IETF Logo Mail Archive

Re: [Dtls-iot] FW: New Version Notification for draft-keoh-dice-multicast-security-08.txt

"Kumar, Sandeep" <sandeep.kumar@philips.com> Thu, 10 July 2014 08:12 UTC

Return-Path: <sandeep.kumar@philips.com>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 214EF1B27AD for <dtls-iot@ietfa.amsl.com>; Thu, 10 Jul 2014 01:12:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AEuWEMihJlnu for <dtls-iot@ietfa.amsl.com>; Thu, 10 Jul 2014 01:11:58 -0700 (PDT)
Received: from emea01-db3-obe.outbound.protection.outlook.com (mail-db3lp0082.outbound.protection.outlook.com [213.199.154.82]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 672C81B27A8 for <dtls-iot@ietf.org>; Thu, 10 Jul 2014 01:11:57 -0700 (PDT)
Received: from DBXPR04CA001.eurprd04.prod.outlook.com (10.255.191.149) by AM2PR04MB0625.eurprd04.prod.outlook.com (25.160.32.151) with Microsoft SMTP Server (TLS) id 15.0.985.8; Thu, 10 Jul 2014 08:11:53 +0000
Received: from DB3FFO11FD041.protection.gbl (2a01:111:f400:7e04::189) by DBXPR04CA001.outlook.office365.com (2a01:111:e400:9800::21) with Microsoft SMTP Server (TLS) id 15.0.985.8 via Frontend Transport; Thu, 10 Jul 2014 08:11:53 +0000
Received: from mail.philips.com (206.191.240.52) by DB3FFO11FD041.mail.protection.outlook.com (10.47.217.72) with Microsoft SMTP Server (TLS) id 15.0.980.11 via Frontend Transport; Thu, 10 Jul 2014 08:11:53 +0000
Received: from DBXPRD9003MB059.MGDPHG.emi.philips.com ([169.254.7.47]) by DBXPRD9003HT002.MGDPHG.emi.philips.com ([141.251.25.207]) with mapi id 14.16.0459.000; Thu, 10 Jul 2014 08:11:35 +0000
From: "Kumar, Sandeep" <sandeep.kumar@philips.com>
To: Michael StJohns <msj@nthpermutation.com>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
Thread-Topic: [Dtls-iot] FW: New Version Notification for draft-keoh-dice-multicast-security-08.txt
Thread-Index: Ac+bXmuNuSAgF/SmS0ikwh51CozPeA==
Date: Thu, 10 Jul 2014 08:11:34 +0000
Message-ID: <BE6D13F6A4554947952B39008B0DC0153E7D0EC0@DBXPRD9003MB059.MGDPHG.emi.philips.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [194.171.252.100]
Content-Type: multipart/alternative; boundary="_000_BE6D13F6A4554947952B39008B0DC0153E7D0EC0DBXPRD9003MB059_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:206.191.240.52; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(428002)(24454002)(199002)(189002)(479174003)(377454003)(13464003)(55904004)(374574003)(85714005)(51704005)(95666004)(92726001)(21056001)(92566001)(64706001)(106466001)(107886001)(20776003)(107046002)(74662001)(74502001)(31966008)(55846006)(80022001)(81156004)(66066001)(85306003)(77096002)(71186001)(81342001)(81542001)(104016003)(105586002)(83322001)(19580405001)(6806004)(83072002)(50986999)(86362001)(54356999)(33656002)(97736001)(85852003)(19580395003)(84676001)(87936001)(84326002)(2656002)(15975445006)(44976005)(69596002)(68736004)(15202345003)(99396002)(101416001)(46102001)(19300405004)(512954002)(4396001)(79102001)(16236675004)(77982001)(76482001)(19625215002)(567094001); DIR:OUT; SFP:; SCL:1; SRVR:AM2PR04MB0625; H:mail.philips.com; FPR:; MLV:sfv; PTR:ErrorRetry; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:
X-Forefront-PRVS: 0268246AE7
Received-SPF: None (: philips.com does not designate permitted sender hosts)
Authentication-Results: spf=none (sender IP is 206.191.240.52) smtp.mailfrom=sandeep.kumar@philips.com;
X-OriginatorOrg: philips.com
Archived-At: http://mailarchive.ietf.org/arch/msg/dtls-iot/LReVL0tbGnbYs8pktYbf1ll4bec
Subject: Re: [Dtls-iot] FW: New Version Notification for draft-keoh-dice-multicast-security-08.txt
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jul 2014 08:12:03 -0000

Hi Mike

See inline

From: Michael StJohns [mailto:msj@nthpermutation.com]
Sent: Tuesday, July 08, 2014 5:24 PM
To: Kumar, Sandeep; dtls-iot@ietf.org
Subject: Re: [Dtls-iot] FW: New Version Notification for draft-keoh-dice-multicast-security-08.txt

On 7/8/2014 8:26 AM, Kumar, Sandeep wrote:

Hi Mike



See inline



> -----Original Message-----

> From: dtls-iot [mailto:dtls-iot-bounces@ietf.org] On Behalf Of Michael

> StJohns

>

> In the interim,

> https://datatracker.ietf.org/doc/draft-kumar-dice-groupcomm-security/

> has been submitted.  That document shares a lot of the same boilerplate text

> as this document and I thought it was headed in the direction of defining

> public key mechanisms at the COAP layer rather than something at the DTLS

> layer, but it seems to have mostly restated this document with a few

> paragraphs on why public key is too expensive and *maybe* moving the

> symmetric key secure multicast problem to the COAP layer (but even that's

> unclear).

>

[SK] I do not understand what you are referring to but draft-kumar-dice-groupcomm-security

clearly includes the public key options. The SIG field in Figure 2 and Figure 3 are the

public key signatures. This is exactly what we had discussed offline in London on how such a solution would look like.

The symmetric key MAC was also mentioned at the mike in London as being useful for DoS protection.

Confidentiality does not even come into picture if you choose a ciphersuite which has no encryption

Hi Sandeep -

I probably was a bit too harsh on my comments, but I got there from:
[SK] Indeed I would prefer if there were concrete comments which are constructive

o Section 4.3 which is basically arguing that PK is too expensive and complex.
[SK] Section 4.3 says only this about PK "This draft use more computationally
   intensive operations based on PKC for each and every individual
   message.  This can be quite demanding on many cheap IoT devices which
   have strong memory and power constraints."
Do you find this statement wrong!?

o Section 4.2 which suggests that PK might be better done as part of DTLS (shim layer).

[SK]I don't see where I suggest the shim layer to be a better solution here.
I just want to make clear that if changes to CoAP are not feasible then the same operations can be performed in a shim layer.
It need not be the DTLS (but not because of a technical reason but because Ekr does not prefer it) and can be completely different (and also call it completely different )

o Section 3.2 which is mostly what you need to do symmetric key multicast only slightly modified for PK.
[SK] I really don't see where you are going here. This is a solution which needs PK to enable source authenticity.
The SK is for other reasons and we can debate what additional value it brings in constrained environments. As already explained in the draft, the SK based MAC would enable a first level of basic checking if the message originated within the group before starting the more expensive PK verification. Yes the key may be stolen easily, but then the receivers see a strange MAC verification success and a PK verification fail to raise an alarm and get the MAC key changed. Does it provide additional value if there was no MAC? Yes since receivers would always perform a DoS PK verification compared to a smaller time window (from MAC key compromise and then getting changed). This can mean a lot for devices that need to run on batteries for years. Why not use link layer security, read below.

o Section 6. which is all about the issues with symmetric key confidentiality rather than discussing PK source and integrity.

[SK] Yes because SK has more issues and I still need to detail out PK design to make any concrete list of issues here. Note that this is a first straw-man draft for discussion as was indicated in IETF London.

Overall I think I saw this document somewhere before without any of the PK stuff in it, but I can't place it.  And this document really does share a lot in common with draft-keoh....
[SK] draft-keoh contains a lot of valuable feedback from others both within IETF and outside. Even things related to proxy and how responses are to be handled have similarities independent of the underlying security primitive. I would rather take those feedback than start from blank.

What I was hoping for based on our discussions was a draft that described only PK source auth  and integrity at the CoAP level without mixing in any of the symmetric key issues.    And that was actually an implementation spec or closer to one (e.g. here's the actual format for how you encapsulate signatures with CoAP and here's the backwards compatibility issues), and here's what gets signed.  And here's how it gets verified.  And here's how it gets placed in a groupcomm message.
[SK] I am afraid but my recollection of the discussion was that PK needs to performed on the appropriate fields and added at the appropriate location to enable source authenticity. And in any case this is an individual contribution to the discussion, it will be up to the WG to decide if SK is needed. I will strongly support keeping it in.

Finally, a PK signed CoAP message shouldn't have any special handling considerations - it gets sent either unicast or multicast like any other CoAP message.  The receiving node makes a decision on whether to act on the contents of the message based on the identity of the sender and whether the message verifies.
[SK]Yes sounds straightforward on paper, but I prefer that the more experienced CoAP folks look at it and help detail the solution. This is of course depending on how the WG wants to proceed.

With respect to the symmetric key multicast stuff - it continues to be a red herring.  If you provide link layer security for your IOT mesh, (which can be done as a two-party symmetric key system), you get as much or more privacy protection that you get if you try and do symmetric key at the multicast level.  The DOS protection you mention is subject to the exact same set of attacks mentioned before - ANYONE that has the multicast key can send verified traffic, which means that even one weak link (e.g. your lightbulb being hacked - and it will) makes that DOS protection moot.
[SK] I had shown the use case in more detail in IETF London where I clearly said that the solution was meant to work with group members distributed in different link layers (wireless or wired) but running IP. In that case DoS protection at a higher layer is required unless changing in-between router's behavior to start joining every group and doing all kinds of verification.

Regards
Sandeep




________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

v2.23.0 | Report a Bug | By Email