Re: [T2TRG] RESTful Design & Security
Göran Selander <goran.selander@ericsson.com> Wed, 08 March 2017 08:30 UTC
Return-Path: <goran.selander@ericsson.com>
X-Original-To: t2trg@ietfa.amsl.com
Delivered-To: t2trg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F6AA129570 for <t2trg@ietfa.amsl.com>; Wed, 8 Mar 2017 00:30:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4lj9mUvO3MpH for <t2trg@ietfa.amsl.com>; Wed, 8 Mar 2017 00:30:36 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3CF6127071 for <T2TRG@irtf.org>; Wed, 8 Mar 2017 00:30:35 -0800 (PST)
X-AuditID: c1b4fb2d-effff7000000290a-29-58bfc128f2bd
Received: from ESESSHC008.ericsson.se (Unknown_Domain [153.88.183.42]) by (Symantec Mail Security) with SMTP id 61.1B.10506.821CFB85; Wed, 8 Mar 2017 09:30:33 +0100 (CET)
Received: from ESESSMB107.ericsson.se ([169.254.7.76]) by ESESSHC008.ericsson.se ([153.88.183.42]) with mapi id 14.03.0319.002; Wed, 8 Mar 2017 09:30:32 +0100
From: Göran Selander <goran.selander@ericsson.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: [T2TRG] RESTful Design & Security
Thread-Index: AQHSlpsnFV1UjpOgG0yLh2UXCglOtqGJlY0AgAAQwQCAAPj4gA==
Date: Wed, 08 Mar 2017 08:30:30 +0000
Message-ID: <D4E5582E.78797%goran.selander@ericsson.com>
References: <c15a387f-9dd3-987e-2901-b86fd8f60108@gmx.net> <10144.1488908366@obiwan.sandelman.ca> <952c4a16-174f-2457-1f11-8f733e738f90@gmx.net>
In-Reply-To: <952c4a16-174f-2457-1f11-8f733e738f90@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.1.161129
x-originating-ip: [153.88.183.149]
Content-Type: text/plain; charset="utf-8"
Content-ID: <88BE9FDD52D2A54BB92F3F1D2A182626@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrOIsWRmVeSWpSXmKPExsUyM2K7lq7mwf0RBv/uSFks3XmP1aLnUD+7 xfsHPSwOzB6LN+1n85i88TCbR8ucPcwBzFFcNimpOZllqUX6dglcGY+/bWEt+OVYMWmSdQPj AocuRk4OCQETiWubNrB0MXJxCAmsY5S49nAGO4SziFHi2J0WNpAqNgEXiQcNj5hAbBGBeIkp f0+xgNjMAqoSUw/dA7OFBfQktszYywpRoy9x8lQPG4TtJDHhB0Qvi4CKxIeJL8BqeAUsJH5f g7CFBKYwSkx5rdrFyMHBKWAtcfxHFkiYUUBM4vupNUwQq8Qlbj2ZzwRxtIDEkj3nmSFsUYmX j/+BjREFOmH58zVQcSWJtYe3s4CMZBbQlFi/Sx9ijLXExkO97BC2osSU7ofsENcISpyc+YRl AqP4LCTbZiF0z0LSPQtJ9ywk3QsYWVcxihanFhfnphsZ66UWZSYXF+fn6eWllmxiBEbfwS2/ dXcwrn7teIhRgINRiYf3w6l9EUKsiWXFlbmHGCU4mJVEeCUW7o8Q4k1JrKxKLcqPLyrNSS0+ xCjNwaIkzmu28n64kEB6YklqdmpqQWoRTJaJg1OqgbE5JuTid2MhNeNN586fnLn12vZ9j5Yn Pn386qJxyKSuiOu7Xu19O7/hg67IjPbPs9SECl7G5SWm7fM7HfknYLn2hZdbvq4OfZTAcMts x4VHTbZrW1dcze9aWi+/13jPHpdF754EntBe+khQTCQue8NiRy1RlbjyY5zXlgjy3FmUl2bG Ozmw7mepEktxRqKhFnNRcSIAJM8F3boCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/rqOVjO1nPRTogO6o-xaIlUqgqLg>
Cc: "t2trg@irtf.org" <T2TRG@irtf.org>
Subject: Re: [T2TRG] RESTful Design & Security
X-BeenThere: t2trg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IRTF Thing-to-Thing \(T2T\) Research-Group-in-creation" <t2trg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/t2trg>, <mailto:t2trg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg/>
List-Post: <mailto:t2trg@irtf.org>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/t2trg>, <mailto:t2trg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 08:30:37 -0000
Hi Hannes, and all, Since Hannes is so eager to state what he thinks OSCOAP doesn’t work for (which we all understand is the reason for starting this thread in the first place J), allow me to balance this by outlining the end-to-end security settings where people plan to use OSCOAP so far. But first the story about application layer security, REST and intermediary nodes (which was the question asked): If the intermediary is required to perform operations on encrypted data (such as data aggregation by non-trusted intermediary), there are techniques such as homomorphic encryption, but the application in the cloud would in this case anyway have to trust the intermediary to perform the required operation since the integrity of the message would not be preserved. Clearly, this is not a limitation specifically of OSCOAP. The type of operations you can expect an intermediary to perform and still preserve integrity end-to-end is more like the support for RESTful operations performed by a CoAP proxy - the proxy reads CoAP meta-data and performs various message-related operations. If you apply security on transport layer or below (DTLS, IPsec etc.) then the CoAP meta-data is only visible to the trusted endpoint for the secure channel, which either makes it useless for the intermediary or makes the intermediary a trusted endpoint. If you apply security on application layer then it is possible for an intermediary to perform these operations while preserving integrity. There are two options: 1. Apply security above the web transfer layer, i.e. to CoAP/HTTP payload, e.g. by wrapping the payload in the COSE format. In this case the secure COSE object is independent of web transfer mechanism so you can switch between e.g. HTTP and CoAP. However, the web transfer metadata, including e.g. the RESTful method, resource etc. is not protected. This is anyway useful if the method/resource etc. is implicit or the application provides the context, e.g. CoAP pub/sub. 2. Apply security to the web transfer layer, i.e. protect not only CoAP payload but also CoAP meta data (headers and options) in such a way that certain CoAP proxy operations can still be performed (e.g. only integrity protecting the RESTful method allowing the proxy to read but not change). This is what OSCOAP does. The reasons why people are interested in OSCOAP, besides end-to-end security and support for CoAP proxy operations which is e.g. used in 6tisch secure join, include: - OSCOAP works essentially wherever CoAP works (UDP, TCP, SMS, BLE, 802.15.4 IE, . . .) and provides end-to-end security independently of how the underlying layers are being switched along the path. - OSCOAP is possible to extended to secure CoAP over multicast IP (or CoAP group communication in general RFC7390): https://tools.ietf.org/html/draft-tiloca-core-multicast-oscoap - OSCOAP is very lightweight. Recent optimisations to be published by the IETF submission cutoff shrink the message overhead down to 13 bytes in the CoAP request and 9 bytes in the OSCOAP response. This includes the 8 bytes MAC. With existing CoAP and COSE implementation, OSCOAP is a minor addition in terms of code. Now for the statements made about OSCOAP: > OSCOAP does not work when > * you mix protocols, for general web transfer protocols this either requires protection on a lower layer, which prevents an intermediary from reading the metadata as we have seen, or you can restrict protection to CoAP/HTTP payload as in 1. above. But if you consider specific protocols with similar semantics such as HTTP and CoAP, it is possible to define a mapping for a subset of the metadata for which OSCOAP would preserve integrity and confidentiality along the lines elaborated by Matthias in this thread. We started sketching on this during IETF94 (with some of the authors of RFC8075) but have not had time to continue the work. We are happy to pursue this work if people think this is interesting. > * use a middlebox for some processing interactions (such as data > aggregation), and > This is not a limitation specifically of OSCOAP as motivated above. > * when one of the protocols is a non-RESTful protocol, such as BLE or >MQTT. > I thought the question was how to protect the RESTful operations, which clearly isn’t relevant when one of the protocols is non-RESTful J. Anyway, OSCOAP works where CoAP does, e.g. over BLE. Plain COSE works anywhere (but does not protect the REST semantics). We were considering to start implementing OSCOAP in mbed right after the upcoming IETF, but maybe we should go for some other OS since ARM is so negative. If anyone is considering implementating OSCOAP or has a preference for a particular OS, please let us know. (Existing implementations I know of are Contiki OS (Martin Gunnarsson), C-sharp (Jim Schaad), Python (Christian Amsüss), Java (Joakim Brorsson/Ludwig Seitz) and Mališa Vučinić has announced to implement in OpenWSN before the summer.) Göran On 2017-03-07 19:39, "T2TRG on behalf of Hannes Tschofenig" <t2trg-bounces@irtf.org on behalf of hannes.tschofenig@gmx.net> wrote: >OSCOAP does not work when > >* you mix protocols, >* use a middlebox for some processing interactions (such as data >aggregation), and >* when one of the protocols is a non-RESTful protocol, such as BLE or >MQTT. > >Unfortunately, these the use cases we are facing in current IoT >deployments. For similar reasons we cannot use RFC 8075 either. > >Maybe you are seeing different deployment environments. > >Ciao >Hannes > >On 03/07/2017 06:39 PM, Michael Richardson wrote: >> >> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: >> > Needless to say that these challenges have also been observed in >>other >> > protocols as well, such as HTTP and even SIP. >> >> > What is the story for providing application layer security? >> >> OSCOAP seems to be end-to-end to me. >> >> -- >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works >> -= IPv6 IoT consulting =- >> >> >> >
- [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Ari Keränen
- Re: [T2TRG] RESTful Design & Security Michael Richardson
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Kovatsch, Matthias
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Kovatsch, Matthias
- Re: [T2TRG] RESTful Design & Security Simpson, Robby (GE Energy Connections)
- Re: [T2TRG] RESTful Design & Security Kovatsch, Matthias
- Re: [T2TRG] RESTful Design & Security Göran Selander
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Carsten Bormann
- Re: [T2TRG] RESTful Design & Security Carsten Bormann
- Re: [T2TRG] RESTful Design & Security Eliot Lear
- Re: [T2TRG] RESTful Design & Security Carsten Bormann
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Göran Selander
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- [T2TRG] The Many Headed Hydra Nightingale, J. Stephen (Fed)
- Re: [T2TRG] The Many Headed Hydra Carsten Bormann
- Re: [T2TRG] RESTful Design & Security Garcia-Morchon O, Oscar
- Re: [T2TRG] RESTful Design & Security Eliot Lear
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Mohit Sethi
- Re: [T2TRG] RESTful Design & Security Garcia-Morchon O, Oscar
- Re: [T2TRG] RESTful Design & Security Hasan Derhamy
- Re: [T2TRG] RESTful Design & Security Eliot Lear