Re: [Iot-onboarding] BRSKI : proximity registrar cert and MITM question

"M. Ranganathan" <mranga@gmail.com> Thu, 20 February 2020 21:46 UTC

Return-Path: <mranga@gmail.com>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A545A1201CE for <iot-onboarding@ietfa.amsl.com>; Thu, 20 Feb 2020 13:46:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L40ma-jYi13j for <iot-onboarding@ietfa.amsl.com>; Thu, 20 Feb 2020 13:46:35 -0800 (PST)
Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B465E12018B for <iot-onboarding@ietf.org>; Thu, 20 Feb 2020 13:46:35 -0800 (PST)
Received: by mail-il1-x133.google.com with SMTP id t17so24917326ilm.13 for <iot-onboarding@ietf.org>; Thu, 20 Feb 2020 13:46:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jkJjE5YnKH+x/Hh4z1fIZSs4C144twOXaMX+EPQJglM=; b=VC3ePNzWRAOD5xDHW3vNGfa9AOB1qtRXn9YwmZv8f2U6r6+y/zrJ58Arai1albquJd pjhXsNCJlHbY+KELlKFYvkeA7Lu3W/Nf/DRwOJ4RuVxPKkHszoo2zUGE4BkdK5X6sLNX UCK8aaas2ZOwVx7vLDX9ECQTUO3OfVAZh8NCXwMIYfaVGh4IikzAmGwmqEf0Ui0lIsyW x6+eCQjWg8OE9nQAqb/301NaHdNFcAkCVMwvxoNx7pGUYYXRvrG/MwQF/NTpZRe7x9SI o7ao1Bl7w2HGVGMHRilmIZE6X2rJ+ImfRy2uZISQNBkiFjTqZPouyxTaR+Zqm+62dBRh NMXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jkJjE5YnKH+x/Hh4z1fIZSs4C144twOXaMX+EPQJglM=; b=AAdhh1BYG+peoQblUZ6qvzm417yyyfAThJuJPTfQElvk120IStqr3eGnaA6rhctu4U sz1SOPRGnk79NZXNkShL3zF0EvJam6jJV+bXjVMlJ4UrlzcNEBsH84eaN+b8IFir3txt wps88+ax4N7YU+67E0Fnxw075zsCdVhmqVTzTafOBcrPmlvwYZEwtC/g7ghbKgqiof5E O5V7DHxZj/doutrQ1XRHMrIYkrUqUfkTRWGaw1/51Lh3tVhta0hQAhI+KtBSnFCdzsoI w7BcOlSe9d7UGT+uTvEU41emrFEKX4hnGs9r6t0H1Q6KyCWfVMa3Xd9O62QNh/ZaoL5w uHAw==
X-Gm-Message-State: APjAAAWDrrC6Zsvv8fIYiWsiDqvvInRUQEoiYXEfa/o1+SrrTyEjFVIe V5Re6EMqRe2FUUuFlMt92DscgOuIgEZ+08pfLT7GO4lT
X-Google-Smtp-Source: APXvYqxCgpW4eAP3ddeC/hD9IcRc1J4e0/mPlPwsyiU7xwwOT7augsF7EgF8RWFeB6OrdY6WnxYETqeYAdTqSNWeW5M=
X-Received: by 2002:a92:8458:: with SMTP id l85mr32320059ild.296.1582235194864; Thu, 20 Feb 2020 13:46:34 -0800 (PST)
MIME-Version: 1.0
References: <CAHiu4JPRyNT=DmykHw6KaU+Q6X_o70Zc_+i0NosM-zU_iiRSZg@mail.gmail.com> <25486.1582103702@dooku> <CAHiu4JO2oBKeTypA+opUMOhCcWeuxJ-Vi8=qzji8dUMbQ6fP7A@mail.gmail.com> <12970.1582189476@dooku>
In-Reply-To: <12970.1582189476@dooku>
From: "M. Ranganathan" <mranga@gmail.com>
Date: Thu, 20 Feb 2020 16:45:58 -0500
Message-ID: <CAHiu4JMKt_FwDa1rd=TfkU3eTZzom3pxfPbEthJ4Kcjvp7=fcw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: iot-onboarding@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/sdQmcafHb0ImvsRyKG9LsY1f7QU>
Subject: Re: [Iot-onboarding] BRSKI : proximity registrar cert and MITM question
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 21:46:38 -0000

On Thu, Feb 20, 2020 at 4:10 AM Michael Richardson
<mcr+ietf@sandelman.ca> wrote:
>
>\
>
> In thie case, ISP-A can see that the Voucher-Request pins a certificate which
> is not it's certificate.  It also can see that the TLS connection is from
> an entity other than that which signed the voucher-request, so it knows that
> there was a (failing) attempt to MITM the connection.

Thanks. I think I get the attack scenario although a picture would
help if you have the time (back of envelope sketch will do).

One thing I am unclear of - lets assume the MITM succeeds and attacker
gets an unauthorized voucher. What damage can it do with this voucher?
It still does not have the private key of the legitimate device that
issued the voucher request so it cannot enroll anyway. Is that a
correct statement? (I agree it is a good design to prevent the MITM in
the first place). I suppose that could screw up the MASA if it is
maintaining a log. Anything else?

>
>     >> A lot of situations turn out to be difficult to construct in a
>     >> convincing way because the device is authenticated by it's IDevID, and
>     >> so a MITM would have to have an acceptable IDevID as well.
>
>     > The device signs the request with it's private key and likewise accepts
>     > a Voucher signed by the MASA which it has the ability to verify. How
>     > can a MITM intervene?
>
> Yes, it's because of those signatures that a MITM attempt is defeated.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
>
>
>


-- 
M. Ranganathan