Comment inline
From: Somaraju Abhinav [mailto:[email protected]] Sent: Monday, February 6, 2017 12:01 PM To: Jim Schaad <[email protected]>; [email protected] Cc: 'ace' <[email protected]> Subject: Re: [Ace] draft-somaraju-ace-multicast Jim, All, please see a proposal for the Applicability statement that can be used as a starting point for the Webex. Abhinav [JLS] Did you actually change anything from the current document. At first glance it looks like a cut and paste with absolutely no response to any of the issues that have been raised on the list. [AS] We have changes from the current document. I have highlighted in red below the changes. 5.1 Applicability statement [JLS] This should have a description of the criteria which should be used to determine if any of the solutions here are needed. Without this information, it seems that the solution could be applied to anything. Is this really just a lighting solution or is it a more general solution? [AS] We are mainly interested in the lighting application. The only other field I am aware of is blinds but I do not know enough about their requirements. It will be interesting to hear from others if they have applications where this is interesting. This document describes two architectures based on symmetric group keys in Section 3 and asymmetric keys in Section 4. [JLS] Based on the mails we have exchanged; this statement is either wrong or insufficiently qualified. You have stated that even the messages in section 4 need to be encrypted and thus might have a group key. [AS] Fair point. This is the current status. Will have to fix this part. The symmetric key solution is based on a group key that is shared between all group members including senders and receivers. As all members of the group posses the same key, it is only possible to authenticate group membership for the source of a message. In particular, it is not possible to authenticate the unique source of a message and consequently it is not possible to authorize a single node to control a group. This implies in particular that any hacked receiver in a group could then be used to control all the receivers in the group. Moreover, because the group key is shared across multiple nodes, it may be easier for an attacker to determine the group key by attacking any member of the group (note that this group key is dynamically generated and is usually stored in volatile memory which offers some additional protection). The probability of a stolen key increases with the number of nodes that are in possession of the key. Moreover, subsequent to such an attack, it is also difficult to determine which of the group members was compromised and this makes it difficult to return the system to normal operation after an attack. [JLS] I have no idea why storing a key in volatile memory would offer additional protections. [AS] This prevents the case of removing a device from the physical location and figuring out the group key. Not sure if it helps too much. We can remove it if the group consensus is that it does not help. [JLS] Losing power is going to lead to potentially very long delays at power and missed processing of messages if every recipient needs to individually generate a new dynamic key and distribute it, not to mention the potential problems with the question of who has good randomness for the generation of new keys. [AS] Agree. See comment above. We can remove it if the group consensus is that it does not help. [JLS] Which group members are/were compromised. You don’t know that it has gone away. [JLS] This text does not address the questions of size and homogeneity of groups. One of the issues that has been brought up is about using the same key for multiple types of devices such as lights and doors. [AS] The specification does not allow the same key to be given out for multiple types of devices. All tokens are linked to a scope and an application group. You can not use the same key for two different applications. But you make a good point. We can add this to the applicability statement. The asymmetric key solution distinguishes between a sender in the group and the receivers. In particular, the sender is in possession of a private key and the receivers are in possession of the corresponding public key. This allows the unique source of any group message to be authenticated. Moreover, an attacker cannot compromise the system by breaking into any of the receiving nodes. However, for constrained devices, the asymmetric key solution comes at a processing cost with cryptographic computations taking rather long. [JLS] The last sentence does not belong here. The term “rather long” is extremely vague and is even worse than the term “low-latency” in terms of what has been defined. [AS] Will discuss this point during the call today. [JLS] Should also know that the sender that was compromised is immediately known and can be dealt with. [AS] Okay. Will add this point. Therefore, it is recommended that whenever possible, the architecture with source authentication SHOULD be used to secure all multicast communication. However, in less sensitive applications where low-latency group communication is important (e.g. controlling luminaires in non-emergency applications), the architecture without source authentication MAY be used. In sensitive applications such as health and safety, building security and emergency applications the symmetric key based solution SHOULD not be used. [JLS] Personally, I would not know how to test this, so I don’t believe that RFC 2119 language is appropriate. [AS] I agree that this is not testable. But I not sure how we should proceed here. Any suggestions would be great. One of the big objections has been "what if this solution is used for something else" and that guidance should be provided as to where this specification should be used and more importantly not used. [JLS] Why should emergency applications be different? Does this mean that all devices need to implement both solutions and need to figure out which of the solutions should be used at any given time? What defines a sensitive application? The ability to monitor a sensor even if the state of the lights is not? [AS] See comment above. When using the symmetric key solution two mitigating factors could improve system security. It is possible to achieve source authentication of messages at lower layers by requiring unique MAC layer keys for all devices within the network. The symmetric group keys are dynamically generated and therefore SHOULD be stored in volatile memory. [JLS] Given the fact that it is “easy” to impersonate MAC addresses I am not sure how this will mitigate the problem. This would be killed by either MAC impersonation or having a message re-transmitted by a proxy agent. [AS] This was an idea for Eliot Leer. The idea is to have pairwise MAC layer keys and this has nothing to do with MAC addresses. It is to do with traceability of messages after an attack is detected so that the source of the multicast message can be determined. Maybe Eliot can comment more about this. [JLS] As stated above, I am not sure how keeping keys in volatile memory will be a mitigating factor. The only think that I see is that I cannot physically steal the device and work on it later rather than having to do it “in place”. [AS] Yes, this is about physically stealing devices not helping. ________________________________ From: Jim Schaad <[email protected]<mailto:[email protected]>> Sent: Friday, February 3, 2017 7:02:42 PM To: Somaraju Abhinav; [email protected]<mailto:[email protected]> Cc: 'ace' Subject: RE: [Ace] draft-somaraju-ace-multicast See comments inline From: Ace [mailto:[email protected]] On Behalf Of Somaraju Abhinav Sent: 02 February 2017 03:48 To: Jim Schaad <[email protected]<mailto:[email protected]>>; [email protected]<mailto:[email protected]> Cc: 'ace' <[email protected]<mailto:[email protected]>> Subject: Re: [Ace] draft-somaraju-ace-multicast Hi Jim, thank you for the review and I apologise for the delayed response - I was on sick leave due to a surgery. Please see comments inline from the authors. Why restriction on reading messages? It is not like an external observer is not going to be able to see the lights go on or off. [AS] There are several situations where lights are not visible but (multicast) network data is accessible. Moreover, sensors (e.g. presence detectors) are continuously talking to actuators and controllers without necessarily having a visible effect on the lights. For several customers privacy is a very important concern and is almost a given. The statement "anybody can listen to the traffic and tell when sensors detect presence in a building without even being in the building" is a very difficult sell. Having said that, it is true that simply encrypting the multicast traffic at the application layer is only a prerequisite to provide the privacy needed and additional work is required (e.g. generating random messages at different times). In that sense the symmetric solution is probably not much better than the asymmetric solution. But the demand for privacy from customers is very clear and the perception among them is that unencrypted data implies poor security. [JLS] I am sensing a problem here. You have stated that there is a requirement that encryption is a requirement that people are going to say must be me. However, below you have stated that if authentication is a requirement then encryption suddenly becomes a non-requirement? You appear to be stating that there are circumstances where it is fine not to have the data encrypted if one needs to know where it came from. Consider the following case I have a sensor in a room. When the sensor sees movement, it broadcasts a lights one command. The command is picked up by both the lightbulbs and by the security system. The security system must know which sensor provided the command and therefore no encryption is going be needed here? That just seems wrong. Additionally, the situation where things are “continuously” talking would seem to be a good place where one would want to install a controller and not have the sensor directly talking to the actuator. You don’t want to flood the actuators with trying to constantly turn on the lights. Also the use of actuators in this sense makes one think that this is a solution for things other than lighting systems which is what people are complaining about. The solution in section 4 does not seem to meet the following requirement "Only authorized members of the application group must be able to read and process messages." [AS] You are right, we cannot satisfy the privacy requirement in Section 4. We could extend the current solution to include a group wide encryption key to meet this requirement. However, this will add additional latency to the asymmetric solution. This document needs to have a solution for dealing with nonce space allocation for the cases where more than one sender is going be able to use the same key. This is going to be part of the problems with replay detection as well as security considerations. [AS] Okay. Will add some text in the next version of the draft for better clarification. The idea as written in 4.3 (Nonce value) is to use the Client ID along with the sender’s sequence number to create the complete nonce for replay and CCM processing. Should the algorithms be using high water detection of sequence numbers rather than the case of not yet used? Or is that an application specific type thing? [SK] This is tricky since it can create all kind of new issues. One way to handle if the sequence number of a sender is about to roll over is that the sender requests a new key issued for the group by the KDC. Tricky part is if there are multiple senders who are not reaching the roll over of their sequence number then have to be forced to use a new key or there needs to be some overlap between the old key and new key before every sender in the group starts using the new key. [JLS] Lots of spinning in graves from the idea of having a sequence number roll over given the harsh requirements that a nonce (built from the sequence number) must never be re-used twice for many of the algorithms that are going to be used here. I do not think that the current security requirements is sufficiently strident to reflect both the threat of breakage, cross-breakage and restrictions on where it should be used to pass muster. [AS] I thing this will be the main discussion item in the webex. We will make a proposal for the security guidelines section after the interim webex. [JLS] A proposal before the call is better because then we have a starting point for discussions as well as allowing people who will not make the call be able to have some initial input on where discussions points should be directed. _______________________________________________ Ace mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/ace ________________________________________________________ The contents of this e-mail and any attachments are confidential to the intended recipient. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If this e-mail is received in error, please immediately notify the sender and delete the e-mail and attached documents. Please note that neither the sender nor the sender's company accept any responsibility for viruses and it is your responsibility to scan or otherwise check this e-mail and any attachments. ________________________________________________________ The contents of this e-mail and any attachments are confidential to the intended recipient. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If this e-mail is received in error, please immediately notify the sender and delete the e-mail and attached documents. Please note that neither the sender nor the sender's company accept any responsibility for viruses and it is your responsibility to scan or otherwise check this e-mail and any attachments. ________________________________________________________ The contents of this e-mail and any attachments are confidential to the intended recipient. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If this e-mail is received in error, please immediately notify the sender and delete the e-mail and attached documents. Please note that neither the sender nor the sender's company accept any responsibility for viruses and it is your responsibility to scan or otherwise check this e-mail and any attachments.
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
