Re: [Iotops] Error categories in constrained IoT authentication

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 16 February 2021 08:32 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 678263A106F for <iotops@ietfa.amsl.com>; Tue, 16 Feb 2021 00:32:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BqK_R8RoCcWa for <iotops@ietfa.amsl.com>; Tue, 16 Feb 2021 00:31:58 -0800 (PST)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2094.outbound.protection.outlook.com [40.107.21.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D16763A1067 for <iotops@ietf.org>; Tue, 16 Feb 2021 00:31:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BDSoMqKlXnN+fSsGIIbBRdCca6t5QrF0Q+PsmaGe897JFVpA8hHcU2pxZoxjDM6gR+SxHyZvs+Xfj8nAhvwCJz1L5OpZYTEeQqAGvBDYZCcms/8wBluw0mE2zI0Dfxd6J+nKGZLjiN8NmbM2dhNEokyTSAVLzgepszsz3aGgRJYWhJ+D0wKZBmYRU+yYMNJiCeI3wXrcfjc3qpyNqrUQq9XNNS5AFidupUtvXo4wnsGd88/Hwtvlga0eISJVNykhpiDgBT+aNpeqF97+xRF2vx3mOJDXBiNwNsp1saM7w7D5aH0MrNrRhxwv11JeU37Z03YOLQ7Mxn7XnRDZh4gNZg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YssQWhcg8ju1gdRxc3PhqASMn+3G7/+VmBC1m0yffEM=; b=iWExU4G6xxpZIklos2fdATYPa05PZrquKTBoUKwQT+QSb/XZAVe6fumX8RhehDY0wlhTkwytm/inldo+cr8Nqjkaex9tvBkpMPboZHHsC+FFDzSQSx4y2T/a2wnmmuBJCYET2XkSW0Q3F6nkRY6+/zb5sOnIbB0fgy9hIRSV8FdkkasEh8Uaesx+hkVapdCAJJMka+B8490Zw+jYXbmkk8IirgJp58XazrjBbmUf/8qvT26U4ttqpRhM+N9Pu+NiopE1lUvQjwAsarzaJTa2QExP2+Fcr3AgnydAs1U3OVZzCCz0OGx8DgibAynDCaWQ2I8/hzKLENTwAUdyRAF/FQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YssQWhcg8ju1gdRxc3PhqASMn+3G7/+VmBC1m0yffEM=; b=ub1tqa3armBEid4EltvwNTS4R0F5WVqMmzLx1R2AmF6ZVZFM++Ssjp5RFZVuFBFwTycv9QQxQiWofUUFJUGWDE94c4gEEHMlBm0U0gLjmbU01Ti5smnkJd+2Eavpvf51VPfKGsx7xN6cB/rMuQyBaMr8iE5sE/Upn2syB6DcjaM=
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:1d3::8) by AM4P190MB0065.EURP190.PROD.OUTLOOK.COM (2603:10a6:200:62::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.42; Tue, 16 Feb 2021 08:31:53 +0000
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::2d7c:4545:d83e:3b5d]) by AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::2d7c:4545:d83e:3b5d%4]) with mapi id 15.20.3825.020; Tue, 16 Feb 2021 08:31:53 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <goran.selander=40ericsson.com@dmarc.ietf.org>, "iotops@ietf.org" <iotops@ietf.org>
Thread-Topic: [Iotops] Error categories in constrained IoT authentication
Thread-Index: AQHXA7sevPYsVE9D80KdsgQDTgiUsqpZdgoAgAEA24D///fKEA==
Date: Tue, 16 Feb 2021 08:31:53 +0000
Message-ID: <AM8P190MB0979BF8094F05FDD52B491ADFD879@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
References: <49569FF2-938B-4584-B290-F16558F352F5@ericsson.com> <27125.1613409584@localhost> <7FFB63D7-801D-4E8B-8257-BE9BCF7BA6BF@ericsson.com>
In-Reply-To: <7FFB63D7-801D-4E8B-8257-BE9BCF7BA6BF@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=iotconsultancy.nl;
x-originating-ip: [2001:1c02:3104:5700:a55b:2db8:d682:cc0e]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 65cb01e2-c61c-4c7f-e367-08d8d2555081
x-ms-traffictypediagnostic: AM4P190MB0065:
x-microsoft-antispam-prvs: <AM4P190MB006586C792BC95E02C0A8882FD879@AM4P190MB0065.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: dY7pYoqgBjZq439XDWurHWlvhAdbzAskpvbHsQee2TZnuZpDADBhLb26DrMsRe2WxiIpgVNRBF+I68LvNWDPTlNtIv5Oift6A1/qde5uksIKQlO7cART9NiyJPW4O52v9fOhvkgc8NDonHMIG50AjdswRd4V+h7evAWutQmodPmyEHdYt/XFPviTpa5sMzWLBeqeNxoHv9q7GPwStRjTsuyI/XvcjftdsDUN+e2SVs96bkSWeXzFSQnzZ80OeI1YJ4qsgIuMfZAL3TP4u5zbOelzqwLAltysK8/CNHJaiU3qIIQAUN3O3mma6pb2/WRbSUeBI9mo0RqZUFliwkcTsPRt4nBZ98phOge58qqjjRCy2VxQF6w0MDUEVtPMiVi2DKDP0Q9ZX6yppaTPjM/sWwscBOmK+Apk2O7OiacnEBjm0nYqDa+qvtWfKdY8Kj+cV04w2WBtJ2uVBZrzghonc2tjo2Geb7BMLQsVodtCE2jNgLe3XlUcl5d85zKzSUhE5xvEVBJ2mxTYonQ0W4oUSxnW7gez0KZ/EsR8uNQqZiufKJhhEgU/fff2UzlIjGjgGZwrz73PNi5jTejWiAgjyFiBBMALHYfKAIbuvZtfI40=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM8P190MB0979.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(396003)(376002)(136003)(39830400003)(346002)(366004)(5660300002)(2906002)(8936002)(55016002)(52536014)(44832011)(186003)(83380400001)(8676002)(66574015)(9686003)(110136005)(86362001)(316002)(71200400001)(53546011)(6506007)(966005)(7696005)(478600001)(33656002)(66946007)(66446008)(76116006)(66556008)(64756008)(66476007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?utf-8?B?M2tHVnI0Y2FiWXRSR0pzaWdKVDl6SWdGeHRjcG5VbTF4Ymcxa2NyZWlWMFVv?= =?utf-8?B?VFZ3bUF4cjNBNXZHRjV2Tndaa1M0WWJiNHdMakh4SENpUUdsMHdCQldZRWtP?= =?utf-8?B?cXhEU0RRQ3JSeTNoMmNPUFhsWWdqOEtiQWUyekVPSENkcFZLVENVeUloRURD?= =?utf-8?B?blhSTVI1a24vNldaZ2ZUS3g1TlI1MldZanNDWlV0a1dpQWxueEFuYkhNdmtZ?= =?utf-8?B?aHhHVG9tZHBubVlGcFhGNjcrRHoydTRweEhTT0wwVHVYM0ZoUFpIRGs2L0d5?= =?utf-8?B?d3g4VzlOMm1LWGdhNEF2cUtFK3h6TGxzbEczT0RYZUhveU92RE9BamRZUWd5?= =?utf-8?B?V2ZxNFR2RXh5Nm1BMzYrMUJ3L1VHbGtrUXBKTzVaamZoOCtXZE95eHAzNWhM?= =?utf-8?B?QzdFdmYyTTBnRkV1S3pIZnBid1B4K2t3TjhCQVRTL3h6ZmNpeVVRZmNMcU9m?= =?utf-8?B?d0w5NWJqbUl2Sy9UcVEyK0xSdk83cTJkQ3NjZisvY0VjVktXWTlYU09sWFJt?= =?utf-8?B?QlM2THhuRmtOUHExSHVFWGtTbE42TXhnZHUxdEdXRjE0OFAwTzZESmtOYUhz?= =?utf-8?B?bzI0bWk2SzFsV2o0OFdFM3Q4eHNIQ1ZoMDNoTDcrelY4MGNxRE5pWnJNZzFl?= =?utf-8?B?dUIvN3JsNzg5RzlIVGxMVDFwSndzbGVuYndFYzdxNkVVOEJKZmpIcUkyeDJ1?= =?utf-8?B?dkppbTRFRkk5enBRaWJXZFFXYjJMdFpjK2FrNVg5Qk5wV2ltc3hYTk1FMEpP?= =?utf-8?B?M20zbU5MSnhwNFFoMUdHVmRtYXZHSnUyUkFYcFBVL1gxKzR3YTdLMHk1MmRp?= =?utf-8?B?akRjKzlKbkNpSXIvVzZhTjRLRzZ1eFJGSytPeDdlNmVtUzI3RllWTnhCTVhq?= =?utf-8?B?RGdlNUFNSENBTGRPeTdhbDg3N1JQYnJ0ZGNDdFdYbGZ0U2xlSDUyUEswQllj?= =?utf-8?B?U2I3YXU0eVpxTkpKdXFkVFVRRUcrelI2TWZJbzd2ZFV3S09GbmYwR3Y5Nmxy?= =?utf-8?B?RGVya0kyVEFuYjFWSGQxZ01XWVFsL2VhZElwWktVdWpwYnFFTkJFTTlGUDU0?= =?utf-8?B?bytieUg1bTRvQTVZSHRDSVM0SWNTcjNvbGtJaGowYTBKWG5TaW80Tmx2cHhx?= =?utf-8?B?T01SYTJidnlCb2t0NGsza0R4SDJ1VmdnY2lpbVVBVTRya25Xd1ZYdWo0bHRh?= =?utf-8?B?RThaY1MzSVpIcDRvRlJsOWVCb1BnWGozaWp0dGkraGllUitsdGZoMldpblBx?= =?utf-8?B?bXQ3c0l4UFBBbUd4V3ppK0tKWUdWRFZKZkwrckN0MWVpa1NUOWxwRWZMOWRS?= =?utf-8?B?N2tHOHdrZGNVMXF6RVRXNFlFTzVOMjNWaHZvZG9ZMmpMUjdRTUViUHlqRlZw?= =?utf-8?B?elg1WVQraUdDbktGbWI5aDNtLzU2bUZONDkxL3EwV2Z6Z2laZFZNZGpENjRR?= =?utf-8?B?VDN1TS9pVm9kS01VNDU2aS92Zi9LN1dBNVpJbVhydDhPbmJReTdJbzNKV0F3?= =?utf-8?B?OUxlY29wa3dlUjNBUm1NT0xIQUFiVTlaeEprWDMwWDRVbFJsbWhwaFV0NHFW?= =?utf-8?B?UWErakdVK0dhWnp4NDllR3MzQmZTSjhBWXN3Yjh2OHZNRE1kNCtOMkpSSUpl?= =?utf-8?B?SGtKY2ZiaFFlYXhkdFZDcytwaVdxTkFNTTNFUTR1cnZGaVgxUjFPOSt2bE9P?= =?utf-8?B?WCtCdXVQRU1DQlFiYnZONzdLcVhCOGZJcHU4YVZFOGVUUVVHSDRCSS9xWFNP?= =?utf-8?B?Z3lIenVrUWhKcTA0anlaUnlBa3UwVVlSNmtINzNsY2xNckh1dmU4UFh3MnlS?= =?utf-8?B?UUc4bG1JeFdRa2pHeFQ4TTNhSVhWL2VNZU9jRmdvY2w0UTJ1Y2hjVFdPRG45?= =?utf-8?Q?r+VpcrrVNJB3b?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM8P190MB0979.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 65cb01e2-c61c-4c7f-e367-08d8d2555081
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Feb 2021 08:31:53.6821 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jnHOEX3DfYSk2DKcXU85k8MLTVVGJ0NOmv4eWjLB4CKjNPg7d95ycaETjPYnWnDZAgL1iVg+jA9yJOSdnmDdHw7z9sV2s5TZXzTqXWO7mg4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4P190MB0065
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/AGva1IOA1uem2VPyQRnxwvd5veA>
Subject: Re: [Iotops] Error categories in constrained IoT authentication
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2021 08:32:00 -0000

Hi Göran,

Thanks; this demonstrates the added value of Iotops :-)   Without your message I wouldn't even have known that LAKE is doing this! The error codes would be very useful for other bootstrap protocols as well, like BRSKI and constrained BRSKI also being developed now (ANIMA WG). The current status reporting uses a JSON resp. CBOR message with a machine-readable Boolean 'success' essentially, which could be easily augmented with a standardized error code field. Note that in this case the status report is sent within a secure DTLS session. 
I don't have detailed feedback yet on the categories but these things are to be considered:

1.  the error code needs to be encoded as an unsigned integer value - it should get a symbolic label also like in (D)TLS, linked to an integer value, to make code and specs better readable.
2. reserve one of the status codes for success, so that the status reporting can also use the standard value in case of no error
3. to avoid complexity, allow implementations to use a high-level code with not too much detail. For those implementations that can afford to add more complex/detailed diagnostics, use sub-codes.  Then in the future potentially even a 3rd level of diagnostic info could be added. In CBOR this can be easily encoded e.g. as uint only for a single error code, or an array [code1, code2] for the more detailed information codes. Good thing is that the second-level etc. error codes could be standardized also later on, on a need basis.

And one security consideration just to keep in mind: too much detail in the error reporting is not good if it reveals information that an attacker can use to do a next, more targeted attack.
The HTTP/CoAP, Netconf, or (D)TLS error definitions could indeed provide some inspiration on what to include.
I found also an example of an error code registry here: https://www.iana.org/assignments/alto-protocol/alto-protocol.xhtml#error-codes  this kind of registry could be used to keep track of the codes and any extensions to it.

Best regards
Esko Dijk

IoTconsultancy.nl  |  Email/Teams: esko.dijk@iotconsultancy.nl 

-----Original Message-----
From: Iotops <iotops-bounces@ietf.org> On Behalf Of Göran Selander
Sent: Tuesday, February 16, 2021 08:39
To: Michael Richardson <mcr+ietf@sandelman.ca>ca>; iotops@ietf.org
Subject: Re: [Iotops] Error categories in constrained IoT authentication

Hi Michael, and all,

On 2021-02-15, 18:20, "Iotops on behalf of Michael Richardson" <iotops-bounces@ietf.org on behalf of mcr+ietf@sandelman.ca> wrote:


    Göran Selander wrote:
        > Hello IOTOPS,

        > There is a discussion in the LAKE WG regarding the potential need to
        > standardize error messages appearing in a security handshake protocol
        > targeting IoT devices. Is this something IOTOPS could contribute to
        > and/or review?

    Maybe.

[GS] Thanks for the consideration. I now realize this sounded like a formal request to the WG, but it was intended to just probe if anyone has an opinion and wanted to share some thoughts.

        > Assuming this might be the case, here is a background and some draft
        > error categories for discussion.

        > Background:
        > ---
        > LAKE is specifying a lightweight authenticated Diffie-Hellman exchange
        > called EDHOC [1] similar to the TLS 1.3 handshake but targeting
        > constrained IoT. The protocol consists of 3 messages and an error
        > message which may be sent in response to any non-error message. The
        > error message essentially consists of a diagnostic message field
        > containing a text string targeting the peer administrator.

        > All errors are fatal and cause the protocol to discontinue. The intent
        > with the error message is to provide a hint about the error to the peer
        > application, to enable logging of errors and appropriate management
        > operations. (Note that since the protocol failed to establish security
        > the error message is unprotected and needs to be treated accordingly.)

        > The question is what error messages need to be standardized, if any.

        > Detailed information can be provided by using the diagnostic text
        > string. But standardizing detailed error information adds complexity to
        > the specification and implementation, which would contradict one of the
        > design objectives. But perhaps we can we identify a small set of error
        > categories (codes) that require to be singled out, for example because
        > how they impact operations. Such categories could potentially be
        > complemented with text providing additional details.

    I am imaging that the resulting error codes are not just sent to the peer,
    but might be link-local multicast. They *could* be object signed by the sending device!
    It is pretty clear how to do cheap multicast over wired and 802.11, but what
    multicast means over an route-over LLN-mesh remains to be determined: it's
    not free.

    Consider the situation of being able to plug a diagnostic device into the
    home LAN, and be able to find out what devices are failing in what way.

    Significant privacy risk, for sure.
    There could be some kind of blind applied so that the devices are not
    immediately recognizable.
    That could be as easy as just not including a strong identity.

    But, security which fails in ways nobody can diagnose, is security that gets turned off.

    I think that there is a sweet spot where we could get enough information to
    do further investigation, while not blasting useless information around.

[GS] Exactly this was the intent with the draft error categories A-G in my previous mail. Are they doing a good job?

Göran



-- 
Iotops mailing list
Iotops@ietf.org
https://www.ietf.org/mailman/listinfo/iotops