[siesta] Welcome, problem, and my approach
Robert Moskowitz <rgm@labs.htt-consult.com> Mon, 18 November 2013 21:28 UTC
Return-Path: <rgm@labs.htt-consult.com>
X-Original-To: siesta@ietfa.amsl.com
Delivered-To: siesta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D40D91AE0E1 for <siesta@ietfa.amsl.com>; Mon, 18 Nov 2013 13:28:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.526
X-Spam-Level:
X-Spam-Status: No, score=-0.526 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RP_MATCHES_RCVD=-0.525] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MpVOLi5c25uV for <siesta@ietfa.amsl.com>; Mon, 18 Nov 2013 13:28:30 -0800 (PST)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by ietfa.amsl.com (Postfix) with ESMTP id 45CD41AC7F1 for <siesta@ietf.org>; Mon, 18 Nov 2013 13:28:27 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 7BCAD62A63 for <siesta@ietf.org>; Mon, 18 Nov 2013 21:28:20 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ebost6TCvOIq for <siesta@ietf.org>; Mon, 18 Nov 2013 16:28:09 -0500 (EST)
Received: from lx120e2.htt-consult.com (lx120e2.htt-consult.com [208.83.67.155]) (Authenticated sender: rgm@labs.htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPA id 52E5162A5B for <siesta@ietf.org>; Mon, 18 Nov 2013 16:28:09 -0500 (EST)
Message-ID: <528A8669.5030904@labs.htt-consult.com>
Date: Mon, 18 Nov 2013 16:28:09 -0500
From: Robert Moskowitz <rgm@labs.htt-consult.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130625 Thunderbird/17.0.7
MIME-Version: 1.0
To: siesta@ietf.org
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: [siesta] Welcome, problem, and my approach
X-BeenThere: siesta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "SessIon layEr SecuriTy Approach discussion list." <siesta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/siesta>, <mailto:siesta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/siesta/>
List-Post: <mailto:siesta@ietf.org>
List-Help: <mailto:siesta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/siesta>, <mailto:siesta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2013 21:28:33 -0000
I want to welcome you all to the SIESTA list. I hope to get that siesta in when we finish this little project. Since I can use my naps these days, this means I got to focus for a bit to get the job done. I ask you to give me a hand here so we can get this done and get down to other business. Like that nap. Please feel free to break this longesh post into pieces for your response(s). I wanted to get it all out at once... Now that the standard IETF irreverence is out of the way, here is the problem statement that a few friends here have helped me work out: PROBLEM STATEMENT The present end-to-end application security context is tightly coupled with the underlying communication context. This is problematic for at least three reasons. 1) Not flexible: when the underlying communication context changes, the application security context must change, too. 2) Overhead associated with such coupling is prohibitively expensive over constrained networks (such as sensor or cellular networks). 3) Probably most important: an attack on the communication context immediately effects the application security. I might add that because of 3, an attack that results in system restart, which restarts all communication context, also results in the need to restart security context. GOALS This work aims at a solution to the above problems, with the objective of providing security context and security message format(s) for an application, 1) which is fully decoupled from the underlying communication methodology and is thus resilient to attacks on the communication context. 2) With that, the security context may need to have basic understanding of the communication context to be efficient with datagram overhead and communication synchronization issues (such as sequence window management), and so it is desirable that solution supports the "hooks" into the underlying protocol DIGRESSION I have been in many sidebars comparing my concerns with tools we currently have created within the IETF. I contend that many of these tools fate share with the transport. TLS is strongly tied into the fate of the TCP state. Others are point solutions that, say IEEE 11073, cannot pick up and implement within 11073.20601. Finally, why here? IETF is about networking and a session layer (i.e. messaging) technology seems to be out of scope. To that I have two answers. IETF has many session protocols, starting with this one called SMTP. Here is where the security knowledgeable people congregate. Here is where we can do the job right and provide a tool for other organizations to run with. So now on to what I have seen as a way to accomplish this. MAILING LIST WORK ITEMS Define an envelope that will provide security protection for any message. As you will see, conflicting environments has led me to define 3 formats, and I see a forth lurking around the corner. Define how existing Key Management Protocols (e.g. IKE and HIP) will create the necessary security state and keys. And in fact, what is needed in terms of Security Associations at the session level and where does a Security Policy Database live in this context. I will add that it is up to the KMPs to create security context that will protect from MITM and other attacks, and to provide support for multi-player applications (e..g over multicast communications) as well as the more common two-party communications. Define the session security machine that will live within a proper security boundry where the well defined session security state machine lives, accessed by a well defined API. With all the North-bound and South-bound software interface models I have seen of late, one might see this as a set of east and west bound interfaces with the KMP machine on one side and the communicating application on the other. OTHER DISSCUSION POINTS I have been asked about exposed, but authenticated message header formats. For example a communicating application over HTTP. I see this as a research issue as to whether the Additional Authenticated Data approach can be applied, resulting in some more formats. Though what little I understand of HTTP, I don't see this working for HTTP imbedded applications. Rather only their messages can be protect in this model. What about mid-box awareness and exposed, but authenticated type information? First the Session Security Envelope (SSE, there I have named what I have been working on) format will be negotiated by the KMP just like they do for cipher suites and the like. So the participating communicating application know which format is used and thus how to process it. Any type information in a control byte(s) is for the benefit of outsiders. Since there is no protocol processing here, what for? I don't see it. I was given the case of extensiblity that ESP faced wrt WRAP. But with the 'ability' to define a new format and negotiate it within the KMP, I see this as a better approach than guessing what is needed for future extensibility. But I am open to being convinced. The state machine/SSE service is a critical component in that it has to be complete, and secure. So do I have all the states, and can we well define the information passed between the communicating application and the SSE service and the SSE service and the KMP service. So moving on. ENVELOPE FORMATS and CIPHERSUITES I have defined 3 SSE formats that vary based on the Envelope Length and the Sequence number sizes: SPI (32 bits, to be consistant with existing KMPs) Envelope Length (12 or 32 bits; 12 for constrained use) Sequence number (20, 32, or 64 bits; note: this is the explicit size, the implicit size is 64 or 128 bits.) Cryptotext (n bytes) ICV (8 or 16 bytes) The defined cipher suites are: AES with CCM, CMAC, GCM, or GMAC with either 8 or 16 byte ICV. I can see the free-for-all that has occured in general with KMPs of defining for every cipher that MAY be used by someone. Afterall, should we really trust AES and is it really the best (forget that it is built into MOST sensor hardware these days). And NIST may actually approve a stream cipher... There is a lurking fourth format to work with Dave McGrew's new AERO cipher or any other similar cipher for highly constrained communication channels. This is for future work. Unless there is already a recognized cipher of this sort. KMP NEGOTIATION I invision the KMPs negotiating SSE in a single parameter that has two values: format and cipher suite. The combined values into a single parameter is to save on message length for constrained environments. Again I am open on this point. The KMP authors will address this. What are the 'selectors' for the Security Policy Database (SPD). Does the SPD 'live' in the KMP or SSE service, or in the Communicating Application? I think the SA(s) are in the SSE service. What else is need here? SSE SERVICE/STATE MACHINE The states I have defined are: Start – call the KMP with the session identities and get the SPIs, key hierarchies, and ciphersuite Key refresh – on seq # consumption, call the KMP for fresh keys Secure – secure the message Reveal – decrypt and/or authenticate the message Teardown – tear down the security context State machine needs to handle responder Security setup and state loss recovery (e.g. after reboot) Some method is needed to connect a start or rekey with new SPIs to the SSE application that will use it. This could be internal to the KMP or KMP run over the eventual application port before any messages. SECURITY SURVIVABILITY This is important, but needs to be expressed carefully. Knocking over a server has to become uninteresting in a security sense. Time to restart or battery cost to restart are concerns. How best to achieve this? How to recommend best practice (eg how to use an HSM). Can hot standby work? Can security state be replicated across a group of servers? Securely? How tightly does seq# updates need to occur? Or is some form of multicast better? Definitely some intersting work here. THE PLAN Put together a writing team. I have a couple volunteers for writing an SSE draft. I will be contacting them tomorrow. If you are interested in helping with the writing, let me know. Also there needs to be specific KMP drafts and authors are needed for them. And of course discussion here is always welcomed and SHOULD help focus on what to include, or not, in the documents. Well this is a start. Thank you for joining.
- [siesta] Welcome, problem, and my approach Robert Moskowitz
- Re: [siesta] Welcome, problem, and my approach Eric Burger
- Re: [siesta] Welcome, problem, and my approach Robert Moskowitz