g@mail.gmail.com> <D6C710F5.A15D5%goran.selander@ericsson.com> <CABcZeBPpHWGua074aFDruvZHrGN3cmVmSpjR0D7CgT9uMbfw9A@mail.gmail.com> <D6C71CA5.A15F7%goran.selander@ericsson.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 08 Mar 2018 09:05:58 -0800
Message-ID: <CABcZeBNyA=WuhKKUs1njM-P36Cj_LCk0E=Wgc61iKefwT5A72Q@mail.gmail.com>
To: Göran Selander <goran.selander@ericsson.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-core-object-security@ietf.org" <draft-ietf-core-object-security@ietf.org>, Carsten Bormann <cabo@tzi.org>, Jaime Jiménez <jaime.jimenez@ericsson.com>, "core-chairs@ietf.org" <core-chairs@ietf.org>, "core@ietf.org" <core@ietf.org>
Content-Type: multipart/alternative; boundary="001a114992e0eeeadd0566e9b2a4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/o1FzxPN-UCnj8iP6OlvhMACStrk>
Subject: Re: [core] Eric Rescorla's Discuss on draft-ietf-core-object-security-09: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 17:06:47 -0000
On Thu, Mar 8, 2018 at 8:24 AM, Göran Selander <goran.selander@ericsson.com> wrote: > > > From: Eric Rescorla <ekr@rtfm.com> > Date: Thursday 8 March 2018 at 16:39 > To: Göran Selander <goran.selander@ericsson.com> > Cc: The IESG <iesg@ietf.org>, "draft-ietf-core-object-security@ietf.org" < > draft-ietf-core-object-security@ietf.org>, Carsten Bormann <cabo@tzi.org>, > Jaime Jiménez <jaime.jimenez@ericsson.com>, "core-chairs@ietf.org" < > core-chairs@ietf.org>, "core@ietf.org" <core@ietf.org> > Subject: Re: Eric Rescorla's Discuss on draft-ietf-core-object-security-09: > (with DISCUSS and COMMENT) > > > > On Thu, Mar 8, 2018 at 7:23 AM, Göran Selander < > goran.selander@ericsson.com> wrote: > >> >> >> From: Eric Rescorla <ekr@rtfm.com> >> Date: Thursday 8 March 2018 at 16:06 >> To: Göran Selander <goran.selander@ericsson.com> >> Cc: The IESG <iesg@ietf.org>, "draft-ietf-core-object-security@ietf.org" >> <draft-ietf-core-object-security@ietf.org>, Carsten Bormann <cabo@tzi.org>, >> Jaime Jiménez <jaime.jimenez@ericsson.com>, "core-chairs@ietf.org" < >> core-chairs@ietf.org>, "core@ietf.org" <core@ietf.org> >> Subject: Re: Eric Rescorla's Discuss on draft-ietf-core-object-security-09: >> (with DISCUSS and COMMENT) >> >> >> >> On Thu, Mar 8, 2018 at 6:59 AM, Göran Selander < >> goran.selander@ericsson.com> wrote: >> >>> Another recurring comment is the impact of a proxy changing certain CoAP >>> message fields like e.g. Message ID, Token or Uri-Host. Since CoAP >>> defines >>> legitimate proxy operations, these message fields cannot be integrity >>> protected end-to-end. Current security solutions either does not allow >>> proxy operations or leave all message fields unprotected in the proxy. We >>> will try to make this more clear. >>> >> >> The question is what the security impact of these is. >> >> >> Yes, and we will try to address this. But it is a general property of >> CoAP when proxies are used. >> > > Yes, but the whole point of this design is to protect to some extent > against malicious proxies. > > > Yes, but not against proxy operations which are defined as legitimate by > CoAP and/or where there are other means to verify the operation. > Whether these operations are in fact safe is the question at hand. I will wait for your detailed analysis. -Ekr > > A third thing in Eric’s review is the construction of the nonce where the >>> ID is included. The reason for this is to handle endpoints switching >>> roles >>> (CoAP client <-> CoAP server) which is supported by CoAP, and in >>> particular >>> group communications with one sender and multiple recipients >> >> >> I don't see how that is relevant, given that you already have key >> separation >> for the sender key, what separate information is there in the nonce? >> >> >> The sender key is used both in the role of client making a request (with >> own partial IV) and in the role of server responding to a request (with the >> other endpoint’s partial IV). >> > > This seems extremely hard to analyze. You should just use separate keys. > > > That is an alternative solution which is less optimised e.g. in terms of > size of group communication security context. Let us come back on that. > > Göran > > > -Ekr > > >> Göran >> >> >> -Ekr >> >> >> >>> . While the >>> latter is the topic of a separate draft >>> (draft-tiloca-core-multicast-oscoap) and the properties in that setting >>> is >>> out of scope of this draft, we will add more explanation to the security >>> design and the unicast security properties in general to this draft. >>> >>> >>> More later. >>> >>> Göran >>> >>> >>> >>> >>> On 2018-03-08 03:58, "Eric Rescorla" <ekr@rtfm.com> wrote: >>> >>> >Eric Rescorla has entered the following ballot position for >>> >draft-ietf-core-object-security-09: Discuss >>> > >>> >When responding, please keep the subject line intact and reply to all >>> >email addresses included in the To and CC lines. (Feel free to cut this >>> >introductory paragraph, however.) >>> > >>> > >>> >Please refer to https://www.ietf.org/iesg/stat >>> ement/discuss-criteria.html >>> >for more information about IESG DISCUSS and COMMENT positions. >>> > >>> > >>> >The document, along with other ballot positions, can be found here: >>> >https://datatracker.ietf.org/doc/draft-ietf-core-object-security/ >>> > >>> > >>> > >>> >---------------------------------------------------------------------- >>> >DISCUSS: >>> >---------------------------------------------------------------------- >>> > >>> >https://mozphab-ietf.devsvcdev.mozaws.net/D3075 >>> > >>> >DISCUSS >>> >My overall concern with this document is that I am unable to evaluate >>> >the security properties of the system. I have described a number of >>> >issues below, but the basic problem is that this sort of partial >>> >protection is extremely hard to reason about and the security >>> >considerations do not do an adequate job of evaluating the impact of >>> >proxies modifying these values. I am similarly concerned about the >>> >HTTP mapping and link section which seems extremely sketchy and has >>> >essentially no security analysis, and yet potentially have a lot >>> >of landmines. >>> > >>> >At minimum, this document needs to walk through the implications >>> >of modifications by the proxy to every unprotected field in >>> >the pure CoAP context as well as the HTTP context (if you want >>> >to retain that binding). >>> > >>> > are given in Appendix A. OSCORE does not depend on underlying >>> > layers, and can be used anywhere where CoAP or HTTP can be used, >>> > including non-IP transports (e.g., [I-D.bormann-6lo-coap-802-15-i >>> e]). >>> > >>> >IMPORTANT: This document claims to be applicable to protocols other >>> >than COAP, in particular HTTP. Has this been reviewed by the HTTP >>> >working group? Martin Thomson's review suggests that this is out of >>> >step with HTTP practice. >>> > >>> > IDs MUST be long uniformly random distributed byte strings such that >>> > the probability of collisions is negligible. >>> > >>> >IMPORTANT: I don't understand how this paragraph and the previous >>> >paragraph interact. You say that the maximum length is 7 octets in the >>> >previous paragraph, which I don't think qualifies as "long". >>> > >>> > | 1 | If-Match | x | | >>> > | 3 | Uri-Host | | x | >>> > | 4 | ETag | x | | >>> >IMPORTANT: Why do you think that it's not important to have integrity >>> >protection for Uri-Host and Uri-port? >>> > >>> > Outer option message fields (Class U or I) are used to support proxy >>> > operations. >>> >IMPORTANT: This seems problematic because the proxy cannot verify class >>> I >>> >fields. >>> > >>> > layer only, and not the Messaging Layer (Section 2 of [RFC7252]), so >>> > fields such as Type and Message ID are not protected with OSCORE. >>> > >>> >IMPORTANT: This seems extremely hard to reason about. What are the >>> >implications of the proxy being able to change these? >>> > >>> > o request_piv: contains the value of the 'Partial IV' in the COSE >>> > object of the request (see Section 5). >>> > >>> >IMPORTANT: I think what I am getting here is that the request_piv is >>> >used to verify that the request and response match. However, I do not >>> >see this explicitly stated anywhere, and it's not clear to me how the >>> >client is supposed to recover the request_piv and the text is pretty >>> >unclear here? Is the external_aad carried somewhere in the message? Am >>> >I supposed to reconstruct it from the message id? >>> > >>> > For responses, the message binding guarantees that a response is not >>> > older than its request. For responses without Observe, this gives >>> > >>> >IMPORTANT: I am not sure that this is true. What happens of the >>> >counterparty lies? What is your threat model? >>> > >>> > An extension of OSCORE may also be used to protect group >>> > communication for CoAP [I-D.tiloca-core-multicast-oscoap]. The use >>> > of OSCORE does not affect the URI scheme and OSCORE can therefore be >>> > used with any URI scheme defined for CoAP or HTTP. The application >>> > decides the conditions for which OSCORE is required. >>> > >>> >This is pretty surprising to just drop in here. Multicast has totally >>> >different >>> >security properties from non-multicast. >>> > >>> > >>> >---------------------------------------------------------------------- >>> >COMMENT: >>> >---------------------------------------------------------------------- >>> > >>> > >>> > >>> > but is also able to eavesdrop on, or manipulate any part of the >>> > message payload and metadata, in transit between the endpoints. The >>> > proxy can also inject, delete, or reorder packets since they are no >>> >Nit: you want >>> >"eavesdrop on, or manipulate any part of, the message payload and >>> >metadata in >>> >transit" >>> > >>> >I.e., move the second comma >>> > >>> > the endpoints, and those are therefore processed as defined in >>> > [RFC7252]. Additionally, since the message formats for CoAP over >>> > unreliable transport [RFC7252] and for CoAP over reliable transport >>> >Nit: "OSCORE protects neither .... nor...." >>> > >>> > Salt. Length is determined by the AEAD Algorithm. Its value is >>> >> immutable once the security context is established. >>> >Nit: you might just say above or below this list that all the values are >>> >immutable, >>> > >>> > different operations. One mechanism enabling this is specified in >>> > [I-D.ietf-core-echo-request-tag]. >>> >Is this a security condition? >>> > >>> > of [RFC7252], where the delta is the difference to the previously >>> > included class I option. >>> >Is the delta here the previously included Class I option or the >>> previously >>> >included instance of the same option, as it appears to say in S 3.1. >>> > >>> > compressed COSE object. The values n = 6 and n = 7 are >>> > reserved. >>> >How can Partial IV not be present? it's the sequence number. Is the >>> >answer that >>> >it is the 0 value? >>> > >>> > response. The server therefore needs to store the kid and Partial IV >>> > of the request until all responses have been sent. >>> >It was my understanding that the kid was needed to look up the key. Why >>> >are kid >>> >substitution attacks an issue? >>> > >>> > The maximum Sender Sequence Number is algorithm dependent (see >>> > Section 11), and no greater than 2^40 - 1. If the Sender Sequence >>> > Number exceeds the maximum, the endpoint MUST NOT process any more >>> >If you take my suggestion about removing senderID from the nonce you >>> will >>> >be >>> >able to relax this. >>> > >>> > After boot, an endpoint MAY reject to use existing security contexts >>> > from before it booted and MAY establish a new security context with >>> >Nit: this is ungrammatical >>> > >>> > included in the message. If the AEAD nonce from the request was >>> > used, the Partial IV MUST NOT be included in the message. >>> >IMPORTANT: You are now violating the invariant of using the same nonce >>> >twice. >>> >That's fine in this case, because you have per-sender keys but it >>> >demonstrates >>> >that it is unnecessary to encode the sender_id in the nonce field. >>> > >>> > Security level here means that an attacker can recover one of the m >>> > keys with complexity 2^(k + n) / m. Protection against such attacks >>> > can be provided by increasing the size of the keys or the entropy of >>> >This paragraph is extremely hard to follow but I am not persuaded that >>> it >>> >is >>> >correct. Do you have a citation for the claim that you can add the key >>> >entropy >>> >and the nonce entropy like this. >>> > >>> > style of padding means that all values need to be padded. Similar >>> > arguments apply to other message fields such as resource names. >>> >The PKCS#7 padding scheme at minimum has potential timing channels >>> > >>> > The server verifies that the Partial IV has not been received before. >>> > The client verifies that the response is bound to the request. >>> >How does the client verify this >>> > >>> > Partial IV (in network byte order) with zeroes to exactly nonce >>> > length - 6 bytes, >>> > >>> >IMPORTANT: I don't understand the reason for this construction. You >>> >already require that the key be derived via HKDF from the |master key| >>> >and |sender ID| therefore, it is not necessarily to separately encode >>> >the sender ID in the nonce. This would ordinarily not be a large >>> >issue, but as it requires very extreme restrictions on the sender ID >>> >(and essentially precludes random sender IDs) I believe it is worth >>> >considering changing, but it's ultimately a WG decision, hence not >>> >in my discuss. >>> > >>> > >>> >>> >> >
- [core] Eric Rescorla's Discuss on draft-ietf-core… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander
- Re: [core] Eric Rescorla's Discuss on draft-ietf-… Göran Selander