Re: [core] Question reg. draft-fossati-tls-iot-optimizations-00
"Kraus Achim (INST/ESY1)" <Achim.Kraus@bosch-si.com> Wed, 02 November 2016 08:27 UTC
Return-Path: <Achim.Kraus@bosch-si.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FE0C129490 for <core@ietfa.amsl.com>; Wed, 2 Nov 2016 01:27:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2zhIsavXV4Ii for <core@ietfa.amsl.com>; Wed, 2 Nov 2016 01:27:11 -0700 (PDT)
Received: from smtp6-v.fe.bosch.de (smtp6-v.fe.bosch.de [IPv6:2a03:cc00:ff0:100::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CA0E12947D for <core@ietf.org>; Wed, 2 Nov 2016 01:27:11 -0700 (PDT)
Received: from vsmta11.fe.internet.bosch.com (unknown [10.4.98.51]) by imta24.fe.bosch.de (Postfix) with ESMTP id 4F1D1D80141 for <core@ietf.org>; Wed, 2 Nov 2016 09:27:08 +0100 (CET)
Received: from IMBVW2EXC00.bosch-si.com (vsgw24.fe.internet.bosch.com [10.4.98.24]) by vsmta11.fe.internet.bosch.com (Postfix) with ESMTP id 3043B2380C38 for <core@ietf.org>; Wed, 2 Nov 2016 09:27:06 +0100 (CET)
Received: from IMBPW2EXD01.bosch-si.com ([fe80::d052:f355:928e:e5ba]) by IMBVW2EXC00 ([10.55.1.51]) with mapi id 14.03.0319.002; Wed, 2 Nov 2016 09:27:35 +0100
From: "Kraus Achim (INST/ESY1)" <Achim.Kraus@bosch-si.com>
To: "core@ietf.org WG" <core@ietf.org>
Thread-Topic: Question reg. draft-fossati-tls-iot-optimizations-00
Thread-Index: AQHSNNrUQiFxM4jxF0uf7wXxo8NqTKDFWrQA
Date: Wed, 02 Nov 2016 08:27:34 +0000
Message-ID: <BC36447FF5C62E46BEF3F124D3C1E8925E1F5E2C@imbpw2exd01.bosch-si.com>
References: <1478071732.8543.7.camel@bosch-si.com>
In-Reply-To: <1478071732.8543.7.camel@bosch-si.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.55.144.83]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1679-8.0.0.1202-22672.006
X-TMASE-MatchedRID: 3z7rH9YwHvXvXvInwhwK20K9qlwiTElfloP1dU1/5qOvloAnGr4qhj+z j3UoOhXMxjDxAMHu36bMUkPBkCEgxMbD4aZzngQU4nbwqqmOd2limi8LvNfmr3N4oJrDvdmB1xx lkjjIEL6C6m6j2cLF1OJlF/XBwGkWWCWxk51Kgn2db+Vq50kV4fmwbeWo3QuHCmZiYUUf05hqeZ +AzBMmzfnLgYpU4F/+4GwRH+lp7hqC1GdE5oylhARH1Nr7oERdBdebOqawiLtiZCTkFQiKcJY50 t4a+3g5FhWRAFBi/VVhjdPZ6iZcXJYH0xdtbvBRk3rl+MaNgxCSDmRgJT2o+XN5v6KtpQytWU4P VaxZEWP+cTYjc30iLS83Rst4LUB+mNrlAIQG7r/bNDWQseUeZSpMx3IbK4vmI2Nwy9MUiPchiFc gVFf3EL/nxCbgY4kQ0EoWQgt6rV8pz7oBrDd6eeor0PKDup1CIaLR+2xKRDLIvQIyugvKdfpGcU VZJmzPmuPiXafpzwvcnJHktq8LPVSd3xC25Fno+cKX6yCQ13tA5wWZjBcA8lwO3q59vT+EOlt91 MBw1ebi8zVgXoAltj2Xsf5MVCB1jaPj0W1qn0SQZS2ujCtcuA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/ubhXG70q5Rj8bcnWMDWFBT9ui-Q>
Subject: Re: [core] Question reg. draft-fossati-tls-iot-optimizations-00
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 08:27:13 -0000
Hi Kai, I posted a related question also on the tls mailing list. https://www.ietf.org/mail-archive/web/tls/current/msg21737.html "Dear Authors, draft-fossati-tls-iot-optimizations-00 mentions in 4.2, page 5, a hash chain (Lampert, "Password Authentication with Insecure Communication"). Would it be possible, to get more details about that approach? In my opinion, DTLS needs a connection id, the record is usually secured by the MAC. So the hash chain providing a "password" seems for me to rely on a "identity", for which the "password" should be verified. But that identity is missing and the verification is done with the MAC. Use this in reverse, I could think of something as: connection hash := H ^ record.sequence_number (connection id) So with an incoming record {sequence_number, connection hash} you may look up, if "connection ids" hashed "sequence_number" times results in the provided "connection hash" and then you may verify, if one of the candidates will verify with the MAC. Even with defining a "sequence number window" to exclude "faraway" sessions, I'm not sure, how such an approach would scale for a large number of session. So could you please provide your ideas about that hash chain?" So hopefully we get some clarification on that issue, even if the main focus in tls right now seems to be tls 1.3. Mit freundlichen Grüßen / Best regards Achim Kraus Bosch Software Innovations GmbH Communications (INST/ESY1) Stuttgarter Straße 130 71332 Waiblingen GERMANY www.bosch-si.de www.blog.bosch-si.com Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 148411 B Executives: Dr.-Ing. Rainer Kallenbach; Michael Hahn -----Ursprüngliche Nachricht----- Von: core [mailto:core-bounces@ietf.org] Im Auftrag von Hudalla Kai (INST/ESY1) Gesendet: Mittwoch, 2. November 2016 08:29 An: core@ietf.org Betreff: [core] Question reg. draft-fossati-tls-iot-optimizations-00 Hi list, I have attended last week's meeting of the T2T RG in Ludwigsburg where we had a vivid discussion around the problems of DTLS on mobile and other NATed networks where the device's IP address and/or port are expected to change once in a while. We quickly came to the conclusion that the CoAP spec will need to be changed in a way that removes the transport's addressing information from the Request/Response matching criteria when using DTLS. However, what alternative mechanism could be used instead? Section 4.2 of draft-fossati-tls-iot-optimizations-00 proposes to use a connection ID as part of the DTLS record structure. While I understand the usefulness of using a "long term identifier" for associating the session with the client, I do not really understand, how a "hash chain" could be put to use in this context to provide an improved level of privacy. Could someone (of the authors) comment on that? -- Mit freundlichen Grüßen / Best regards Kai Hudalla Chief Software Architect Bosch Software Innovations GmbH Schöneberger Ufer 89-91 10785 Berlin GERMANY www.bosch-si.com Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 148411 B; Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn _______________________________________________ core mailing list core@ietf.org https://www.ietf.org/mailman/listinfo/core
- [core] Question reg. draft-fossati-tls-iot-optimi… Hudalla Kai (INST/ESY1)
- Re: [core] Question reg. draft-fossati-tls-iot-op… Kraus Achim (INST/ESY1)
- Re: [core] Question reg. draft-fossati-tls-iot-op… Fossati, Thomas (Nokia - GB)
- Re: [core] Question reg. draft-fossati-tls-iot-op… Kraus Achim (INST/ESY1)
- Re: [core] [ALU] Re: Question reg. draft-fossati-… Fossati, Thomas (Nokia - GB)
- Re: [core] [ALU] Re: Question reg. draft-fossati-… Kraus Achim (INST/ESY1)
- Re: [core] [ALU] Re: Question reg. draft-fossati-… Hudalla Kai (INST/ESY1)
- Re: [core] Question reg. draft-fossati-tls-iot-op… Simon Bernard
- Re: [core] Question reg. draft-fossati-tls-iot-op… Kraus Achim (INST/ESY1)
- Re: [core] [ALU] Re: Question reg. draft-fossati-… Fossati, Thomas (Nokia - GB)
- Re: [core] [ALU] Re: Question reg. draft-fossati-… Fossati, Thomas (Nokia - GB)
- Re: [core] Question reg. draft-fossati-tls-iot-op… Simon Bernard
- Re: [core] [ALU] Re: Question reg. draft-fossati-… Simon Bernard
- Re: [core] Question reg. draft-fossati-tls-iot-op… Hannes Tschofenig
- Re: [core] [ALU] Re: Question reg. draft-fossati-… Hudalla Kai (INST/ESY1)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Fossati, Thomas (Nokia - GB)
- Re: [core] Question reg. draft-fossati-tls-iot-op… Simon Bernard
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Simon Bernard
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Fossati, Thomas (Nokia - GB)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Kraus Achim (INST/ESY1)
- Re: [core] [ALU] Re: [ALU] Re: [ALU] Re: Question… Fossati, Thomas (Nokia - GB)
- Re: [core] [ALU] Re: Question reg. draft-fossati-… Pascal Thubert (pthubert)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Hudalla Kai (INST/ESY1)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Fossati, Thomas (Nokia - GB)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Hudalla Kai (INST/ESY1)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Carsten Bormann
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Hudalla Kai (INST/ESY1)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Carsten Bormann
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Kraus Achim (INST/ESY1)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Hudalla Kai (INST/ESY1)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Fossati, Thomas (Nokia - GB)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Simon Bernard
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Hudalla Kai (INST/ESY1)
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Simon Bernard
- Re: [core] [ALU] Re: [ALU] Re: Question reg.draft… Hudalla Kai (INST/ESY1)