[Lwip] (on PUFs) Re: [IoT-DIR] Iotdir early review of draft-ietf-lwig-crypto-sensors-04
Rene Struik <rstruik.ext@gmail.com> Tue, 07 November 2017 14:59 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: lwip@ietfa.amsl.com
Delivered-To: lwip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E07A13FED0; Tue, 7 Nov 2017 06:59:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zfaeXzuLaAXd; Tue, 7 Nov 2017 06:59:42 -0800 (PST)
Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B225513FEB5; Tue, 7 Nov 2017 06:52:39 -0800 (PST)
Received: by mail-it0-x230.google.com with SMTP id y15so2705878ita.4; Tue, 07 Nov 2017 06:52:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=2AfF2Md+Hxn3JLIUSIPE0v+nGy1DoU17XRfoknnia80=; b=DmTDICcR10vxVuiuHod5MPTbMbcqKjVdlmWllU7fkBAZBxqFrqnVNVbnmBWJU/9cjU JZ4UTR4gwciSEdAZ3xher/XKXoO4iMqdECjmFbXFF3BJoJooBIuUCyvA+zsFYbmzWLdD vbBYw22PWWJeIcrYn3p2JlqjWxcF5rGOLZTV/yxxojSXij2gAJ1JLKWox0gPg4EDpNSD UcZdJILD2xfmwi/3c8o9V9WpMkAMGW2onnrOh/oNgMvghSoQG/ByIuwXf0cUn9RTwnwZ XavqehI+Iv/oglKsRiVsKaMe5OJ+9bZ/x6ESzW77/Lcs1k5zVlxkZq3pBXQRq1c3EFVa Ktfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=2AfF2Md+Hxn3JLIUSIPE0v+nGy1DoU17XRfoknnia80=; b=MGx4KXKdKk92FOGxIEybORCrcWltwkvQEuvOM7U3J28Xz3cufybIJojLXs8C12Bqyr /tjFXfz7D5BiUJr79eQMpPqa9wEAeXHqEV6+0INDlR9f5YfZ3kYe/+gJnHxjup8zFweI iGd0rIzTClZsHU4ruO6tDNLbftxeWJWF9EQR01Qw5+93+hYDlC+6eoAPAFoP44j77/1A 6Q0STxMm2WjXpR/tdY4zamvbLnXjNErZsiji3nbKcLOelF3glBvlcsy5dG6HmzDpbTcy 6KqL6h1VqzOfCd8FsgMLFZxCnfSzXnmII1VGN0AU2LKGXZQMQAJPT6s8mYQFf00ULHB+ +6RA==
X-Gm-Message-State: AJaThX4RwvNq5XyohR17kLr38ktNhIulCJOzZj2GcLqiMZ6oDAkmX/cY MeTCN00l3+mjFDHO9z9kN97+ZA==
X-Google-Smtp-Source: ABhQp+TD0waSm/M36VvbnMBNjsbF6ukeiE2ELqnGC402lMXHjZTLxYjzVVIWjceuM45MoD8m+ZOVcg==
X-Received: by 10.36.112.143 with SMTP id f137mr2315902itc.84.1510066358713; Tue, 07 Nov 2017 06:52:38 -0800 (PST)
Received: from [192.168.0.14] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.230.209.238]) by smtp.gmail.com with ESMTPSA id q1sm906713itc.9.2017.11.07.06.52.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Nov 2017 06:52:37 -0800 (PST)
To: Samita Chakrabarti <samitac.ietf@gmail.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "lwip@ietf.org" <lwip@ietf.org>, "draft-ietf-lwig-crypto-sensors.all@ietf.org" <draft-ietf-lwig-crypto-sensors.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "Iot-dir@ietf.org" <Iot-dir@ietf.org>
References: <150996104393.8207.2811572203550087788@ietfa.amsl.com> <AM4PR0801MB270650AF0ED72FABD13EA028FA500@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CAKmdBpeP9A8VNGB9tCE=wYyBvAMzvZs4vBJq3uS6QoTbVsa4zg@mail.gmail.com>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <a3ca29f7-e2ef-175e-0348-babd97d71ae1@gmail.com>
Date: Tue, 07 Nov 2017 09:52:33 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <CAKmdBpeP9A8VNGB9tCE=wYyBvAMzvZs4vBJq3uS6QoTbVsa4zg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------0071639AD541C804D543813E"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/BDxQd6EasjqPaZe5srE3mRtskUg>
Subject: [Lwip] (on PUFs) Re: [IoT-DIR] Iotdir early review of draft-ietf-lwig-crypto-sensors-04
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Lightweight IP stack <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2017 14:59:44 -0000
Hi Samita, Hannes, et al: I gave a presentation on physically unclonable functions at NIST key management workshop 5 years ago (see [1]), which explains the main concepts. Please note that the "unique device property" is lost as soon as the PUF f or a deterministically-derived key K=H(f) is exposed (see Slide 6 -- hence, the color coding in "red", not to be exposed material). One needs to do extra tricks, i.e., design a challenge-response protocol that witnesses possession of f without revealing this, to use this for ongoing authentication. There are ways to do this, though. Best regards, Rene [1] R. Struik, “Secure Key Storage and True Random Number Generation,” presented at/NIST-KMW: NIST Cryptographic Key Management Workshop/, Gaithersburg, MD, September 10-11, 2012 Available from https://csrc.nist.gov/csrc/media/events/cryptographic-key-management-workshop-2012/documents/struik_nist_kmw_2012.pdf On 11/6/2017 11:21 PM, Samita Chakrabarti wrote: > Hi Hannes, > I have not done comparison with other technologies. But as I mentioned > that it exists. I like the fact it can generate unique 'intrinsic-id' > based on the physical properties of the chip-set. If IOT-DIR folks > like to know more, perhaps I can find out if there is a remote > presentation and Q&A session possible from the Intrinsic-id folks > sometime in the near future. ( Disclaimer: I have no particular > interest other than knowing more about the feasibility of application > of that technology) I was thinking that this ID can be used in any > mutual authentication protocols ( especially generating the private > key). Do you have more information on them or think otherwise ? > > Regards, > -Samita > > On Mon, Nov 6, 2017 at 1:39 AM, Hannes Tschofenig > <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>> wrote: > > Hi Samita, > > Do you think PUFs are useful authentication technologies for IoT > devices? > > Ciao > Hannes > > -----Original Message----- > From: IoT-DIR [mailto:iot-dir-bounces@ietf.org > <mailto:iot-dir-bounces@ietf.org>] On Behalf Of Samita Chakrabarti > Sent: 06 November 2017 10:37 > To: Iot-dir@ietf.org <mailto:Iot-dir@ietf.org> > Cc: lwip@ietf.org <mailto:lwip@ietf.org>; ietf@ietf.org > <mailto:ietf@ietf.org>; > draft-ietf-lwig-crypto-sensors.all@ietf.org > <mailto:draft-ietf-lwig-crypto-sensors.all@ietf.org> > Subject: [IoT-DIR] Iotdir early review of > draft-ietf-lwig-crypto-sensors-04 > > Reviewer: Samita Chakrabarti > Review result: Ready with Nits > > I have reviewed draft-ietf-lwig-crypto-sensors-04 document for > IOT-Directorate review. The following are my comments: > > General : The document is easy reading and informative about > current and previous work. It is ready to publish with minor > changes based on review comments. > > Other comments: > Introduction: > It might be useful to discuss/clarify that multi-level security > may be important for IOT devices all the way from 'bootstrapping > and management' to application security. That perhaps can include > obtaining IP-addresses securely, mutual authentication between > server and devices , etc. ( see > https://tools.ietf.org/html/draft-ietf-6lo-ap-nd-03 > <https://tools.ietf.org/html/draft-ietf-6lo-ap-nd-03>) in those > cases where each device has an IP address. > > Section 2: > Regarding problems of provisioning and management of networks for > the IOT devices there may be additional issues – 1) different > types of IOT devices and the lack of standards way to provision > them as they might be talking different RF technologies and > running L2 protocols only. 2) The iot nodes may be moving > individually or collectively and change networks; identifying the > movement of the iot nodes or identifying a particular node at any > point of time uniquely requires an intrinsic identification which > might be useful to set during bootstrapping of the node > > Regarding related work – does it consider IETF IOT security work > only? There have been some work and thought process going on > regarding blockchain IOT security in the industry. Perhaps that is > out-of-scope of this document, but I wanted to mention for > authors’ considerations. > > Section 5: > Authors of the document may also want to browse a SRAM PUF based > technology which provides unique ID based authentication mechanism. > https://www.intrinsic-id.com/intrinsic-id-joins-wi-sun-alliance/ > <https://www.intrinsic-id.com/intrinsic-id-joins-wi-sun-alliance/> > > Section 9: > Does the example simulate any particular deployment model or > research experiments ? It might be good to clarify that. Section > 10 and 11: Looks like section 11 is closely related to section 10. > Should they be combined together ? > Else some more text is needed in section 10 on design trade-offs. > > Section 13: > Does this document recommend one layer of security to IOT devices > ? There are different types of IOT devices – some of them are very > tiny and some are more capable. Some definitely benefit for > multi-level security than single layer of security. L2 security > is generally recommended for for all IOT networks. Does data > object protection only protect the application data (payload) or > more ? > > Thanks for the initiative in documenting the valuable work in IOT > security implementation and crypto comparison. -Samita > > > _______________________________________________ > IoT-DIR mailing list > IoT-DIR@ietf.org <mailto:IoT-DIR@ietf.org> > https://www.ietf.org/mailman/listinfo/iot-dir > <https://www.ietf.org/mailman/listinfo/iot-dir> > IMPORTANT NOTICE: The contents of this email and any attachments > are confidential and may also be privileged. If you are not the > intended recipient, please notify the sender immediately and do > not disclose the contents to any other person, use it for any > purpose, or store or copy the information in any medium. Thank you. > > > > > _______________________________________________ > Lwip mailing list > Lwip@ietf.org > https://www.ietf.org/mailman/listinfo/lwip -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- [Lwip] Iotdir early review of draft-ietf-lwig-cry… Samita Chakrabarti
- Re: [Lwip] [IoT-DIR] Iotdir early review of draft… Hannes Tschofenig
- Re: [Lwip] [IoT-DIR] Iotdir early review of draft… Samita Chakrabarti
- [Lwip] (on PUFs) Re: [IoT-DIR] Iotdir early revie… Rene Struik
- Re: [Lwip] (on PUFs) Re: [IoT-DIR] Iotdir early r… Hannes Tschofenig
- Re: [Lwip] (on PUFs) Re: [IoT-DIR] Iotdir early r… Rene Struik
- Re: [Lwip] Iotdir early review of draft-ietf-lwig… Mohit Sethi