IETF Logo Mail Archive

Re: [Dtls-iot] FW: New Version Notification for draft-keoh-dice-multicast-security-08.txt

Michael StJohns <msj@nthpermutation.com> Tue, 08 July 2014 19:03 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CE851A04A7 for <dtls-iot@ietfa.amsl.com>; Tue, 8 Jul 2014 12:03:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2pB6zNAbb5to for <dtls-iot@ietfa.amsl.com>; Tue, 8 Jul 2014 12:03:13 -0700 (PDT)
Received: from mail-qc0-f169.google.com (mail-qc0-f169.google.com [209.85.216.169]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6087E1A02D8 for <dtls-iot@ietf.org>; Tue, 8 Jul 2014 12:03:13 -0700 (PDT)
Received: by mail-qc0-f169.google.com with SMTP id i17so1443334qcy.14 for <dtls-iot@ietf.org>; Tue, 08 Jul 2014 12:03:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=+6xX8R+SPdayId+VN3FZDVZ7oHyvx3eqgYtcuZrpzx0=; b=dzSV3vtpUXjP69h3K2EJdt1qHacq9AASK/PvO1dx90K8qZ1a8v5fgqWjkuhdDzofoB OEVrTX36Z8bcNpEKXvkBnxEmeMK8VCCSDqwQ+7pJc64gcd7CxoLtx0xZZWuNpfgv1raq zuCfVaZvmWrGXIClrEnRg61KCPvQR1K61wDo/otBwuaYHY13uDoV+OKc+8oQdtWRifAe rexujr22jhs/Vopdr11oVVGOqwmfmcdzikzDdxvLeuYwDgZxc7stzmdGqfYfsk726KmG Nt48YSacihYpeHIgaJbVQW4mhwlT5zjO9+qPbKkm64Yo+4/ilvuI33iRs2P3yOk80mAq zEDA==
X-Gm-Message-State: ALoCoQk6wLHQWbKRC477prt2RYDyXnr1ar3odT6V3XRv5xNCr7b7mZU4D1yP0+i0KmtoXCHPPIZE
X-Received: by 10.140.80.49 with SMTP id b46mr56794352qgd.102.1404846192595; Tue, 08 Jul 2014 12:03:12 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:390:712e:cb82:d532:4307? ([2601:a:2a00:390:712e:cb82:d532:4307]) by mx.google.com with ESMTPSA id z11sm5473933qaz.45.2014.07.08.12.03.12 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 08 Jul 2014 12:03:12 -0700 (PDT)
Message-ID: <53BC4076.9020409@nthpermutation.com>
Date: Tue, 08 Jul 2014 15:03:18 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Carsten Bormann <cabo@tzi.org>
References: <20140703125443.15822.61762.idtracker@ietfa.amsl.com> <BE6D13F6A4554947952B39008B0DC0153E7CB29C@DBXPRD9003MB059.MGDPHG.emi.philips.com> <53BAC656.7010008@nthpermutation.com> <BE6D13F6A4554947952B39008B0DC0153E7CF9CC@DBXPRD9003MB059.MGDPHG.emi.philips.com> <53BC051D.9000907@nthpermutation.com> <0D0BF288-244F-46A8-9BD3-53A79C7B9525@tzi.org> <53BC12A1.7070602@nthpermutation.com> <79DC6CBB-9738-4197-8983-39DEB83C737C@tzi.org>
In-Reply-To: <79DC6CBB-9738-4197-8983-39DEB83C737C@tzi.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/dtls-iot/FBlWkBQGhLGMRKT8zlQWyrgkQ5M
Cc: "Kumar, Sandeep" <sandeep.kumar@philips.com>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
Subject: Re: [Dtls-iot] FW: New Version Notification for draft-keoh-dice-multicast-security-08.txt
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jul 2014 19:03:15 -0000

Hi Carsten - inline.

On 7/8/2014 12:04 PM, Carsten Bormann wrote:
> I consider a definition of (integrity) protection more useful that figures in the attacker.
> If an attacker can steal a lamp out of my home and tamper with it, I probably have larger issues than whether they can do some morse code on my lights.  (If they can “hack” it, they already can do the morse code thing.)
> So, yes, I consider group keying to provide integrity protection — against attackers outside the group.

If I can hack an individual light to turn it on and off, I can hack it 
to hand over the key material.  I can then turn on and off all of the 
lights in the group.

The attacker may start outside the group - its just that the security of 
the group is that of the least secure device making it trivial for the 
attacker to be "inside" the group as far as key material.

Also, unless I'm mistaken,  the usage case for lighting isn't limited to 
personal residences (nor can that limitation be enforced in the 
protocol), but also (and probably more commonly) to commercial 
buildings.  Even 1 mesh controlled light in a public access space makes 
you vulnerable to someone walking off with the light.

>
>> application-based group keying is still significant progress for those cases where the attack model doesn’t rule out group keying.
>>
>> The use cases where this works all seem to involve a secure processing element and that's not exactly within the DICE charter.
> Tamper-proofing is not required for the above use case.

If the key is not kept in storage not available to the general purpose 
processor running the node, then hacking the node allows the hacker to 
extract the key.

The hack can be physical (e.g. unscrew the lightbulb and take it with 
you and then plug it into a flash reader), or OTA (smash that stack!!).

I'm assuming you're using "tamper-proofing" where I used "secure 
processing element" - you don't necessarily need tamper-proofing (or 
even tamper detection), but you do need a way to keep the key from being 
extracted and that has to exist in each and every node, otherwise it's 
trivial to hack the mesh.

>
>> The most successful group keying system I'm aware of is pay TV (either satellite or cable).  Those systems - obviously - use a secure processing element (e.g. smart card or built in) to manage group keys and decryption based on credentials.
> This has a quite different attack model — here you hand over the entire environment (smart card, decoder) to any interested attacker.  This is not the case we are interested in.

In the pay tv environment, you've got millions of devices available to 
be hacked either remotely or physically.  In the lighting control case 
you've got 100s of lightbulbs (in one building, 100's of 1000's in many 
buildings) available to be hacked either remotely or physically.  Not 
sure I understand why the attack models are different.

The *threat* model for lightbulbs may generate less concern than the 
threat model for pay TV because the value of hacking lightbulbs may be 
less - but that is not a general property of all systems that might 
possibly use symmetric key multicast DTLS.  Even then, hacking a 
building's lighting control system is going to generate enough interest 
that it will be done and probably in a spectacular fashion.


Mike

>
>> I literally can't think of a use case without an SPE where the attack model doesn't rule out group keying for integrity protection and most attack models for most use cases rule it out for confidentiality.
> See above.
>
> Grüße, Carsten
>

v2.23.0 | Report a Bug | By Email