Closed rikard-sics closed 2 years ago
The original version of KUDOS ensures PFS. This requires that:
New concepts:
Bootstrap Master Secret and Bootstrap Master Salt
Latest Master Secret and Latest Master Salt
Note that:
The original version of KUDOS is problematic for some devices that can afford only a single writing in persistent memory when a Bootstrap Master Secret and a Bootstrap Master Salt are provided (e.g., at manufacturing), but no more after that. These devices cannot perform a stateful key update procedure which practically prevents ensuring PFS.
What follows enables an alternative execution of KUDOS, which sacrifices PFS but allows devices to perform a stateless key update, i.e., without writing on disk (like possible in OSCORE Appendix B.2).
CAPABLE = A device capable of writing to disk (non-volatile memory).
As a general rule, when generating a new Security Context, the corresponding Latest Master Secret and Latest Master Salt:
This is independent of how exactly such Master Secret and Master Salt have been obtained. An exception to the above is the temporary KUDOS context CTX_1 which must not be stored on disk.
This enables the following sequence of event in case of rebooting:
Check if you have a (Latest Master Secret, and Latest Master Salt) on disk
If yes:
If no, check if you have a (Bootstrap Master Secret, and Bootstrap Master Salt) on disk
If yes:
If no, use other ways to establish a first OSCORE context CTX_OLD
Proposed extensions:
If a device is non CAPABLE, it MUST NOT run KUDOS in PFS mode and MUST run KUDOS in non-PFS mode.
If a device is CAPABLE, it SHOULD run KUDOS in this PFS mode as initiator and SHOULD NOT run KUDOS in no-PFS mode as initiator. An exception to this is a follow-up with a responder peer that has made evident to not support this mode. Note that such a CAPABLE device is able to store also this piece of information, so that it can take following executions of KUDOS with this peer with the 'p' bit set to 1, including after a possible reboot.
Note: If a peer A has learned that the other peer B in fact does support running KUDOS in PFS-mode it should never run KUDOS with that peer B in non-PFS mode (meaning if the other peer B initiates KUDOS with p = 1 it should be rejected). If A is a capable device, it MUST store this information on disk, hence preventing malevolent downgrading to no-PFS mode is case of simultaneous rebooting where B is non capable.
Note: If both peers reboot simultanously, the client initated variant of KUDOS would end up being run.
If able to run KUDOS as specified in the 'p' flag by the initiator, the responder MUST comply and do so. Otherwise:
If the responder is the server,
If the responder is the client,
After receiving Response nr. , the client sends a Request nr. 2 protected with CTX_NEW as usual. The 'p' bit in the OSCORE option of this response MUST be set to 1. Then, the client can abort the current KUDOS execution, and deletes both CTX_1 and CTX_NEW.
After receiving the Request nr. 2 above (i.e, having the 'p' bit set to 1 as a follow-up to Response nr. having the 'p' bit set to 0), the server aborts the KUDOS execution, deletes both CTX_1 and CTX_NEW, and learns that the client can run only the no-PFS mode.
This has now been added in the latest version.
See
https://mailarchive.ietf.org/arch/msg/core/EL0yHxQrP2DQwHxo6ojnQedvFbY/