Re: [core] Question about AEAD nonce uniqueness
Jim Schaad <ietf@augustcellars.com> Thu, 13 April 2017 14:50 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60F82129494; Thu, 13 Apr 2017 07:50:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.99
X-Spam-Level:
X-Spam-Status: No, score=-1.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=augustcellars.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ffsugUZA0opS; Thu, 13 Apr 2017 07:49:57 -0700 (PDT)
Received: from mail4.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B34121294A2; Thu, 13 Apr 2017 07:49:55 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0071_01D2B429.1CCA1430"
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; d=augustcellars.com; s=winery; c=simple/simple; t=1492094991; h=from:subject:to:date:message-id; bh=tGA52XXAJuoj/pTrVB6Z0SAqxZeW3+EwtZ7XnLqlkR8=; b=NS73xZo/rBzf2a93xFswFC9VQEw+ZqnmBLsJON24VL0kyXm8Y2SfeZv6GfWa12A/AvfKPWBTuaX bv/0L5phkd+IYMFSMKUZyJqeRzyUH+e5aZfkw19CxOICdcWdyvjLbVU/0u4fl9/NL1ZRbILP94oWR o1SLvfADVCteiezKD3Us4OAzBJGpmRDBp1OBI+2XeiBtmlVKrvjBm2TxGmO2G2l/vpyzHDILz7nXU mvmSo/7d7VDhBeF2v/Zh1udVOAYjUcFwM9GQXHqr/l1WBpZrr9g9ypV5xJCequRWznwMy3F74nZ9t RdkBWRMvtiuis52/pLQ9kDj5KgKDF4HOFH7A==
Received: from mail2.augustcellars.com (192.168.1.201) by mail4.augustcellars.com (192.168.1.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 13 Apr 2017 07:49:50 -0700
Received: from Hebrews (24.21.96.37) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 13 Apr 2017 07:49:44 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mohit Sethi' <mohit.m.sethi@ericsson.com>, 'Göran Selander' <goran.selander@ericsson.com>, 'Core' <core@ietf.org>, 6tisch@ietf.org
CC: 'Christian Amsüss' <c.amsuess@energyharvesting.at>
References: <c31694fe-43db-875d-496a-a9ab3fd3c40f@ericsson.com> <002101d2b21d$3ff5ba30$bfe12e90$@augustcellars.com> <D512297C.7B59D%goran.selander@ericsson.com> <1bc3ed76-245a-f8fe-ae72-a424102ba682@ericsson.com>
In-Reply-To: <1bc3ed76-245a-f8fe-ae72-a424102ba682@ericsson.com>
Date: Thu, 13 Apr 2017 07:39:38 -0700
Message-ID: <007001d2b463$c9243140$5b6c93c0$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJv4xR+uLYuNuXVlU8kA8osT/0S9QKF7EItAvmXia8CDahmyqBMlrgQ
X-Originating-IP: [24.21.96.37]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/tzwSyn4-45z9YK0C4C8dJYGdXLg>
Subject: Re: [core] Question about AEAD nonce uniqueness
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2017 14:50:00 -0000
The selection of S_X is done by party X. This means that all they need to do is to generate – either randomly or deterministically – some identifier which is currently unique for them. The easiest way to do this is to have an array of N security contexts. Choose the first slot in the array which is empty and use that index as your identifier. If the array is full, then either grow the array or scavenge a security context which has not been used in a while and use that slot. This allows for identifiers that are unique to the party and still very small. The only time that one would need large random identifiers is when the keying material is generated by a third party such as the PSK version of EDHOC where the common PSK needs to be identified for both parties. I also do not have the same problems with collisions that Göran and others have. I am willing to try multiple keys in the event of a collision and only the correct one will work. This is not unusual in some cases already in other environments. Jim From: Mohit Sethi [mailto:mohit.m.sethi@ericsson.com] Sent: Thursday, April 13, 2017 2:46 AM To: Göran Selander <goran.selander@ericsson.com>; 'Core' <core@ietf.org>; 6tisch@ietf.org Cc: Jim Schaad <ietf@augustcellars.com>; Christian Amsüss <c.amsuess@energyharvesting.at> Subject: Re: [core] Question about AEAD nonce uniqueness Hi Göran, Jim and Christian Thanks for responding to my question. @Göran: both 1) use EDHOC or 2) generate large random identifiers, are the same thing. How are they any different? I went through EDHOC draft and it says that sender id is S_V which is variable length session identifier (= generate large random identifier). I am afraid simply waving off the problem as out of scope may lead to some (many) inter interoperability issues. If the Sender ID is variable length, different manufacturers may implement it very differently and could cause collision with just 2-3 devices. If they are generated in software at run time, you can still do something about it, but if it is burnt into the device, then there is no way to recover from . At the very least there could be better guidance. I also think it would make sense to have a minimum length specified and some recommendations/guidelines on how it is generated. I would also like to know what are the concrete affects of a collision? --Mohit On 04/11/2017 08:43 AM, Göran Selander wrote: Hello Mohit, Christian and Jim already provided answers, let me just provide pointers to the relevant sections. OSCOAP: — The requirements on the security context parameters are here: https://tools.ietf.org/html/draft-ietf-core-object-security-02#section-3.3 Two methods for establishing unique sender IDs are presented: 1) use EDHOC or 2) generate large random identifiers. The former allows for the use of short sender IDs. Multicast OSCOAP: — In Multicast OSCOAP (Secure group communication for CoAP) the requirements on the security context parameters are here: https://tools.ietf.org/html/draft-tiloca-core-multicast-oscoap-01#section-2 It is the responsibility of the Group Manager to establish and manage the security context, which includes the sender IDs, but how the assignment is done is out of scope. The uniqueness of sender IDs in this draft follows from OSCOAP, but since you asked I think we should add a sentence to this draft stressing that. Göran From: core <core-bounces@ietf.org <mailto:core-bounces@ietf.org> > on behalf of Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com> > Date: Monday 10 April 2017 at 19:09 To: Mohit Sethi <mohit.m.sethi@ericsson.com <mailto:mohit.m.sethi@ericsson.com> >, 'Core' <core@ietf.org <mailto:core@ietf.org> >, "6tisch@ietf.org" <6tisch@ietf.org <mailto:6tisch@ietf.org> > Subject: Re: [core] Question about AEAD nonce uniqueness There is not a problem with dealing with nonce uniqueness in this draft because each entity is going to be assigned to a unique key for transmissions. The transport key is derived from the PSK and the sender ID. Sender IDs will be unique based on the enrollment protocol in the group as each entity will have a unique identifier. Jim From: core [mailto:core-bounces@ietf.org] On Behalf Of Mohit Sethi Sent: Monday, April 10, 2017 4:51 AM To: Core <core@ietf.org <mailto:core@ietf.org> >; 6tisch@ietf.org <mailto:6tisch@ietf.org> Subject: [core] Question about AEAD nonce uniqueness Hi OSCoAP authors I was trying to read the OSCoAP and 6tisch minimal security drafts. I have a question about the AEAD nonce uniqueness. RFC 5116 says that: When there are multiple devices performing encryption using a single key, those devices must coordinate to ensure that the nonces are unique. A simple way to do this is to use a nonce format that contains a field that is distinct for each one of the devices So my obvious question is how is the AEAD nonce uniqueness ensured. The PSK is known to at least two parties (more in case of some uses such as multicast OSCoAP https://tools.ietf.org/html/draft-tiloca-core-multicast-oscoap-01)?? The draft currently says that AEAD Nonce uniqueness is ensured with sequence numbers and sender context which is essentially the sender ID. But how do you ensure that the two parties have different sender ID. Especially since sender ID is not fixed length. I guess there will be other problems in case of sender ID collisions? as Sender IDs are currently used, they are mutually agreed-upon like the rest of the security context (key, algorithm etc); in other words, they are explicitly given to a device by the mechanism that also distributes the key. Best regards Christian -- Christian Amsüss | Energy Harvesting Solutions GmbH founder, system architect | headquarter: mailto:c.amsuess@energyharvesting.at | Arbeitergasse 15, A-4400 Steyr tel:+43-664-97-90-6-39 | http://www.energyharvesting.at/ | ATU68476614
- Re: [core] Question about AEAD nonce uniqueness Christian Amsüss
- [core] Question about AEAD nonce uniqueness Mohit Sethi
- Re: [core] Question about AEAD nonce uniqueness Jim Schaad
- Re: [core] Question about AEAD nonce uniqueness Göran Selander
- Re: [core] Question about AEAD nonce uniqueness Göran Selander
- Re: [core] Question about AEAD nonce uniqueness Jim Schaad
- Re: [core] Question about AEAD nonce uniqueness Mohit Sethi