Re: [Secdispatch] DTLS - EDHOC <= 32

Mohit Sethi M <mohit.m.sethi@ericsson.com> Mon, 11 March 2019 18:34 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Eric Rescorla' <ekr@rtfm.com>, 'Benjamin Kaduk' <kaduk@mit.edu>
CC: 'Richard Barnes' <rlb@ipv.sx>, Göran Selander <goran.selander@ericsson.com>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Date: Mon, 11 Mar 2019 18:34:45 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/Oke8yarep-JyLyosJg_oMu_VkOs>

Hi Jim,

We have just written a report on misbinding attacks in a slightly different context. It might be useful reading if you want to learn more about misbinding in general:

https://arxiv.org/abs/1902.07550

We will be discussing this during the SAAG session in Prague.

--Mohit

On 3/5/19 7:59 PM, Jim Schaad wrote:
I don’t understand the attack below.  Are you missing some pieces or did things get misaligned?  What do you think the attacker is ending up with at the end?  g^xy?

Jim


From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: Tuesday, March 5, 2019 7:41 AM
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Richard Barnes <rlb@ipv.sx>; Göran Selander <goran.selander@ericsson.com>; secdispatch@ietf.org
Subject: Re: [Secdispatch] DTLS - EDHOC <= 32

I've been thinking a bit about the use of a key_id as an optimization
to avoid carrying the key, and I think it might be a source of
identity misbinding attacks. Note that this is not an issue specific
to EDHOC or cTLS or whatever, it can happen whenever you use
this optimization.

Consider the case where Alice has accounts with both Bob and the
Attacker. Alice uses a certificate for authentication, and both Bob and the
Attacker have registered key_ids with Alice. Specifically, they have
both registered Key_ID=0 and Key=K_Bob. Obviously, the Attacker
doesn't have the private key for Bob, but this can still happen if
Alice doesn't check for PoP.

In this case, there's a trivial identity misbinding attack if the
attacker can get Alice to connect to it, namely:

Alice                     Attacker                       Bob

g^x ->
                          g^x ->
                              <- g^y, ID=0, Sign(K_b, .) ....
 <- g^y, ID=0, Sign(K_b, ..) ...

CERT, Sign(K_a, ..) ... ->
                                   CERT, Sign(K_a, .) ... ->


This is really just another flavor of the usual misbinding attack
based on someone claiming to have another person's public key
without PoP verification.

The classic defense in SIGMA is that the identities are folded into
the handshake transcript, but the problem is that if the identities
are self-asserted or public keys, you can get identity misbinding as
above (see also
https://datatracker.ietf.org/doc/draft-ietf-mmusic-sdp-uks/ for
another example of how this can happen).

-Ekr
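
The registration step described in the message above, as an added example that is not part of the original thread: the same relayed flight is checked against a key_id table filled without and with a proof-of-possession check. The toy Schnorr signature, `KeyIdRegistry`, `reg_msg`, `run` and the message encodings are hypothetical and constructed for illustration.

```python
import hashlib, secrets

# Toy Schnorr signatures over Z_p^*, p = 2^127 - 1. Illustration only, NOT secure.
P, G = 2**127 - 1, 3

def _h(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def sign(sk, msg):
    k = secrets.randbelow(P - 2) + 1
    e = _h(str(pow(G, k, P)).encode(), msg)
    return e, (k + sk * e) % (P - 1)

def verify(pk, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pk, -e, P) % P   # recovers g^k only for the matching key
    return _h(str(r).encode(), msg) == e

def reg_msg(peer, key_id, pk):
    return f"register|{peer}|{key_id}|{pk}".encode()

class KeyIdRegistry:
    """Alice's table of (peer account, key_id) -> public key."""
    def __init__(self, require_pop):
        self.require_pop, self.table = require_pop, {}
    def register(self, peer, key_id, pk, pop):
        if self.require_pop and not verify(pk, reg_msg(peer, key_id, pk), pop):
            return False          # registrant cannot sign with the key it claims
        self.table[(peer, key_id)] = pk
        return True

def run(require_pop):
    bob_sk, bob_pk = keygen()
    atk_sk, _ = keygen()
    reg = KeyIdRegistry(require_pop)
    bob_ok = reg.register("bob", 0, bob_pk, sign(bob_sk, reg_msg("bob", 0, bob_pk)))
    # The attacker claims K_Bob under its own account but can only sign with its own key.
    atk_ok = reg.register("attacker", 0, bob_pk,
                          sign(atk_sk, reg_msg("attacker", 0, bob_pk)))
    # Alice connected to "attacker"; it relays Bob's flight (g^y, ID=0, Sign(K_b, ..)).
    transcript = b"g^x|g^y|ID=0"
    relayed = sign(bob_sk, transcript)
    pk = reg.table.get(("attacker", 0))
    misbound = pk is not None and verify(pk, transcript, relayed)
    return bob_ok, atk_ok, misbound
```

`run(False)` returns `(True, True, True)`: Alice accepts Bob's signature as coming from the attacker's account. `run(True)` returns `(True, False, False)` because the attacker's registration of K_Bob is refused.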



On Tue, Mar 5, 2019 at 7:09 AM Benjamin Kaduk <kaduk@mit.edu> wrote:
On Tue, Mar 05, 2019 at 06:10:02AM -0800, Eric Rescorla wrote:
> Hi folks,
>
> While I think Richard's characterization of fTLS is strictly correct,
> I agree you have to squint a bit to see that it's isomorphic to
> TLS 1.3. In the spirit of clarity, I've put together the following
> very rough draft:
>
>    https://github.com/ekr/draft-rescorla-tls-ctls

Thanks for thinking about this more.  I think that Richard's analysis (with
Jim's corrections) did get to the crux of the issue, which is that the
clever encoding games are easy to adjust, and the cryptographic content of
the messages is most important.

>[...]

> There are some obvious avenues to shave a few bytes here and there,
> mostly because I did a sort of straight translation of TLS 1.3, so for
> instance, there are empty EE and CR messages, and you could omit
> length fields for some fixed-length or deterministic HS messages. I
> didn't bother with this because it's more in the way of a POC and, as
> Richard noted, most of the size difference between this and EDHOC is
> the Randoms and the Finished.

In particular, while we may have to defer to the cryptographers about
proving whether using the AEAD tag to perform the role that TLS's distinct
Finished message does, there are some clear engineering tradeoffs in
whether or not to omit the Randoms, and I hope we can set ourselves up for
a productive discussion of that question.  (That is, I wouldn't worry too
much about tidying up cTLS right away.)

I'd also be interested in hearing more about what the EDHOC team's internal
success criteria were (i.e., how they decided it was "done" enough to bring
to the IETF).  Here in SECDISPATCH we'll in effect be coming up with a
new/rehashed problem statement and success criteria for the IETF
application, but having a solid starting point from the preexisting work
could help our efficiency a lot.

-Ben


