Re: [core] Question about AEAD nonce uniqueness
Mohit Sethi <mohit.m.sethi@ericsson.com> Thu, 13 April 2017 09:45 UTC
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E70E13147E; Thu, 13 Apr 2017 02:45:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ndiHdTVuNzLL; Thu, 13 Apr 2017 02:45:52 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 089D0131473; Thu, 13 Apr 2017 02:45:51 -0700 (PDT)
X-AuditID: c1b4fb2d-c616898000004c5d-73-58ef48ce6d4e
Received: from ESESSHC012.ericsson.se (Unknown_Domain [153.88.183.54]) by (Symantec Mail Security) with SMTP id 53.67.19549.EC84FE85; Thu, 13 Apr 2017 11:45:50 +0200 (CEST)
Received: from nomadiclab.fi.eu.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.56) with Microsoft SMTP Server id 14.3.339.0; Thu, 13 Apr 2017 11:45:49 +0200
Received: from nomadiclab.fi.eu.ericsson.se (localhost [127.0.0.1]) by nomadiclab.fi.eu.ericsson.se (Postfix) with ESMTP id B053C4EB0B; Thu, 13 Apr 2017 12:48:24 +0300 (EEST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by nomadiclab.fi.eu.ericsson.se (Postfix) with ESMTP id 1E6B84E94F; Thu, 13 Apr 2017 12:48:24 +0300 (EEST)
To: Göran Selander <goran.selander@ericsson.com>, 'Core' <core@ietf.org>, "6tisch@ietf.org" <6tisch@ietf.org>
References: <c31694fe-43db-875d-496a-a9ab3fd3c40f@ericsson.com> <002101d2b21d$3ff5ba30$bfe12e90$@augustcellars.com> <D512297C.7B59D%goran.selander@ericsson.com>
CC: Jim Schaad <ietf@augustcellars.com>, Christian Amsüss <c.amsuess@energyharvesting.at>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <1bc3ed76-245a-f8fe-ae72-a424102ba682@ericsson.com>
Date: Thu, 13 Apr 2017 12:45:48 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <D512297C.7B59D%goran.selander@ericsson.com>
Content-Type: multipart/alternative; boundary="------------3688C8F35B5769A69DBEFCB9"
X-Virus-Scanned: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpmkeLIzCtJLcpLzFFi42KZGbHdTPecx/sIgxVTpCyW3e1jtlh+4TmL xb6365ktVk//zubA4rFxznQ2j6377zJ5LFnykymAOYrLJiU1J7MstUjfLoEro2f3BbaC1mmM Fc2rZzI2MF4v6GLk4JAQMJH49jm3i5GLQ0hgPaNE461tjBDODkaJJS03oZxNjBKfXy1jhXAW Mkr0Xz4E5HByCAtYSNzZc4AdxBYRaGCU2HcbatYSRokZV3rYQBLMAjkSz1feAStiE9CT6Dx3 nBnE5hWwl5hwsIkJxGYRUJXYcWoNC4gtKhAh8bBzFztEjaDEyZlPwOKcApYSnbPvM0LMDJOY uvElWFxCQE3i6rlNYDOFBNQltnYcYJzAKDQLSfssJC0QtoXEzPnnGSFsbYllC18zQ9gaEq1z 5rJD2PISzVtnMy9gZFvFKFqcWlycm25krJdalJlcXJyfp5eXWrKJERg1B7f81t3BuPq14yFG AQ5GJR7eB0bvIoRYE8uKK3MPMUpwMCuJ8F7QAgrxpiRWVqUW5ccXleakFh9ilOZgURLnddh3 IUJIID2xJDU7NbUgtQgmy8TBKdXAuOJp4XQvk+C/0i6ZddfKLvz8F2by63XxZq0lp7/dVlrt /oVhZ8nn9j3NF9q51vkcnDfl3JK+Fad6K6vVfymHfDvy+aqCE9OBPxMUBc7d3+i5jnf2lIaS wIW5S+zm7FLhWKudb7v/YAdHVHJlmu8Fo7IfO+vcvl84znRA59ORICfV76F+M8T5fZRYijMS DbWYi4oTAV0bcC2WAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/wVw6y0PNyyXWk91fs49aLQbXqiY>
Subject: Re: [core] Question about AEAD nonce uniqueness
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2017 09:45:56 -0000
Hi Göran, Jim and Christian Thanks for responding to my question. @Göran: both 1) use EDHOC or 2) generate large random identifiers, are the same thing. How are they any different? I went through EDHOC draft and it says that sender id is S_V which is variable length session identifier (= generate large random identifier). I am afraid simply waving off the problem as out of scope may lead to some (many) inter interoperability issues. If the Sender ID is variable length, different manufacturers may implement it very differently and could cause collision with just 2-3 devices. If they are generated in software at run time, you can still do something about it, but if it is burnt into the device, then there is no way to recover from . At the very least there could be better guidance. I also think it would make sense to have a minimum length specified and some recommendations/guidelines on how it is generated. I would also like to know what are the concrete affects of a collision? --Mohit On 04/11/2017 08:43 AM, Göran Selander wrote: > Hello Mohit, > > Christian and Jim already provided answers, let me just provide > pointers to the relevant sections. > > OSCOAP: > — > The requirements on the security context parameters are here: > https://tools.ietf.org/html/draft-ietf-core-object-security-02#section-3.3 > Two methods for establishing unique sender IDs are presented: 1) use > EDHOC or 2) generate large random identifiers. > The former allows for the use of short sender IDs. > > > Multicast OSCOAP: > — > In Multicast OSCOAP (Secure group communication for CoAP) the > requirements on the security context parameters are here: > https://tools.ietf.org/html/draft-tiloca-core-multicast-oscoap-01#section-2 > It is the responsibility of the Group Manager to establish and manage > the security context, which includes the sender IDs, but how the > assignment is done is out of scope. The uniqueness of sender IDs in > this draft follows from OSCOAP, but since you asked I think we should > add a sentence to this draft stressing that. > > > Göran > > > From: core <core-bounces@ietf.org <mailto:core-bounces@ietf.org>> on > behalf of Jim Schaad <ietf@augustcellars.com > <mailto:ietf@augustcellars.com>> > Date: Monday 10 April 2017 at 19:09 > To: Mohit Sethi <mohit.m.sethi@ericsson.com > <mailto:mohit.m.sethi@ericsson.com>>, 'Core' <core@ietf.org > <mailto:core@ietf.org>>, "6tisch@ietf.org <mailto:6tisch@ietf.org>" > <6tisch@ietf.org <mailto:6tisch@ietf.org>> > Subject: Re: [core] Question about AEAD nonce uniqueness > > There is not a problem with dealing with nonce uniqueness in this > draft because each entity is going to be assigned to a unique key > for transmissions. The transport key is derived from the PSK and > the sender ID. Sender IDs will be unique based on the enrollment > protocol in the group as each entity will have a unique identifier. > > Jim > > *From:*core [mailto:core-bounces@ietf.org] *On Behalf Of *Mohit Sethi > *Sent:* Monday, April 10, 2017 4:51 AM > *To:* Core <core@ietf.org <mailto:core@ietf.org>>; 6tisch@ietf.org > <mailto:6tisch@ietf.org> > *Subject:* [core] Question about AEAD nonce uniqueness > > Hi OSCoAP authors > > I was trying to read the OSCoAP and 6tisch minimal security > drafts. I have a question about the AEAD nonce uniqueness. RFC > 5116 says that: > > When there are multiple devices performing encryption using a single > > key, those devices must coordinate to ensure that the nonces are > > unique. A simple way to do this is to use a nonce format that > > contains a field that is distinct for each one of the devices > > So my obvious question is how is the AEAD nonce uniqueness > ensured. The PSK is known to at least two parties (more in case of > some uses such as multicast OSCoAP > https://tools.ietf.org/html/draft-tiloca-core-multicast-oscoap-01)?? > > The draft currently says that AEAD Nonce uniqueness is ensured > with sequence numbers and sender context which is essentially the > sender ID. But how do you ensure that the two parties have > different sender ID. Especially since sender ID is not fixed > length. I guess there will be other problems in case of sender ID > collisions? > > as Sender IDs are currently used, they are mutually agreed-upon like the > rest of the security context (key, algorithm etc); in other words, they > are explicitly given to a device by the mechanism that also distributes > the key. > > Best regards > Christian > > -- > Christian Amsüss | Energy Harvesting Solutions GmbH > founder, system architect | headquarter: > mailto:c.amsuess@energyharvesting.at | Arbeitergasse 15, A-4400 Steyr > tel:+43-664-97-90-6-39 | http://www.energyharvesting.at/ > | ATU68476614 > >
- Re: [core] Question about AEAD nonce uniqueness Christian Amsüss
- [core] Question about AEAD nonce uniqueness Mohit Sethi
- Re: [core] Question about AEAD nonce uniqueness Jim Schaad
- Re: [core] Question about AEAD nonce uniqueness Göran Selander
- Re: [core] Question about AEAD nonce uniqueness Göran Selander
- Re: [core] Question about AEAD nonce uniqueness Jim Schaad
- Re: [core] Question about AEAD nonce uniqueness Mohit Sethi