Re: [Lwip] (on PUFs) Re: [IoT-DIR] Iotdir early review of draft-ietf-lwig-crypto-sensors-04
Rene Struik <rstruik.ext@gmail.com> Wed, 08 November 2017 16:07 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: lwip@ietfa.amsl.com
Delivered-To: lwip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CDCE128616; Wed, 8 Nov 2017 08:07:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bt81gHJtH0K9; Wed, 8 Nov 2017 08:07:34 -0800 (PST)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDD58127A91; Wed, 8 Nov 2017 08:07:33 -0800 (PST)
Received: by mail-io0-x22f.google.com with SMTP id 134so6487749ioo.0; Wed, 08 Nov 2017 08:07:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=rTLAb5XGwPSOYwGfB9dfp77hfIpV1reQJ3kaNs3/Xwo=; b=Q21Y1Je9bXGAajSBKb4WB40qfZHh5QOK2igUrok5ydl+6yFTq030GGo2R4IqcHp7Yi wu7cVgjEpMRkjFpJjE4C3VE6c8CwhG07kBnsHjUjCiLYmsakFL5Kx4KEc6+0Ld+zt1Nv 62ieboyJfrMGaDx50VJLjzG5woeJNoSveMqPHubI8a7Jg9IzXVY8CAacvBVkwMK9SN81 fllcxSP79g1vxNDimqUetFk/mR6Ax20EXao/XOmxMB2eSr/LC0Vbg6lEU69zVeNO1cEJ kkhm47FXtrREMamXBRA5J77vLtVZsrLWxl2AGk68s1+dFD9/0gkK3pip2tbtWpDHIlcx VL2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=rTLAb5XGwPSOYwGfB9dfp77hfIpV1reQJ3kaNs3/Xwo=; b=tzPRaznNokiQHP6tmU0Dz6JjmiKI4FQYe/Y+5CwzMyZpJpnN/sN6C1PQkhH8btxiZC mZ/KoUR86gqR/wOviJymUm89OYJa2SLNzm75aKVvzbBp5Nx//ylN9XorjaaEVZ675oWC OK5M1hBgodGLORAM5Fk+gfmuw6dOcuqcvJ9laFLZQq9WSthHSQgnEQVBlWKFIcR6cXBU Eob89SnHZsKASqIBK4YPlAcpcTQjp3ioGFmECPLK7qwc5WbXaUxWofilC1e1UV09oetp 0dw/4LlCz4gXR6aNhqc+HMXX4oZA3jQi+lTwwFACRQo9CrMfhLJ0Gke7g+PLCv7Z7dc/ mqCg==
X-Gm-Message-State: AJaThX5EAiHm6PjHE4qAlwhhvqJAB9QAkqmueHby8Lhd8FNIKtAoaHmt Sl1iGcsNuakdssWoyuEft/2xZA==
X-Google-Smtp-Source: AGs4zMYN/obFfYU901rrjgJHyBVv/EDxp/FxSvEkI2bVY//isG4xRBnIOEjX9GMK/aVvYAm2px+YBA==
X-Received: by 10.107.136.68 with SMTP id k65mr1273972iod.143.1510157252538; Wed, 08 Nov 2017 08:07:32 -0800 (PST)
Received: from [192.168.0.14] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.230.209.238]) by smtp.gmail.com with ESMTPSA id p84sm2401981itc.3.2017.11.08.08.07.30 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Nov 2017 08:07:31 -0800 (PST)
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Samita Chakrabarti <samitac.ietf@gmail.com>
Cc: "lwip@ietf.org" <lwip@ietf.org>, "draft-ietf-lwig-crypto-sensors.all@ietf.org" <draft-ietf-lwig-crypto-sensors.all@ietf.org>, "Iot-dir@ietf.org" <Iot-dir@ietf.org>
References: <150996104393.8207.2811572203550087788@ietfa.amsl.com> <AM4PR0801MB270650AF0ED72FABD13EA028FA500@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CAKmdBpeP9A8VNGB9tCE=wYyBvAMzvZs4vBJq3uS6QoTbVsa4zg@mail.gmail.com> <a3ca29f7-e2ef-175e-0348-babd97d71ae1@gmail.com> <AM4PR0801MB2706EEB884B77C30C508E340FA560@AM4PR0801MB2706.eurprd08.prod.outlook.com>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <fe0eb123-a67c-3bdc-5e53-17ddfa2d0c7a@gmail.com>
Date: Wed, 08 Nov 2017 11:07:28 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <AM4PR0801MB2706EEB884B77C30C508E340FA560@AM4PR0801MB2706.eurprd08.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------316948554F68D649B4964E5E"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/HtEZT46mM86QCtK7Lmbqm5h4R3E>
Subject: Re: [Lwip] (on PUFs) Re: [IoT-DIR] Iotdir early review of draft-ietf-lwig-crypto-sensors-04
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Lightweight IP stack <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2017 16:07:36 -0000
Hi Hannes: It is hard to answer a generic "useful for" question. Question for me is which hard security lifecycle problem you are trying to solve and how (presumably) physically unclonable functions could be a potential fit in addressing this problem; another question is where IoT security lifecycle is different than any security lifecycle (i.e., without the IoT "prefix"). My slides show two main uses of PUFs: burying keys and generating noisy non-repeating values (see my slides). There are some technical challenges as well and ways to give the technology a further "booster shot" (challenges/booster shot could be discussed offline). Best regards, Rene On 11/8/2017 2:31 AM, Hannes Tschofenig wrote: > > Thanks for sharing your presentation, Rene. > > Do you consider PUFs useful for IoT security? That’s a point I > couldn’t really see from your slide deck. > > Ciao > > Hannes > > *From:*Rene Struik [mailto:rstruik.ext@gmail.com] > *Sent:* 07 November 2017 15:53 > *To:* Samita Chakrabarti; Hannes Tschofenig > *Cc:* lwip@ietf.org; draft-ietf-lwig-crypto-sensors.all@ietf.org; > ietf@ietf.org; Iot-dir@ietf.org > *Subject:* (on PUFs) Re: [Lwip] [IoT-DIR] Iotdir early review of > draft-ietf-lwig-crypto-sensors-04 > > Hi Samita, Hannes, et al: > > I gave a presentation on physically unclonable functions at NIST key > management workshop 5 years ago (see [1]), which explains the main > concepts. Please note that the "unique device property" is lost as > soon as the PUF f or a deterministically-derived key K=H(f) is exposed > (see Slide 6 -- hence, the color coding in "red", not to be exposed > material). One needs to do extra tricks, i.e., design a > challenge-response protocol that witnesses possession of f without > revealing this, to use this for ongoing authentication. There are ways > to do this, though. > > Best regards, Rene > > [1] R. Struik, “Secure Key Storage and True Random Number Generation,” > presented at/NIST-KMW: NIST Cryptographic Key Management Workshop/, > Gaithersburg, MD, September 10-11, 2012 > > Available from > https://csrc.nist.gov/csrc/media/events/cryptographic-key-management-workshop-2012/documents/struik_nist_kmw_2012.pdf > > > On 11/6/2017 11:21 PM, Samita Chakrabarti wrote: > > Hi Hannes, > > I have not done comparison with other technologies. But as I > mentioned that it exists. I like the fact it can generate unique > 'intrinsic-id' based on the physical properties of the chip-set. > If IOT-DIR folks like to know more, perhaps I can find out if > there is a remote presentation and Q&A session possible from the > Intrinsic-id folks sometime in the near future. ( Disclaimer: I > have no particular interest other than knowing more about the > feasibility of application of that technology) I was thinking > that this ID can be used in any mutual authentication protocols ( > especially generating the private key). Do you have more > information on them or think otherwise ? > > Regards, > > -Samita > > On Mon, Nov 6, 2017 at 1:39 AM, Hannes Tschofenig > <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>> wrote: > > Hi Samita, > > Do you think PUFs are useful authentication technologies for IoT > devices? > > Ciao > Hannes > > > -----Original Message----- > From: IoT-DIR [mailto:iot-dir-bounces@ietf.org > <mailto:iot-dir-bounces@ietf.org>] On Behalf Of Samita Chakrabarti > Sent: 06 November 2017 10:37 > To: Iot-dir@ietf.org <mailto:Iot-dir@ietf.org> > Cc: lwip@ietf.org <mailto:lwip@ietf.org>; ietf@ietf.org > <mailto:ietf@ietf.org>; > draft-ietf-lwig-crypto-sensors.all@ietf.org > <mailto:draft-ietf-lwig-crypto-sensors.all@ietf.org> > Subject: [IoT-DIR] Iotdir early review of > draft-ietf-lwig-crypto-sensors-04 > > Reviewer: Samita Chakrabarti > Review result: Ready with Nits > > I have reviewed draft-ietf-lwig-crypto-sensors-04 document for > IOT-Directorate review. The following are my comments: > > General : The document is easy reading and informative about > current and previous work. It is ready to publish with minor > changes based on review comments. > > Other comments: > Introduction: > It might be useful to discuss/clarify that multi-level security > may be important for IOT devices all the way from 'bootstrapping > and management' to application security. That perhaps can include > obtaining IP-addresses securely, mutual authentication between > server and devices , etc. ( see > https://tools.ietf.org/html/draft-ietf-6lo-ap-nd-03) in those > cases where each device has an IP address. > > Section 2: > Regarding problems of provisioning and management of networks for > the IOT devices there may be additional issues – 1) different > types of IOT devices and the lack of standards way to provision > them as they might be talking different RF technologies and > running L2 protocols only. 2) The iot nodes may be moving > individually or collectively and change networks; identifying the > movement of the iot nodes or identifying a particular node at any > point of time uniquely requires an intrinsic identification which > might be useful to set during bootstrapping of the node > > Regarding related work – does it consider IETF IOT security work > only? There have been some work and thought process going on > regarding blockchain IOT security in the industry. Perhaps that is > out-of-scope of this document, but I wanted to mention for > authors’ considerations. > > Section 5: > Authors of the document may also want to browse a SRAM PUF based > technology which provides unique ID based authentication mechanism. > https://www.intrinsic-id.com/intrinsic-id-joins-wi-sun-alliance/ > > Section 9: > Does the example simulate any particular deployment model or > research experiments ? It might be good to clarify that. Section > 10 and 11: Looks like section 11 is closely related to section 10. > Should they be combined together ? > Else some more text is needed in section 10 on design trade-offs. > > Section 13: > Does this document recommend one layer of security to IOT devices > ? There are different types of IOT devices – some of them are very > tiny and some are more capable. Some definitely benefit for > multi-level security than single layer of security. L2 security > is generally recommended for for all IOT networks. Does data > object protection only protect the application data (payload) or > more ? > > Thanks for the initiative in documenting the valuable work in IOT > security implementation and crypto comparison. -Samita > > > _______________________________________________ > IoT-DIR mailing list > IoT-DIR@ietf.org <mailto:IoT-DIR@ietf.org> > https://www.ietf.org/mailman/listinfo/iot-dir > > IMPORTANT NOTICE: The contents of this email and any attachments > are confidential and may also be privileged. If you are not the > intended recipient, please notify the sender immediately and do > not disclose the contents to any other person, use it for any > purpose, or store or copy the information in any medium. Thank you. > > > > > _______________________________________________ > > Lwip mailing list > > Lwip@ietf.org <mailto:Lwip@ietf.org> > > https://www.ietf.org/mailman/listinfo/lwip > > -- > email:rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: rstruik > cell: +1 (647) 867-5658 | US: +1 (415) 690-7363 > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose > the contents to any other person, use it for any purpose, or store or > copy the information in any medium. Thank you. -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- [Lwip] Iotdir early review of draft-ietf-lwig-cry… Samita Chakrabarti
- Re: [Lwip] [IoT-DIR] Iotdir early review of draft… Hannes Tschofenig
- Re: [Lwip] [IoT-DIR] Iotdir early review of draft… Samita Chakrabarti
- [Lwip] (on PUFs) Re: [IoT-DIR] Iotdir early revie… Rene Struik
- Re: [Lwip] (on PUFs) Re: [IoT-DIR] Iotdir early r… Hannes Tschofenig
- Re: [Lwip] (on PUFs) Re: [IoT-DIR] Iotdir early r… Rene Struik
- Re: [Lwip] Iotdir early review of draft-ietf-lwig… Mohit Sethi