Re: [core] OSCOAP: roll-out, recipient seqno, option number, sequence numbers
Jim Schaad <ietf@augustcellars.com> Fri, 06 January 2017 02:56 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B2A0129BA2; Thu, 5 Jan 2017 18:56:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.001
X-Spam-Level:
X-Spam-Status: No, score=-5.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9NdFxrPkpRr; Thu, 5 Jan 2017 18:56:51 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FAB01296B9; Thu, 5 Jan 2017 18:56:50 -0800 (PST)
Received: from hebrews (24.21.96.37) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 5 Jan 2017 19:16:21 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Christian Amsüss' <c.amsuess@energyharvesting.at>, draft-ietf-core-object-security@ietf.org, core@ietf.org
References: <20170104091229.gx5zrcx7ahwt2mik@hephaistos.amsuess.com>
In-Reply-To: <20170104091229.gx5zrcx7ahwt2mik@hephaistos.amsuess.com>
Date: Thu, 05 Jan 2017 18:56:43 -0800
Message-ID: <004301d267c8$84443b70$8cccb250$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJG/i1ruZbl3sV3WEzkHYqMMmSQqKBBiMJA
Content-Language: en-us
X-Originating-IP: [24.21.96.37]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/rG1EH_qBy3s6NRxDP2-eoyDnjs0>
Subject: Re: [core] OSCOAP: roll-out, recipient seqno, option number, sequence numbers
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 02:56:53 -0000
Christian, While not an author on the drafts, I will take a stab at giving clarification to your points. See response below, Jim > -----Original Message----- > From: core [mailto:core-bounces@ietf.org] On Behalf Of Christian Amsüss > Sent: Wednesday, January 04, 2017 1:12 AM > To: draft-ietf-core-object-security@ietf.org; core@ietf.org > Subject: [core] OSCOAP: roll-out, recipient seqno, option number, sequence > numbers > > Hello OSCOAP authors, > > getting familiar enough with OSCOAP to start an implementation, there are > some areas which are not fully clear to me from reading the draft: > > * At least master secret and CID are preconfigured (that's assuming > default algorithm, sender/receiver ID). It's out of scope for this > spec, but are there any other drafts on how those should be rolled out > / rolled over? There are indeed a couple of drafts that are looking a this: Draft-ietf-ace-oath-authz provides an overview of how authentication and authorization is going to work. It uses draft-ietf-ace-cbor-web-token as a message format to carry the keys from the auth server back to the client and resource server. It can run over either DTLS with draft-gerdes-ace-dtls-authorize or OACAOP with draft-selander-ace-coap-profile. Additionally, draft-selnder-ace-cose-ecdhe provides for a way to get these secrets based on pre-configured asymmetric keys or symmetric secrets. > > * btw, why is algorithm a "SHALL" be pre-established (3.2) and the > role IDs a "MAY" be predefined, if (as I understand) absence of > pre-definition in both cases means fallback to defaults? SHALL == MUST so there is no fallback on the algorithm. I think that the default on AEAD should be an MTI statement. Yes the role IDs would default to the default values as would the KDF function. Given that there is no negotiation on the replay window size, I don't think that there is really a default here as an application can probably choose any size they want, it will just effect the ability to cleanly pickup messages outside of the replay window. > > * speaking of "role IDs" to subsume sender and recipient ID, it > strikes me as odd that sender and recipient contexts are qualitatively > different (the former has a sequence number, the latter a replay > window in 3.1), but the roles of Sender and Recipient in terms of used > IDs stay the same when roles flip mid-conversation. Does that mean > that once my server starts "asking back", it grows a recipient > sequence number, and the former client grows a sender replay window? In some sense, what you have stated above is correct. The sequence number is used for a nonce and thus needs to be unique for every message that I send. In another sense, what you have stated above is wrong in that for most cases a device will be both a sender and a recipient and thus it will have a sender context for all the messages it sends and a recipient context for all of the messages that it can receive. The same thing is true for DTLS where there is a sending stream and a receiving stream and they are handled differently. Part of the confusion that you might be having at this point is the fact that there is another draft running around draft-tiloca-core-multicast-oscoap where you end up with a single sender context, but potentially one recipient context for each of the multicast receivers which can reply. Since they did not want to make a clean separation between these documents about how the context structures are setup, I find that the section is a bit sloppy. > > * The option numbers are "to be done". Is there one that's already in > use in first implementations? Could we pick one now and hope that all > concurrent drafts become aware of its use so it stays stable, and if > not just change it when going from draft to RFC? Or agree on one to > use from the experimenal range until RFC release? I am using a dummy with mine, however I would not want to make it generally known. I would be willing to do one-on-one exchanges. My assumption is that a pre-assignment should be made something mid-month based on the F2F conversation in Seoul. > > * Replay protection: The sequence numbers follow DTLS' anti-replay > mechanisms, where DTLS sessions are (to my limited knowledge) more or > less ephemeral. > > When a device with a precommissioned context encounters a factory > reset condition, or any kind of mis-match happens between > > * the static context memory area of the keys, > * the frequently modified window position possibly kept in log flash > area, and > * the bitfield inside the window (which I'd very much prefer not to > commit to flash memory in embedded devices), > > is there any way to recover from such a situation, eg roughly by the > recipient saying "I've heard all that, start at N or I can't trust you > at all"? > > It might well be a bad idea to allow such a thing (at very least, that > information needs to be authenticated), so right now this is primarily > a question about whether there is a mechanism I missed, and whether > there should be guidance considering the embedded use cases. The reset of the nonce is going to be a problem under all circumstances if you go back to a clean factory state and you cannot store the appropriate nonce in non-volatile memory. Under these circumstances, the expectation that I have is that the key you are using is also going to be lost so you no longer have a key that can be used to encrypt messages and you will need to go through a key establishment protocol (see the above drafts) to create a new session encryption key. This is going to be the same as with DTLS either with a shared secret or an asymmetric key pair where a new session is established. > > Could you help clarify these issues? > > Thanks > Christian > > -- > To use raw power is to make yourself infinitely vulnerable to greater powers. > -- Bene Gesserit axiom
- Re: [core] OSCOAP: [...], sequence numbers Göran Selander
- [core] OSCOAP: roll-out, recipient seqno, option … Christian Amsüss
- Re: [core] OSCOAP: roll-out, recipient seqno, opt… Christian Amsüss
- Re: [core] OSCOAP: roll-out, recipient seqno, opt… Jim Schaad
- Re: [core] OSCOAP: roll-out, recipient seqno, opt… Jim Schaad
- Re: [core] OSCOAP: roll-out, recipient seqno, opt… Göran Selander
- Re: [core] OSCOAP: roll-out, recipient seqno, opt… Göran Selander
- Re: [core] OSCOAP: [...], sequence numbers Christian Amsüss
- Re: [core] OSCOAP: [...], sequence numbers chrysn
- Re: [core] OSCOAP: [...], sequence numbers Göran Selander
- Re: [core] OSCOAP: [...], sequence numbers Göran Selander
- Re: [core] OSCOAP: [...], sequence numbers Jim Schaad