IETF Logo Mail Archive

Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02

ladler2@bellatlantic.net Wed, 13 March 2024 18:32 UTC

Return-Path: <ladler2@bellatlantic.net>
X-Original-To: sat@ietfa.amsl.com
Delivered-To: sat@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39D33C15154F for <sat@ietfa.amsl.com>; Wed, 13 Mar 2024 11:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.024
X-Spam-Level:
X-Spam-Status: No, score=-1.024 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, TRACKER_ID=0.1, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bymSSkPb-VWV for <sat@ietfa.amsl.com>; Wed, 13 Mar 2024 11:32:40 -0700 (PDT)
Received: from sonic308-9.consmr.mail.ne1.yahoo.com (sonic308-9.consmr.mail.ne1.yahoo.com [66.163.187.32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19D1BC15154D for <sat@ietf.org>; Wed, 13 Mar 2024 11:32:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1710354759; bh=ghaxG3gKEyvPaa02kLihXQ1Vac1mBlQFjFbLz2XQvvA=; h=From:To:References:In-Reply-To:Subject:Date:From:Subject:Reply-To; b=U0/deerhl7Xx/8LX4UI0g5UVUT9MGf2JgbdkEeP3RLf5ne+ZD/WgQNKc/pcltKaxSs5l+rP0+0nE62+Fl0i91orSMpY5MD+PldshAIasTVJOETaHDiKWHEoCnpgG/YfGmtB68diwKGnVNMSWhGNHVtK4MPp5C9cd08JBU115K5dSGWOC7VOnkikCOEZXaNDUVDj2EEMj2eOtbSMW2QiQto1pikEg+6nIzDvqX6/kYygq+OYystoh7TycJIKWbiHZqhSYMqUX4dATliSLa6fFj98b5LU65pXWO6W/PlLrEGR7NyPsGetG2gpZ/jSecUYc6RYX8qLqniN2vhmeT3JVHg==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1710354759; bh=2Hp9bnrGg0AsqDUw7XUx07sAgTlJ3poose721M0Fzee=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=sjlovEKZ/kz/K2zVZSzxgrtkY8lcJLr93b8NwrGqa0S4Ip9I7OXw5ni9l+hEvzZghU2kKgbx1vCL8T3dgw2Szd33ffBhs9CFXhMpQvUUbBNVJenVX9AIRiEutdKlnVolqatZQMbyG5ERiz1f47E4e45TIWjUd+kFS/MROdeOLDaiQoon83D9dPzglsfeJnaqm0CMk9tAGn0G3mjcF3v11MvPMDUZU9FN3jU+2xFqFpm4r6Lt8TxeazHLldoKzIrIWKXbTa5MHI/eMqeJNJ/c2oLUMNaAdBlkM7hR3yCwEPZxlED/HhCFJNsUbJqWMTCFWHHSzMVaBNaUJU6n2YedWg==
X-YMail-OSG: USmwrYgVM1ni.oz888rOARU.hl7f6o74qHwqN0oadgjmMW_UB3D_G0BEIyoSaP4 CDQqX6RwOHrHCLjWFw5tPr9onlyXACEfkHKSIogDDu3FP.OlwSTWgKSRLUrhBy.SJPQMQGRaAsFz 0Y3EJ4pEFsvaQKwHvsxvtxHGPRvFjHdt5tHomTQddSuNOkNXA7N4A9hMqD.CkRnYucR3KV1JlGFC qtl2XefEsbLK4ImsNFflaTngNsrJfRDmiaRbk9Ri2mzozhvI9n5W2wR.9EC6pxVC1vbsUS4hkjUV juaOUCRJTbZVM4TDW_k_e0fU1jJHBqwIrNazgrtY.0bQWHYze9U4Dmpknqd6CfOjADR3Ej8UI3Hr BW9VLhCXOUbkuRjvL6e8jyY_08Qnmo2d9lcRck8vx6g_OJv1CvJoWdHVXAnurkHdKaxaN9xNUltN 0UfqV1aOOJo0jmANaRst2EGbOXbtlRofEt2xo02huSPFkX44YTRFuzxvHaCDutqMixACs2iIkdmo LwSjxge02cJ6avuUUNYCbG_Uixu31gcsdiub2xiEz2LKdi9m73cpsafm8h.yc_sGQPg_UJnJT8SV hvotF88yjIWHvwE6aNHFk0XUQam8TtaNlQwaCMMNauQuKnyq2Cmwrf1AaavV.5CsPBAPXGz2X4jH pZJR.E.kxYi_cHiBzyDWZHa3OMRwGJTndDyO4Nh183FIe0KUuVn.XFjiXGmhHZ73phu4cdTkqMQ8 TgPU3wdom3Eb.uTRL9cW1x5Dh1Zg0mY845gCM2JPfbGWARAy5m0NGHwMtFTVcP9BFgF7CZ9wXr8n 5lkAtGa.K6q9xl9qrTO8d1eJcSWV.tjSCXX5.baDIGmMFXtQ0E6alRhgAdkfSPi0bEbUsPq5Oqhh MomwPUAO2YfG4_5Ur_W6092JqOIrTfahgYOHAEFZ69zsl0YiexLfYw1r74ddgxS4x3WD_uNaEGdO WGeaYSqaLvNU1d3G14TjoO9tHZqa91SYlWj2Y96n1H3aIYPpJf_ms0ipgK_Y5M2BDRgZNfEqBb9h sxJuHdtLpTxbt8uAcxtmN9KnLKr1R_d3U.Xjv4eNdEMtBHbvrU6yOdiUK8YpockZdsMOdiq5Lg7l 7_g.ZmroEIDxTbPamHblnDoh4OCKES0jaZIP9sgY_NtmHhGDUktZf4xcPPn9PD.FhB.wNb4wZ47G 7YaFqcBmda_GOzeUlCkRcT0gEA3PfzflFcoA1_2bCwe84Y0dCStrz8uf8nL.rCVVFwjGFx8tfyQu wmnwQuZzJ5IFW0r5F5ZfOLrzYNU30.170XpDmRm_0sBYrYWpSNWHP8zNjHc_7VMlOtr4X_2uyUzU DeRIDqSRSfZzyWSFng_lbrNrS0tKe0Mc9fyp6SKhVshYaGnLhJa1pSBL5ze.WY4DKmc14CJrt1AA eR31DO6VISPEPpFULYFM0yG8hI.3.1gXQpoUfjFe1tmpjJ68TLvO3C1GfUvI3L.bDWZTAhCVv8PI PSlK7NVzrLIrBdm7_Ks_vkAob4HpEllKxyjRWxcGx9Jyt1LXlOMtIu18zs1aFhiPWVVfHFBVWO_t kJQ5pjUUGfvmC6EM2NdJZHWg7twqzEYpmhqvgqu43ihD_Q1wEcQE1KvwV_.Xo8kgt__qI0z2Y0ah ALcbqBFFAJb1GaQCWC.Yc2RnvmSfZDQ_cfgd1zpOBHTlwlyllE13HbX8jFP.C3Uo58D99P7.2UYt dNa1jE1aQHHOg5HuIIA0ZZFdJaSGM2RZro0fOftLi5NzAFqDjUNRhcCn5btiU2gEFzkxmA7nR6w9 5vXFv86fCfyTZJWHjEUsDiMTVm5xXZWHW62ZLcIKP09e.sUS4a16aB30YSPIFegbu1LvoEM_ddQR P27fLkX7y5bwpOUMr96ZkO3L4Q2Z5X.aSVFjzqau1jlZds8QPDgfXROBG4w7meXjwvj_ybfdeb65 lXSHuaO.nQrBq_viX.WJ908kAMItaHG_5bL5a6XI203yoBk10TdFyVxOmEgsHFnrDlwyf.urtxwJ JEJIXUYiT1E4Mg5R.nv1bNUj7jML6EZjym3vVUUJfm2EMl3HESxB1tBwuIVCbH7JpnpVMd05tJa8 wd1EzoY4c3ktRxfsXUtSh5syPMOEXWSoU_BZWmorlSN6yxm.L1hu_lHgTRVBMutrCC6mie8qjbyd 18RMs0RcshmzmOpXyZ85iUQeEaeTB3HrKRObsrb6yUvOKbi1A66GzO4MoJYRoTV_4e0Rb0v21oJc pwWOnfm9fWio.iUrAw5rduMa4mqAlznb7k28UQSqDTcaRAQ--
X-Sonic-MF: <ladler2@bellatlantic.net>
X-Sonic-ID: 8d0c3156-78c2-46ad-899f-e6347ebe38f4
Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Wed, 13 Mar 2024 18:32:39 +0000
Received: by hermes--production-bf1-7d6dbd57c9-hwf7b (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 70ac40c16a50685795c34c6c9f4f2c06; Wed, 13 Mar 2024 18:32:34 +0000 (UTC)
From: ladler2@bellatlantic.net
To: sat@ietf.org
References: <yblbk7nh517.fsf@wx.hardakers.net> <017d01da7498$6c7d8f70$4578ae50$@bellatlantic.net> <SJ0PR15MB513247E0DC4DBCC3EA3AB0DAB82B2@SJ0PR15MB5132.namprd15.prod.outlook.com> <DM6PR01MB439526AD9219E9F0D2806936CB2B2@DM6PR01MB4395.prod.exchangelabs.com> <SJ0PR15MB513284153249CD8875399553B82B2@SJ0PR15MB5132.namprd15.prod.outlook.com> <DM6PR01MB43950A5955A657343A6D4FF9CB2B2@DM6PR01MB4395.prod.exchangelabs.com>
In-Reply-To: <DM6PR01MB43950A5955A657343A6D4FF9CB2B2@DM6PR01MB4395.prod.exchangelabs.com>
Date: Wed, 13 Mar 2024 14:32:31 -0400
Message-ID: <009201da7574$d016eb30$7044c190$@bellatlantic.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0093_01DA7553.49080A50"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKX9BOR6dajiV40yIdhhHdCc40eowG1wtPhAqd/c6wBpXh8fQGkiPdrAazDMUKvcEP7MA==
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/sat/EJmfJiEUZxbRBy8oC0jPwsXCw3g>
Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02
X-BeenThere: sat@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "The purpose of this mailing-list is to discuss the secure asset transfer \(SAT\) protocol and related aspects." <sat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sat>, <mailto:sat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sat/>
List-Post: <mailto:sat@ietf.org>
List-Help: <mailto:sat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sat>, <mailto:sat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2024 18:32:44 -0000

Hi:

   I think the appendix Thomas has suggested below  belongs in a threat model document.

I don’t think RFC 5246 (TLS 1.2) is a good model.  TLS is essentially a transport protocol not an application protocol.

 

I think the architecture document should contain additional systems features such as:

 

1.	Is a query facility necessary for one gateway to verify that the other gateway has really performed critical functions?

Example:  Did Gateway 1 really extinguish the asset when it was supposed to?

 

2.	Is a facility needed so that each Gateway can  do its own authentication of  the user signed on to the other Gateway?

 

I am sure there are other facilities necessary to provide security to this process.

 

David Millman

   

From: sat <sat-bounces@ietf.org> On Behalf Of Thomas Hardjono
Sent: Tuesday, March 12, 2024 5:32 PM
To: VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com>; ladler2@bellatlantic.net; sat@ietf.org; Thomas Hardjono <hardjono@mit.edu>
Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02

 

Folks, 

 

How’s about this text for an Appendix in the SATP-Architecture.  I’m thinking we should make each paragraph short, kind of like Appendix F in RFC5246.

 

Please feel free to suggest additional bullet points on attack points in the SATP protocol run. 

 

--- --- --- --- 

Appendix A: Security Analysis

 

The SAT protocol utilizes a TLS1.2 (TLS1.3) secure channel that must be establishes between the sender gateway (G1) and the receiver gateway (G2). The two gateways must first establish this secure channel in Stage-0 before they can proceed to execute the SAT protocol. This includes both gateways verifying all the relevant parameters required for their TLS1.2 session (e.g. correct TLS endpoints, certificate validation, identity validation, etc.).

 

Assuming the two gateways have established the secure channel and have proceeded to commence the SAT protocol, there are a number of possible attacks points within the SAT protocol run that may occur if one (or both) of the gateways are dishonest. Alternatively, an attacker may target one (or both) gateways by disrupting the message exchange between gateways G1 and G2. 

 

(a) Multiple intentional aborts by the sender gateway G1:

 

A dishonest sender gateway G1 may purposely fail to continue the protocol run at certain crucial points.  One such crucial point is in Stage-3, where the gateway G1 is expected to transmit the Commit-Final Assertion message (3.5). If the gateway G1 intentionally fails to transmit this message, gateway G2 may conclude that the message has been lost and may proceed to reverse the temporary hold it has previously created (temporary asset mint in message 3.2).  Although this dishonest behavior by G1 does not cause asset damage to G2, it may exhaust computing resources at gateway G2. If network NW2 incurs transaction fees, such a reversal may be costly for gateway G2.

 

 

(b) Multiple intentional aborts by the receiver gateway G2:

 

In a similar manner, a receiver gateway G2 may also purposely fail to continue the protocol run at certain crucial points. One such point is in the Commit-Ready message (3.3) that it should transmit to G1 after receiving the commit prepare message (3.1) from G1. In this case, gateway G1 may conclude that the message is lost and simply abort the protocol run.

 

 

(c) Failure to transmit ACK-Final Receipt:

 

Another possible point of attack by a dishonest gateway G2 may occur by the gateway intentionally failing to transmit the ACK-Final-Receipt (3.7) in response to a the Commit-Final Assertion message (3.5) from gateway G1. Here, the senser gateway G1 may conclude that the message is lost and will assume that the transaction has reach finality in network NW2. The sender gateway G1 has retained the previous Lock-Assertion Receipt (2.4) in Stage-2 that was signed by G2, indicating that the gateway G2 has accepted the responsibility of ensuring that the asset-assignment (3.6) by G2 will be correctly executed. Failure by G2 to complete this task becomes a financial and legal liability for the owner of gateway G2.

 

 

(d) Other?

 

--- --- --- --- 

 

 

 

--thomas

 

 

 

 

From: VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com <mailto:vramakr2@in.ibm.com> >
Date: Tuesday, March 12, 2024 at 2:59 PM
To: Thomas Hardjono <hardjono@mit.edu <mailto:hardjono@mit.edu> >, ladler2@bellatlantic.net <mailto:ladler2@bellatlantic.net>  <ladler2@bellatlantic.net <mailto:ladler2@bellatlantic.net> >, sat@ietf.org <mailto:sat@ietf.org>  <sat@ietf.org <mailto:sat@ietf.org> >
Subject: RE: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02

FYI, we did discuss security threats a couple of months ago on this mailing list: https://mailarchive.ietf.org/arch/msg/sat/CPTQfYeEH0acV_5ryeBdCEPAD0c/. The outcome was that “12. Threat Model Considerations” was added to the architecture draft.

 

Rama

 

From: Thomas Hardjono <hardjono@mit.edu <mailto:hardjono@mit.edu> > 
Sent: Wednesday, March 13, 2024 12:13 AM
To: VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com <mailto:vramakr2@in.ibm.com> >; ladler2@bellatlantic.net <mailto:ladler2@bellatlantic.net> ; sat@ietf.org <mailto:sat@ietf.org> 
Cc: Thomas Hardjono <hardjono@mit.edu <mailto:hardjono@mit.edu> >
Subject: [EXTERNAL] Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02

 

Thanks David and Rama, One useful analogy at the protocol level is to compare the function/purpose of the SATP protocol with the function/purpose TLS1. 2 protocol (RFC5246). The TLS1. 2 spec defines the behavior of the client/server to establish 

ZjQcmQRYFpfptBannerStart




This Message Is From an External Sender 


This message came from outside your organization. 


   <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/AdhS1Rd-!-HFV_fb-Xk972ls5DoWgMWW79oH20YfNH8hjCg3JlqiuFsXT2NITBT7QRPylcK8cqNSq3CDVQ6pUL0xR8KH4JB2dmkL9SjtYZgBubMWLl0x9qJWTlFfUIpU1ph2Fp4CrUIPjIw$>   Report Suspicious    ‌ 

ZjQcmQRYFpfptBannerEnd

Thanks David and Rama,

 

One useful analogy at the protocol level is to compare the function/purpose of the SATP protocol with the function/purpose TLS1.2 protocol (RFC5246).

 

The TLS1.2 spec defines the behavior of the client/server to establish keys amd secure session etc., but the RFC does not say _how_ to implement a TLS Server.  The server could be a standalone box, a microservice in a private cloud, or on a public cloud.  In each of these cases, the actual implementation quality and attack-resistance will vary.

 

Similarly, the SATP-Architecture and SATP-Core defines the behavior of gateways (which we call Client/Server in SATP-Core). It does not say how to implement a Gateway in a relatively attack-resistant manner.

 

A useful part of RFC5246  is its Appendix F (Security Analysis), which discusses some of the possible attacks and some strategies to counter them.  Even there, the Appendix does not explain how to implement against these attacks.

 

Perhaps SATP-Architecture (or SATP-Core) could be improved by adding an Appendix discussing the Security Threats.

 

What do folks think?

 

 

Best

--thomas

 

 

 

From: sat <sat-bounces@ietf.org <mailto:sat-bounces@ietf.org> > on behalf of VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com <mailto:vramakr2@in.ibm.com> >
Date: Tuesday, March 12, 2024 at 1:33 PM
To: ladler2@bellatlantic.net <mailto:ladler2@bellatlantic.net>  <ladler2@bellatlantic.net <mailto:ladler2@bellatlantic.net> >, sat@ietf.org <mailto:sat@ietf.org>  <sat@ietf.org <mailto:sat@ietf.org> >
Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02

David,

In my opinion, SATP doesn't require "everybody" to be honest, but just requires that each counterparty network be "collectively honest", i.e., maintain internal consistency and have the capacity to thwart insider Byzantine failures.

Further, if a gateway acts dishonestly, "honest" counterparty networks will be able to find out through an audit (which is not as satisfactory as a prevention, but it may be the best we can get in a completely decentralized setting.)

Your point about SATP coming under intense threat (and scrutiny, if it handles large-valued assets) is very well taken though. We do need to make the security assumptions and caveats crystal clear. IMO the design principle of network opacity as mentioned in Section 3.1 covers the point about collective network honesty as it tells users that, from SATP's perspective, the network is a unitary entity that has delegated asset transfer privileges to a gateway.

Rama

-----Original Message-----
From: sat <sat-bounces@ietf.org <mailto:sat-bounces@ietf.org> > On Behalf Of ladler2@bellatlantic.net <mailto:ladler2@bellatlantic.net> 
Sent: Tuesday, March 12, 2024 9:45 PM
To: sat@ietf.org <mailto:sat@ietf.org> 
Subject: [EXTERNAL] Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02

Hi:
  I have a problem with the architecture document because it contains only small sections related to security.
The SAT process will come under intense threat from external theft and internal fraud.
The architecture document focuses on a clean asset exchange where everyone is honest and uses well tested software.

I am not an expert on blockchain or related technologies so the experts in the WG should add to the architecture document the features necessary to deal with the threats.

Question:  Do we want to revisit the architecture document when the threats to the SAT process are enumerated?

David Millman

-----Original Message-----
From: sat <sat-bounces@ietf.org <mailto:sat-bounces@ietf.org> > On Behalf Of Wes Hardaker
Sent: Saturday, March 9, 2024 9:08 AM
To: sat@ietf.org <mailto:sat@ietf.org> 
Subject: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02


Greetings all,

The authors have requested that draft-ietf-satp-architecture-02 be placed into WG last call and after a review by the chairs we agree it's ready to progress forward.  I have some personal comments that I'll submit during last call, but nothing substantive or process-problematic that should hold up it progressing.  Thus, we have changed the document's status to being in WG LC and have set a deadline of 4 weeks from now.  Thus, WG LC will end on April 6th, AOE (anywhere on earth).

We encourage all participants of the WG to read the document,  suggest any changes you feel are needed from simple editorial suggestions to calling out major issues you find with the document.  WG participants should also express their opinions about whether or not the document is ready to progress and you support it's publication.

All comments should be sent to the mailing list.

--
Wes Hardaker
USC/ISI

--
sat mailing list
sat@ietf.org <mailto:sat@ietf.org> 
https://www.ietf.org/mailman/listinfo/sat 

--
sat mailing list
sat@ietf.org <mailto:sat@ietf.org> 
https://www.ietf.org/mailman/listinfo/sat 

-- 
sat mailing list
sat@ietf.org <mailto:sat@ietf.org> 
https://www.ietf.org/mailman/listinfo/sat

v2.23.0 | Report a Bug | By Email