IETF Logo Mail Archive

Re: [Lake] Protocol runs

Göran Selander <goran.selander@ericsson.com> Wed, 08 February 2023 09:06 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E0AEC1575C1 for <lake@ietfa.amsl.com>; Wed, 8 Feb 2023 01:06:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WS9gFfW8AE4O for <lake@ietfa.amsl.com>; Wed, 8 Feb 2023 01:06:10 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04on0631.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0c::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F0D7C1575AD for <lake@ietf.org>; Wed, 8 Feb 2023 01:06:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GkdHZhDT2Gj9fCfMDnObFSalqUDJoY3Q/eUa5ugGVtd4DV+dqD42+IuzGLMG3eV+fSZQ/3fr5GqtVe6mJDklqCHyjrE5yFQOjfaf6cODRz1naV+6K2/UpEE4ViokCbyw/8AtnPrRqg2JsPdx6imJuP9PTUAnddjMRtRSp/JUfLj5q+xEF6qI+7nxfnjAMNOL2LpMOVnYxMc25YrEctHrS3yvf0XYqOmWspw5LE5kzQbIZKJ6Df5RNDu8B1M5m4i7/ieyjTNq2LjUUwyEGxn+eHeFoshxH2P482u1+UdIOkWPZAZygPW4QT5bj5VO46aeF0iwH56Pvcc2j7h5Xa5XAA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=34H4K593gJ+PsU5oUsxxAQLextG/BKRc8gv7o3+cmRo=; b=jOnUAFECbsuuS8coN2uSC7JQNdejpmd/gseEwdP+FAeQbz+DAZm6nBzTudnQfW469nFMG0UFh6ydnL3C8Qe7AtMwj6eOQIW4bkawUHBn2D6NdMoUiq/oN5TyNzbvAAsb/rIXMVNAxytMWl+l5KhfKdwsa1xKOYmHnFYOmR2OpNYUNAPuXElmsdfA5zpgZYSRCVSzZ3z6RPCd7NiMPyDggh/GJf5XE1I4dOFM0ZflG5JqIiZgvxMyEY4pL7CdKgs3AzURbxOq/S7W6lJHZqzjzeyZrH/xy8BMqsF6Kl9qODbH3F4CFlaSH8FG+F7+mTKQ8qVcHXz9/erJPbaNda1SoA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=34H4K593gJ+PsU5oUsxxAQLextG/BKRc8gv7o3+cmRo=; b=UYpAz1fmIMp0XLldWCwWjQA5cGiTA56Ft7LNT5Hkj1MmrAXiUg62jrP0t+zPTMz5QK+QhBAjxQPPCNCCnqlQbeaTR25BAGuI6H9uWaZ1GFCNauLkftqDRetf9EZKixGUNDorR4Cy0sIp2G4RwnFCKWGQ62EErOgoipWhDtLW6AU=
Received: from PAXPR07MB8844.eurprd07.prod.outlook.com (2603:10a6:102:24a::19) by AS8PR07MB8134.eurprd07.prod.outlook.com (2603:10a6:20b:371::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6086.17; Wed, 8 Feb 2023 09:06:05 +0000
Received: from PAXPR07MB8844.eurprd07.prod.outlook.com ([fe80::90a2:f0a6:8edc:153b]) by PAXPR07MB8844.eurprd07.prod.outlook.com ([fe80::90a2:f0a6:8edc:153b%5]) with mapi id 15.20.6064.028; Wed, 8 Feb 2023 09:06:04 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Carsten Bormann <cabo@tzi.org>, "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [Lake] Protocol runs
Thread-Index: AQHZOx2hfNxASvGvaEqKWw479nRZNa7DxwoA
Date: Wed, 08 Feb 2023 09:06:04 +0000
Message-ID: <PAXPR07MB884478AA2A540044A7CF3BAAF4DB9@PAXPR07MB8844.eurprd07.prod.outlook.com>
References: <2540B21E-82C6-49CD-B853-5DC76E11FEA1@tzi.org>
In-Reply-To: <2540B21E-82C6-49CD-B853-5DC76E11FEA1@tzi.org>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PAXPR07MB8844:EE_|AS8PR07MB8134:EE_
x-ms-office365-filtering-correlation-id: 985895cd-f308-4444-d24a-08db09b3b556
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 4+HxQl2QsmibwMSHG6UBzCUUaR2U1QN0g+2uctJKDiDSHzYnvWyV4C5hSFVspDmmwwxCkbsJy2XtUe1mSB+DFVt9xs3IPbpu7AE9IdtpdOYdhvxnd5/msgWrQG1u5CmOFGOVZa/9hjfh9wP14dkv5EP8n74N+6QJAymwr0M0EYV5OVo/Zdr4V8y65XZIVhWCGyXvdEOFY7K02hmXFf8Y1PXIrZru3tDvl9PGYs14g+W2Icti7iuMYEocAkcScknXYKvCsV/KPeyyEXbBqNhvwu1cl5mXLX4USAK9tqXnmFz9TbJJXITFf+Fi8mwRihcoMDqCYyeeV+TjkGXFqJdWO9fl+5NIJeScc3199KAkmU9qAGxiyaMIDS14qr8QjjzvcmCZbi5S+XnfHkpvmsUBC4qsuOvZrb21vzfDQgHBo1+36TFc1kE9CxxCeVlz/2Y0acxXjmRlgDkC33SaTVBmvZG3lHlbOrXt9w/+kma1IuL7haLdoPv5fMyeK4MDTJZNKaBXbB50cwO9YAZkP7iqSx5bAxpo29e1bCNa/JEhs3Ti+5g3FGoBxwXnu2ulLVeduGPO9qXn/oDSrMiADFrtEMCqHKp/PFXf45E63z/aPiHCqC9swjToR5T1UYSHYI1pKTHigiEN/S+1Y0j5PJyhzW/k3YeEgJVsNxho7oxM2zSKDzCNTwT1EjZ59oTYjV4Rhw+zfMQE9nA3PxBgACGYDEf5OU5i/m48T9/ywnYkQL/SGuRtn1S8Tu7TF53FrGifD6VuZq8K4OdjicnULUzCbQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PAXPR07MB8844.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(4636009)(366004)(396003)(376002)(136003)(346002)(39860400002)(451199018)(41300700001)(76116006)(91956017)(66946007)(66556008)(66446008)(64756008)(8676002)(66476007)(55016003)(122000001)(2906002)(38070700005)(33656002)(86362001)(38100700002)(82960400001)(166002)(5660300002)(52536014)(8936002)(7696005)(71200400001)(966005)(9686003)(66574015)(26005)(186003)(478600001)(53546011)(6506007)(110136005)(66899018)(316002)(83380400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: jzopA3ZwX3RVcQajEXlClSXF6v8SWsfrDg4QJKVf/WepXPAm1pM8p5XH405LMX6WdVEgzOvnQUph5G1zDJ4K0YZI/2jJ5kovSQCM7Ic3ZxhROpYR92FevpKDSGgF4+wpuoVyaV+M+u7JZSu8qRQNUpbuSaV3TfDKxAArMH50tyz+BEzQjuUjVwrRfGXeFz+iiRXNMMpKkveGFFeRePFkgUXdWiRPn6CD88aryra2eJpiAwi/jiKZmW2w5L0f1eg3VG+cSydntJvuoeGoESJC/LKIB9JM6beUgZRc9baF/bvbSgxrk4JoJ7Q/LDI3aBnjIb6UO3/iTMG50LcTwOV4l14JpPTHWIZcO8Eb3GkVl8uyGfZAC3IJpqokABrAIOF4zjJv+0TPL0qBZiNG5PhLE9zqar/tqzsQzVnwcI2wGnmry/W76kgO59Rxb7mxql4KXvxv6XUu4qZ52r2d2E6eP90x9YizaRDKe7IfDL7udmL7jE858tvDtXENVw1MmwWVCytU1Lc/r8FBm1aU1nS61UFNXMVke3Sv8Hbcm08iZMDtGKIquOOpu2nA4pUg5RlX53oxq5uVZo70M6yKEIN8RoX5WbK8n2LqRmHcXsIXNsoTVdNr0iHaL3GZGSzYRrqLgpR7lTv2HONL1XmIIfUsYImvdj9HAYQeIwcmQPPzfPNYzVcAcZ3hZYapqHRK7B8o+u5kJ/iKKezncEcMfrzFRWWUgF/SE8xyfrcwwMqcxwN/Zu58Y45KYhvcm1UvK/++HMBCAWUsFTSlGbsMI08cNz/JeGREVuAAEhgQxHYq0nREnBPXFeduGRSpJy2NALBaz/wZULLdrg9UxQ6YI5pteJ9ojUo5fM4cfMQBuO7VI9TTBtuEyMFjTwsCSdNam5QxlhKmM3XtepHP2wOXJnmeN13M7cBV7pmF7R8Pv54tZCw+v0pOmO1Jh9a9yWxEot2RxDMZekljADxUDeOGOog7Qt2L3ZPxGC1eWHBSHZKejkCkkKOVS6zBjaIZ9WzqzqkADhe/HTpY9zu4iFZSTyyD0BOA7mW7WXJNJilAKUhDpDIwoBfsruuJ1s6mYcwhgbrR6c5XxRinj/T8ibMVOTq8c+KiEJAIu7NPnE5KNQ0xiBr34DPyqUuXItCHwIkLErmXU7okt9ijnT7mQ8f+yesktTNXMN8Nf5fvhGnkF9i7CqAX4HqxGBhBQ2lC37iUQUe5BusDN5fgTUdjtU8LCxvHWnKhryrP1mEEJOQeeBNigtrE53JcmIZSLBZ2BhzrU+leuLnue2mYQZnfi5NfutHO4TkCN5Hvp5MXzeTADT81pdvt+B0cNo7JEjYPFw1iBHbYM7IwpMIedfdM0dmS25eS2INfzJtLimoccDwDLYMBbWSwlhXtdrOv327PPGvnzRSCF/VzezuoX2HEQZufOO+8bDDlCGkCGHKpPGfutQhdVWOnL1V9+gm19AeArnh3JJz8KyMEDOgfBNaeL0E5NB4qtlecOtqbXLX/cgMcsT7uSVxlBgkGBtOSiWNHRClCWQ7Nd09m96i+H7fCYubgRe6ilRCE4uH/KdA+KiIyFpzQ83WoYAHk1ebUMItadE3eGTypTN5J56Z3a5s5IVdKtowgpt5YYnxjR8DJ0tpphPy0SN8=
Content-Type: multipart/alternative; boundary="_000_PAXPR07MB884478AA2A540044A7CF3BAAF4DB9PAXPR07MB8844eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PAXPR07MB8844.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 985895cd-f308-4444-d24a-08db09b3b556
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Feb 2023 09:06:04.8906 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: prbp8WsqPu2z/a3YvN30Kqx7teBEv975Gu0Qww1+FaqaxxsevOGMmsc6Kl4Y02VJORhAggPq9R8WLsj74JgW0aLoZtqhJHKiwk73BclooZY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR07MB8134
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/G8Rsw1SNYBhBT4r1xyerIru0qlA>
Subject: Re: [Lake] Protocol runs
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2023 09:06:15 -0000

Hi Carsten,

I’ll start, others may want to fill in. There are several potential questions here.

The question about protocol security has as far as I understand been addressed by the different analysis efforts (people are welcome to confirm this). There are no issues with concurrent protocol runs. The attacker can cause the protocol to fail or not terminate, but if the protocol completes the security properties hold.

The question about an attacker manipulating a protocol message causing the protocol to fail, you use the term “vulnerable initial phase”, this phase extends throughout the protocol run. If message integrity fails then the protocol is discontinued. This is by design and has some good security properties, for example security guarantees even with short MACs.

The question how robust the exchange is depends mainly on properties of the underlying transport.

> How do packets know that they belong to a specific protocol run?

The underlying transport in the recipient endpoint knows, either by means of other data fields, e.g. the CoAP Token received by a CoAP client, or else with the use of an explicit identifier prepended to the EDHOC message, see section 3.4.1 about message correlation:

https://www.ietf.org/archive/id/draft-ietf-lake-edhoc-19.html#ci-edhoc

If the EDHOC message received is not a correct expected message this results in failure to verify the integrity and that the protocol is discontinued:

“EDHOC messages SHALL be processed according to the current protocol state.”

More details in Section 5.1:
https://www.ietf.org/archive/id/draft-ietf-lake-edhoc-19.html#name-message-processing-outline


> what is the instance out of potentially several protocol runs that is actually aborted?

The instance of the protocol run to which the transport associates the message, as described above.


> What does an attacker need to know to find and abort a vulnerable in-progress instance?

Any EDHOC exchange that has not completed is susceptible to manipulations, but underlying layers may provide some robustness.


> How could two concurrent protocol runs inadvertently (or deliberately) interfere with each other?

For example, by manipulating the prepended connection identifiers, which would lead to an EDHOC message being associated to the wrong protocol state, failed integrity verification and discontinued protocol.

>  Where are the transitions from a vulnerable initial phase to more robust phases where it is harder to disturb the protocol?

After EDHOC is completed, when the keying material can be persistently stored, as described in the message processing (after message_3 for the Responder, and when message_4 or an application message has been verified by the Initiator, see sections 5.4 and 8.1).

Would be interesting to learn if things can be handled in a different way and still preserve the desirable security properties.  Authentication, like baseball, “ain’t over till it’s over”.

Hope that helps,
Göran

From: Lake <lake-bounces@ietf.org> on behalf of Carsten Bormann <cabo@tzi.org>
Date: Tuesday, 7 February 2023 at 18:57
To: lake@ietf.org <lake@ietf.org>
Subject: [Lake] Protocol runs
Today’s brief discussion of the state machine diagrams brought up an observation in my mind that is excellent to demonstrate my ignorance:

The state machine only shows one (essentially linear) protocol run.
How do packets know that they belong to a specific protocol run?
(This is a genuine question; the answer may be trivial.)

When a bad packet shows up and EDHOC reacts by aborting, what is the instance out of potentially several protocol runs that is actually aborted?
What does an attacker need to know to find and abort a vulnerable in-progress instance?
How could two concurrent protocol runs inadvertently (or deliberately) interfere with each other?

A related question is how protected a protocol run is at any point in time.
Where are the transitions from a vulnerable initial phase to more robust phases where it is harder to disturb the protocol?
(Göran: “You need to transition into the persistent state”.)

Stephen pointed out that these questions are quite relevant to security analyses of the protocol, so if you can point out how a security analysis addressed this, that would be interesting.

Grüße, Carsten

--
Lake mailing list
Lake@ietf.org
https://www.ietf.org/mailman/listinfo/lake

v2.23.0 | Report a Bug | By Email