[Lake] ace-ake-auth updates for latest EDHOC principles

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 12 October 2022 13:23 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: lake@ietf.org
Reply-To: lake@ietf.org
cc: ace@ietf.org, anima@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/lRMrYspQ8fIoSaYmUIgvjK4-TwA>

The authors of draft-selander-ace-ake-auth have been discussing how to update
this draft to reflect some of the changes in EDHOC.  Specifically, there is a
concern that ace-ake-auth reveals too much in message_1, things which EDHOC
has worked hard to keep private.

For those that don't know ace-ake-auth, it fits into the "Ultra-constrained"
onboarding column for the diagram that was part of
https://datatracker.ietf.org/doc/html/draft-richardson-enrollment-roadmap-03
(and was in the IoT-Dir wiki, which needs to be resurrected.  The diagram is
also visible at:
https://github.com/anima-wg/enrollment-roadmap/blob/master/technology-components.svg )

The ACE connection is that the backend (aka "BRSKI-MASA" protocol equivalent)
was leveraged against the ACE mechanism.  There is now some reconsideration
here.  Fundamentally, it would be nice to know where the document adoption is
going so that we'd know where to have public discussions about the trade-offs.
(please note reply-to)

The location of the MASA (aka "W" in the document) is provided in the clear
during message_1, with the actual device serial number encrypted to W using a
static DH key that the pledge ("U") has been provisioned with.

It would be nice to move some of this from message_1 to message_3, which
would guard better against on-path attacks that impersonate V.   The URL
provided during message_1 is visible to any observers, and since this is
onboarding, any network privacy is not yet applicable.

OTOH, the authorization step needs to complete before message_2 can properly
be formed, as it contains enough of the RFC8366 constrained-voucher semantics
that it allows the pledge (U) to authenticate V.

Knowing the identity of the MASA may tell you a lot about the device in
question.  This is a place where having many MASA outsourced to a big MASA
helps with privacy.  It's also a place where perhaps oblivious-HTTP might
help.

There is a question about what the security policy of W is.
Is it TOFU-ish, aka promiscuous MASA, or does *it* know which device has been
sold to whom?

Also, the URL for the MASA is ideally very very short :-)

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide