[dnssd] shared public-key vs bi-directional shared public-key
Mohit Sethi M <mohit.m.sethi@ericsson.com> Sat, 03 November 2018 03:36 UTC
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 195EF130E09 for <dnssd@ietfa.amsl.com>; Fri, 2 Nov 2018 20:36:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.771
X-Spam-Level:
X-Spam-Status: No, score=-4.771 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=dpc76b7x; dkim=pass (1024-bit key) header.d=ericsson.com header.b=lajonTVi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C0BlBB32D5pW for <dnssd@ietfa.amsl.com>; Fri, 2 Nov 2018 20:36:13 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E1351277C8 for <dnssd@ietf.org>; Fri, 2 Nov 2018 20:36:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1541216171; x=1543808171; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=MPWX4V9rLv0/ooonDoUBCouS+VhiH0ra4ct+wKrLgXU=; b=dpc76b7x2K8Ek9EZ+YHpt7CYMuFzvRPf3owrTlvDM71+tH0xF9890F2Ul06SKltx VDkzIdQTda1XTvpYEor/CQqVwfmlgxw+z+QJW1gNEbQFBLj+AkEoka2TfXAXhByE rMiH41k4qjk0BAacjRCzN8juwvKDpC5PMyeDi1RLxTE=;
X-AuditID: c1b4fb3a-9c3ff700000063b1-3c-5bdd17ab5757
Received: from ESESBMB502.ericsson.se (Unknown_Domain [153.88.183.115]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id B5.19.25521.BA71DDB5; Sat, 3 Nov 2018 04:36:11 +0100 (CET)
Received: from ESESSMR503.ericsson.se (153.88.183.112) by ESESBMB502.ericsson.se (153.88.183.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Sat, 3 Nov 2018 04:36:10 +0100
Received: from ESESBMB504.ericsson.se (153.88.183.171) by ESESSMR503.ericsson.se (153.88.183.112) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Sat, 3 Nov 2018 04:36:11 +0100
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB504.ericsson.se (153.88.183.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Sat, 3 Nov 2018 04:36:10 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MPWX4V9rLv0/ooonDoUBCouS+VhiH0ra4ct+wKrLgXU=; b=lajonTViYADXXNMxCEzvpO3KgBw4mOr71PXheafNmVsgxKDSk+hCkVbJvWjyLJ0JIwtedczp3yojA/FmGIk7d1DvVmEiF4J2PxoZGaSHTyDwvWuEdBdM9AatpSykR9qqafQKrU+RMtNKwCBQ9TQyP1MccLdGpa4rv1RjVXri7FA=
Received: from VI1PR07MB4717.eurprd07.prod.outlook.com (20.177.54.82) by VI1PR07MB4110.eurprd07.prod.outlook.com (52.134.21.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.15; Sat, 3 Nov 2018 03:36:09 +0000
Received: from VI1PR07MB4717.eurprd07.prod.outlook.com ([fe80::8412:d8ae:dfa0:c61f]) by VI1PR07MB4717.eurprd07.prod.outlook.com ([fe80::8412:d8ae:dfa0:c61f%4]) with mapi id 15.20.1294.027; Sat, 3 Nov 2018 03:36:09 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: "dnssd@ietf.org" <dnssd@ietf.org>
Thread-Topic: shared public-key vs bi-directional shared public-key
Thread-Index: AQHUcyZc9/bI6EZ0ekqJ/p2KETL/Mw==
Date: Sat, 03 Nov 2018 03:36:09 +0000
Message-ID: <9e7a0f41-9277-a0d7-a22a-144d10b145e8@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
x-originating-ip: [89.166.49.243]
x-clientproxiedby: AM6PR0202CA0064.eurprd02.prod.outlook.com (2603:10a6:20b:3a::41) To VI1PR07MB4717.eurprd07.prod.outlook.com (2603:10a6:803:69::18)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mohit.m.sethi@ericsson.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR07MB4110; 6:jgg0WywkFCxPHBG5eCH0c+gDH4ezptg6WX1ifIYhglC1Ch7yyzxP1JoPdmRfvDrSdGko4jpg1FgOW/YfIx8eYz5jLOThZYreCi4YRKjxYbCo8qMFhNGUO/IozRUceWV6eKf/lQGkGBzS6M1sHa1dhnV6zb8Fm0+gNaou8ybo86P9KUeOgJbleAaPqhOWTvwlituX5lbcXtvp4NEp8m/DNsIaPHySHlXvHQBD1OQl9gyFL6J92On2p1cH7Q7GkCoTTa9wqompxjGWHbNbE97xQLLXOByEjh+TOQqd7Le4pkvBLkuEv6l6hOv4Cf5bPUBewW2t/Bs4ZxBb5EPo348oDy4rilFR25JJ4rcP0iDF6TH4hCUpZwQq1kkxQIx+k9RSiPmOt9kqLyRpU4ZCcPPTQM0Mb6+09E1mHy/LK/eQxdWgDiOLRznlFxslKMdtJ/mOOlAtSX+rzu3hKMLXW5xHQQ==; 5:Giif/F40ybRbNyMu0QohLx4XUHdNNzRBju4CbFNOsMCzdJF5NLKd9uH94l5Y63tNbkD9aA3qvTILsFwuaQ6xd/9r6dF33ruz7QL36HusLU2+euqCgVvdVJSblxsQxI/CnGBStdIu8BIQxV4/1FzWX7woYXoyO9UZsna8uPSxa40=; 7:VkYaCS2QZUfLP8MW4H8Pq3AntiUfCPwaSBXcy8UU/yukDzg9jDIA1wD+iJ9xDxkWqgt8clmRAZRQjOg4Uce6vOYmf0VRq+0umFIeuyzKZIZColGDjJTQ7QNKt75/GaoIoeRtv4QQfm0yZoLpZofpOg==
x-ms-office365-filtering-correlation-id: 5d01ffe5-0392-4f40-97a7-08d6413d7dcc
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:VI1PR07MB4110;
x-ms-traffictypediagnostic: VI1PR07MB4110:
x-microsoft-antispam-prvs: <VI1PR07MB41105461EA31646E6CFA9A68D0C80@VI1PR07MB4110.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(190756311086443);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3231382)(944501410)(52105095)(3002001)(10201501046)(93006095)(93001095)(148016)(149066)(150057)(6041310)(20161123558120)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(201708071742011)(7699051)(76991095); SRVR:VI1PR07MB4110; BCL:0; PCL:0; RULEID:; SRVR:VI1PR07MB4110;
x-forefront-prvs: 08457955C4
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(346002)(376002)(136003)(396003)(39860400002)(199004)(189003)(65956001)(36756003)(99286004)(7736002)(14454004)(256004)(14444005)(105586002)(3846002)(486006)(2616005)(6116002)(58126008)(476003)(106356001)(53936002)(2906002)(305945005)(5660300001)(1730700003)(81166006)(81156014)(2900100001)(52116002)(65806001)(65826007)(8936002)(8676002)(6486002)(64126003)(25786009)(71200400001)(2501003)(31696002)(316002)(478600001)(6916009)(386003)(6506007)(71190400001)(2351001)(97736004)(186003)(68736007)(31686004)(66066001)(5640700003)(86362001)(102836004)(26005)(6512007)(6436002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB4110; H:VI1PR07MB4717.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: QoNAtXZEFlL8fC/xbRGoP0SX42iOcrZCEHAx80LKPArtvyMJC7KJwpNYvPOq4CBjfDtU4Us1U4kIU8zq4cLS7eRKPpbqDlL8IJhXPGjCOO0cd0MXkvSBLqZgaZ3RLymUTgUHUZsXj9zgIhiAJSYUD8x5Kcf0cTF/oPjSrUe+xlDar7cNTS8KnW8Rr8QCcEUFL6Wpn2iP07lqooMse1AHpK5QFVb7xdvPHWlvwnQOxxZYo/RpL9PasuH8kc98zRtGznnigQxzPuGchKzfOIe/2A5XP73yM9mkDJ5q5uVQf8pJqxQf4jzNq2Aj7WhpBbh22tpJQ0QNTNCFDuKwDahiO7/QnWKIw8RnKwa39u9nO/0=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <C22A7EC050EB60469A1B31778F56E676@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 5d01ffe5-0392-4f40-97a7-08d6413d7dcc
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Nov 2018 03:36:09.8508 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB4110
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupkleLIzCtJLcpLzFFi42KZGbG9WHe1+N1og85NIhbvl85idGD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxrFv25gLHklWPPv3kbGBsUeyi5GTQ0LARGLtxznMXYxcHEIC RxglJt57wAjhfGWU+HrhOTOcM3tpCxuEs5hJ4vjn1SwgDovABGaJM0veQfVMYJKY1vAIquch o8S73ZOZQdawCRhITJ6ygh3EFhFQleidc4oJxBYWsJO4/OgRI0TcWWJ6+0QmCFtP4sK3W2D1 LAIqEj27foDZvAL2EgcX/QGzGQXEJL6fWgNWzywgLnHryXwmiJcEJJbsOc8MYYtKvHz8jxXE FhWIkGg++ZcFIq4ocfbdQyaQQyUEZjJK/Gn9xwYxNFbiw/9+qEE6EmevP2GEsGUlLs3vhrKv sUmcOmoHYftKvO45xggx6DijxLeVc6A2a0l8e3mFHcLOlmjo2QM11Friwtc+qBo5iVW9D1km MBrNQvLELEYOIFtTYv0ufYiwh8Tqj5PZIGxFiSndD9lngcNCUOLkzCcsCxhZVzGKFqcWF+em GxnppRZlJhcX5+fp5aWWbGIEJpCDW35b7WA8+NzxEKMAB6MSD6+u6N1oIdbEsuLK3EOMEhzM SiK8X1rvRAvxpiRWVqUW5ccXleakFh9ilOZgURLndUqziBISSE8sSc1OTS1ILYLJMnFwSjUw sqUnOvjdm8i0v5rv0C/Bmg7jM6v+/tooorCQ72LetvAfr9N2LRQ+ox39lGnbNk+P0gumdheX 71zqNmNW6Ke74VOMT3o6ah19taAlVynDcvkF3o8vvJR/7TC6yFJuv/xFiNVVltsfv5T4HjmW vKbg3dTSjVx8awwdb+clcIh+eykcWBa+88ntTCWW4oxEQy3mouJEAEnemy4cAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/oXIxUweeo9_yKqwaGw_92OAGzYg>
Subject: [dnssd] shared public-key vs bi-directional shared public-key
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2018 03:36:15 -0000
Hi DNSSD, At the IETF 102 meeting, Stuart was presenting the various options for service discovery. One of the bullets on his slides was shared public-key. I was at the mike asking questions about what is meant by service discovery with shared public-key. I was explicitly interested to understand what this would mean in practice? I had understood the shared public-key mode for discovery as follows: a printer in a shared office will have a QR code containing its public-key (or possibly a hash of the public-key to reduce the amount of encoded information in the QR code). Anybody that wishes to discover the printer, would first scan the QR code to obtain the public-key of the printer. However, this would not prevent a rogue invasive attacker from creating a database of public-key mappings to actual devices (and services offered by the device). This is analogous to war-driving for free Wi-Fi networks. A database containing the long-term public-key of the printer would allow an invasive person to monitor the network for messages containing the printers long-term public-key (or messages signed with the corresponding private-key). Whenever an innocent user tries to use the device (and its services), the invasive attacker would be able to observe this behavior. This might be acceptable in some cases (admittedly not all). But someone responded at the mike line that I was incorrect and that you can indeed derive a Diffie-Hellman shared secret (to secretly discover a service) without ever sending any of the long-term public keys on the network. I believe they were referring to the ideas presented in draft-bradley-dnssd-private-discovery-00. But this draft does not follow "shared public-key" model. It follows what would correctly be called as "bi-directional shared public-keys". The draft assumes that both the communicating parties have each others long term public-key. This would limit some use-cases. I can easily find the printers long-term public key by scanning a QR code. But how do I tell the printer long term public keys of my laptop or phone? It would be nice if each draft presenting a solution could give a concrete example on how would you use the solution in the real-world. I will send a more technical review of draft-bradley-dnssd-private-discovery-00 in a separate email. --Mohit
- [dnssd] shared public-key vs bi-directional share… Mohit Sethi M