Some ideas about OSCORE Store #1212
Conversation
leshan-server-cf/src/main/java/org/eclipse/leshan/server/californium/LeshanServerBuilder.java
Show resolved
Hide resolved
...-cf/src/main/java/org/eclipse/leshan/core/californium/oscore/cf/InMemoryOscoreContextDB.java
Outdated
Show resolved
Hide resolved
sbernard31
force-pushed
the
oscore_store
branch
from
3c23f4b to
fa9c632
Compare
|
@rikard-sics I implemented ideas we talked about at (#1212 (comment)) So I'm now able to execute the test below successfully : I implement the get by uri at client side, easy as it's static. (See CaliforniumEndpointsManager changes) The test starts by a register request then the server send a read request. I guess in term of security this is not what we want. Any thoughts about that ? |
Sounds very nice, yes we can definitely consider modifications to Californium.
I see, yes as the get by uri is not implemented on the server side it cannot find an OSCORE context to use for protecting the request. But I see your point, basically if an outgoing request has the OSCORE option but a context cannot be found, this request should not be sent at all. I will add that to the list of changes to do in Californium. This should be a quick fix. One possibility for now is to utilize the information in an EndpointContext of an incoming request. See for instance: |
I didn't think about this but it makes sense. My point was more that the server send a ReadRequest without using OSCORE (this is the expected behavior because I didn't implement get by uri at server side) I was expected that the device doesn't answer to it. But maybe this behavior can not be done at californium side and so should be done at upper layer (so LWM2M in our case) 🤔 |
One possibility is using an OSCoreResource as opposed to a normal CoapResource. In such case the server will only accept requests using OSCORE to that resource. But perhaps that behaviour is too course-grained and relying on the EndpointContext is better. |
This will not work with Leshan Client use case, because we create the resource once for all server and some server use OSCORE and some other not. My last commit (48b1d60) use I just share an idea for californium API : (I will now try to implement get by uri at server side) |
|
I Implemented But I think returning an OscoreParameters is not the right way because we will re-derive a new context from those parameters where we rather want to reuse an existent one (the one from registration for example) So maybe we should rather get the recipientId by URI, then call I will create a commit about this (would be simple than this explanation ☝️) and you let me know if this make sense. |
...-cf/src/main/java/org/eclipse/leshan/core/californium/oscore/cf/InMemoryOscoreContextDB.java
Outdated
Show resolved
Hide resolved
|
@rikard-sics, see my last commit (a788103) about :
|
Hmm, maybe I don't get 100% in what situations a new context will be re-derived rather than using the existing one. But I agree that before trying to derive a context we should check the OSCORE DB to make sure a context with a matching RID doesn't already exist there. Edit: Thinking more about this. So this problem would be specific to getContext(String uri) as the context could exist in the DB, but not associated to the uri (yet)? |
Right, yes I believe that approach makes sense. Here I would add the context to the DB associated to the URI. As here the URI would be the "foreign peer address". |
Yes, I suspected that it would be too course-grained for this use case.
Right, very nice.
Okay I see. So instead of a resource that only accepts OSCORE requests it would be like an endpoint (or an OSCORE CoAP stack building endpoints) that would only accept incoming requests if they use OSCORE. Yes, I think that could be something to consider adding. I can think about how it fits in Californium. |
| @Override | ||
| public synchronized OSCoreCtx getContext(String uri) throws OSException { | ||
|
|
||
| OSCoreCtx osCoreCtx = super.getContext(uri); | ||
|
|
||
| if (osCoreCtx == null) { | ||
| byte[] rid = store.getRecipientId(uri); | ||
| if (rid != null) { | ||
| osCoreCtx = getContext(rid); | ||
| // TODO don't know if I should add by uri here ? | ||
| // super.addContext(uri, osCoreCtx); | ||
| } | ||
| } |
There was a problem hiding this comment.
(from @rikard-sics)
Here I would add the context to the DB associated to the URI. As here the URI would be the "foreign peer address".
Then this would allow the ObjectSecurityLayer to find the correct context for later outgoing requests to that peer.
Thinking a bit more about this :
In LWM2M the foreign peer address could change (e.g. because devices are behind NAT).
When address changes client should update its registration.
So to handle this
- either we need to never cache the context by uri in DB (but that means more call to registration store.
- Or we cache in for uri and we need to update/clean DB on registration update. (still a bit afraid by this kind of house keeping)
There is another solution and this is something we will maybe need anyway.
At LWM2M level when we send a request we can tell the "identity" of the destination. This should even be done to be sure that context does not change between the moment where user decide to send the request and the moment where we really send the request.
So when we send the request we could say the expected OSCORE foreign peer RID.
(This is what we do for DTLS see : https://github.com/eclipse/leshan/blob/leshan-2.0.0-M6/leshan-server-cf/src/main/java/org/eclipse/leshan/server/californium/request/CoapRequestBuilder.java#L304-L306)
If we do that I guess ObjectSecurityLayer can find RID in EndpointContext and so get by RID and not by URI, right ?
There was a problem hiding this comment.
Right, so you mean that the ObjectSecurityLayer would get the RID from something like the following?
endpointContext.get(OSCoreEndpointContextInfo.OSCORE_RECIPIENT_ID)
That could be an addition to Californium, so if that value is set the ObjectSecurityLayer would use the RID there to get the context, rather than the request URI.
There was a problem hiding this comment.
Right, so you mean that the ObjectSecurityLayer would get the RID from something like the following?
endpointContext.get(OSCoreEndpointContextInfo.OSCORE_RECIPIENT_ID)
Yep
There was a problem hiding this comment.
I just implemented oscore store at bs server side and this idea ☝️ would help a lot.
There was a problem hiding this comment.
I just implemented oscore store at bs server side and this idea point_up would help a lot.
I see, then that is something I can add to the Californium side.
|
Not directly linked to this PR. |
sbernard31
force-pushed
the
oscore_store
branch
from
ebed7a5 to
858be90
Compare
|
With last commits ☝️ I removed all old static oscoreDBHandler An other important part I would like to discuss is lifetime of context. At DTLS side :
We also have several discussion about having a kind of maximum lifetime for DTLS connection but this was never implemented in californium. I don't know if this kind of maximum lifetime makes also sense for oscore context ? |
Let me have a look at this and get back to you. |
Yeah, currently there is no specific lifetime of an OSCORE context. The only limit applied is that when the sender sequence number reaches its max value, then the context must not be used further. In the OSCORE ACE profile, if the Token associated to the context expires the context should no longer be used: We are also working on a new draft Key Update for OSCORE (KUDOS) that is mainly about an alternative to the OSCORE appendix B.2 procedure, but it also introduces an explicit expiration parameter for OSCORE contexts: When it is desirable, contexts can be removed from the DB using removeContext(OSCoreCtx ctx)*. This could be done due to memory restrictions, or if a client has deregistered or been removed by the user in the server UI. If the client wishes to register then a new context will be derived for it (plus running of Appendix B.2). *I was recently informed that the removeContext method does not remove the context from the URI map. I will update the code in Californium to resolve this. |
Having a look at this this, the main operations taking time when deriving a new context would be running 3 times a HMAC-based Extract-and-Expand Key Derivation Function (HKDF). (For generating the Sender Key, Recipient Key and Common IV). See deriveKey which is called in the constructor for OSCoreCtx: |
|
@rikard-sics thx for you last answer 🙏 I squashed all this commit and integrated this in |
This aims to clarify the ideas I try to explain at #920.
This is a kind of "fill-in-the-blank code" but the bootstrap server part is not done.
(I reuse the @Michal-Wadowski's
OscoreIdentityfrom #1175 )OscoreSettingandOscoreParameterslooks like the same but one is intended to be pushed in californium and the other is abstraction intended to be used in code without californium dependency.