[Iotops] Error categories in constrained IoT authentication

Göran Selander <goran.selander@ericsson.com> Mon, 15 February 2021 16:54 UTC


Hello IOTOPS,

There is a discussion in the LAKE WG regarding the potential need to standardize error messages appearing in a security handshake protocol targeting IoT devices. Is this something IOTOPS could contribute to and/or review?


Assuming this might be the case, here is a background and some draft error categories for discussion.

Background: 
---
LAKE is specifying a lightweight authenticated Diffie-Hellman exchange called EDHOC [1] similar to the TLS 1.3 handshake but targeting constrained IoT. The protocol consists of 3 messages and an error message which may be sent in response to any non-error message. The error message essentially consists of a diagnostic message field containing a text string targeting the peer administrator.

All errors are fatal and cause the protocol to discontinue. The intent with the error message is to provide a hint about the error to the peer application, to enable logging of errors and appropriate management operations. (Note that since the protocol failed to establish security the error message is unprotected and needs to be treated accordingly.)

The question is what error messages need to be standardized, if any.

Detailed information can be provided by using the diagnostic text string. But standardizing detailed error information adds complexity to the specification and implementation, which would contradict one of the design objectives. But perhaps we can identify a small set of error categories (codes) that need to be singled out, for example because of how they impact operations. Such categories could potentially be complemented with text providing additional details.

Please find below a first sketch of error categories (inspired by error alerts from TLS 1.3 [2]).  

Two questions (going in opposite directions):

1. Do we need to make more distinctions/are there missing error categories? 
2. Are these distinctions necessary, or can we remove/group together some of them? 


Draft error categories:
---
A. message field error (syntax error or incorrect protocol field)

B. integrity error (unable to correctly verify a signature or a MAC)

C. credential error (error related to the attempt to use a certificate/raw public key as a basis for authentication, e.g., certificate expired, revoked, unsupported, corrupt, unknown CA etc.)

D. access denied (credential valid but peer not allowed access)

E. internal error (error not related to the protocol or the peer)

F. auxiliary data error (unsupported or missing extension)

G. cipher suite not supported (this particular error has already been specified with a special message field, see Section 6)


Any comments are welcome.

Thanks
Göran

[1] https://tools.ietf.org/html/draft-ietf-lake-edhoc
[2] https://tools.ietf.org/html/rfc8446#section-6.2
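Receiver-side handling of the unprotected error message described in the message above, as an added example that is not part of the original post or of the EDHOC draft. The wire layout (a CBOR unsigned integer category code followed by a text string with the diagnostic) and the retry policy are assumptions made for illustration; the codes 0..6 simply follow the draft list A..G.

```python
"""Handling an EDHOC-style error message that arrives unprotected.

Assumed layout (illustration only, not the draft's format): CBOR uint
category code (A..G mapped to 0..6) followed by a CBOR tstr diagnostic.
Since no security was established, every field is treated as untrusted:
the diagnostic is bounded and sanitized before it reaches a log, and the
message only ever ends this handshake attempt.
"""
CATEGORIES = {0: "message field error", 1: "integrity error",
              2: "credential error", 3: "access denied",
              4: "internal error", 5: "auxiliary data error",
              6: "cipher suite not supported"}
RETRYABLE = {4}   # assumption: only the peer's own internal error merits a later retry
MAX_DIAG = 128    # bound what an unauthenticated peer can push into our logs

def encode_error(code, diag):
    """Minimal CBOR: uint (code < 24) then tstr (UTF-8 length < 256)."""
    text = diag.encode("utf-8")
    if not 0 <= code < 24 or len(text) > 255:
        raise ValueError("out of range for this minimal encoder")
    head = bytes([0x60 | len(text)]) if len(text) < 24 else bytes([0x78, len(text)])
    return bytes([code]) + head + text

def decode_error(msg):
    """Parse exactly the two items above; anything else is rejected."""
    if len(msg) < 2 or msg[0] >= 24:
        raise ValueError("bad category code")
    code, ib = msg[0], msg[1]
    if ib >> 5 != 3:
        raise ValueError("diagnostic must be a tstr")
    if ib & 0x1F < 24:
        n, body = ib & 0x1F, msg[2:]
    elif ib & 0x1F == 24:
        if len(msg) < 3:
            raise ValueError("truncated length")
        n, body = msg[2], msg[3:]
    else:
        raise ValueError("unsupported length encoding")
    if len(body) != n:
        raise ValueError("length mismatch")
    return code, body.decode("utf-8")   # strict UTF-8: malformed text is rejected

def handle_error(msg):
    """Return a sanitized log record and the session outcome (always fatal)."""
    try:
        code, diag = decode_error(msg)
    except (ValueError, UnicodeDecodeError):
        return {"category": "undecodable", "diag": "", "retry": False,
                "session": "discontinued"}
    diag = "".join(ch if ch.isprintable() else "?" for ch in diag)[:MAX_DIAG]
    return {"category": CATEGORIES.get(code, "unknown"), "diag": diag,
            "retry": code in RETRYABLE, "session": "discontinued"}
```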