Hi All, I would like to provide some comments to this draft, from a security point of view. Hope that it will be helpful.
The TLS and "HTTP Digest Auth" have been used, but seem unclear for me. Besides, it is not recommended to use the latter for some reasons listed below. - It is said that the HTTP/TLS protocol is deployed for mutual authentication. However, "HTTP digest authentication" is actually used for authenticating the device, which is typically weaker than normal TLS. Only the server side authentication is performed by TLS certificate-based crypto method. - It appears that authentication is done in different layers, i.e., device is done in PAWS layer by "HTTP digest auth" and server is achieved in TLS layer by certificate. I do not understand why security is done in mixed layers? - It is said that confidentiality is protected in HTTPS layer, but if authenticating device is achieved in different layer (i.e. in PAWS layer), how can the device and server negotiate the session key? - Or, if my above understanding is wrong and mutual authentication is indeed done in TLS layer, why does it need to have additional "HTTP digest auth" in PAWS layer? - "HTTP digest auth" only provides a hash-based protection for secrets like password and ID, and is known to be vulnerable to MitM (Man-in-the-Middle) attacks. Since according to the PAWS WG document, draft-ietf-paws-problem-stmt-usecases-rqmts-06, Chapter 8, threat 7, MitM attack should be thwarted. This draft using "HTTP digest auth" obviously does not satisfy the security requirement. - "HTTP digest auth" differs from HTTP over TLS, where the former provides no encryption for content, but the latter can encrypt the content by Public Key crypto. Thus TLS is preferred. - "HTTP digest auth" does not support HMAC algorithm (so-called Keyed Hash), thus it is yet a little risky to use SHA-1 to replace current MD5 algorithm, because NIST has not recommended to use the collision resistance of SHA-1 (but HMAC-SHA1 is fine). In contrast, TLS supports HMAC and does not have such a problem. From the above analysis, it is clear to see that the security and privacy of PAWS is not straightforward and needs to be carefully investigated, for design and implementation. It is also the reason why we have submitted an independent draft for PAWS security, to provide a base for discussion. BR, Yang ================== Yang Cui, Ph.D. Huawei Technologies [email protected] > -----邮件原件----- > 发件人: [email protected] [mailto:[email protected]] 代表 > [email protected] > 发送时间: 2012年7月22日 7:31 > 收件人: [email protected] > 主题: [paws] comments on draft-das-paws-protocol-02.txt > > It would be beneficial if there were discussions on the drafts to submitted > ahead of the F2F presentations. > Thus, I've taken the initiative to read the draft and provide some initial > comments: > > 1. I do not understand the purpose of the initialization process and why > messages INT-REQ and INT-RESP are necessary. The capability exchange can > be done during the registration process. > We may even consider merging the registration process with the DB query > process, there doesn't seem to be any reason to have them as separate > messages. > > 2. you may need a section where you map your newly defined messages to > existing http protocol messages. I saw that you have an example section, but a > normative section would be more desirable. > > 3. the data model part needs some more work. The structure is not very clear > to me, and some of the attributes reference obsolete RFC. > Eg, RFC3825 is referenced for the longitude/latitude attributes. I think you > should be better of using an element for geo-location, with the structure as > defined in RFC5491, a separate element for the civic location, with the > structure as defined in RFC5139, etc. > Instead of the DeviceOwner object, I would use a vCard element, with the > structure as defined in RFC2426. > You may also need an iCalendar element (RFC5545) to specify the channel > availability time (eg, when the channel is not available for the full 24H). > Etc. > > More comments are welcome. > - Gabor > > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf Of > ext Das, Subir > Sent: Saturday, July 14, 2012 7:36 AM > To: [email protected] > Subject: [paws] FW: New Version Notification for > draft-das-paws-protocol-02.txt > > Dear Chairs, > We have updated our draft and would like to request a slot in IETF-84 to > present it. > > Regards, > _Subir > > -----Original Message----- > From: [email protected] [mailto:[email protected]] > Sent: Saturday, July 14, 2012 10:30 AM > To: Das, Subir > Cc: [email protected]; [email protected] > Subject: New Version Notification for draft-das-paws-protocol-02.txt > > > A new version of I-D, draft-das-paws-protocol-02.txt has been successfully > submitted by Subir Das and posted to the IETF repository. > > Filename: draft-das-paws-protocol > Revision: 02 > Title: Device to Database Protocol for White Space > Creation date: 2012-07-14 > WG ID: Individual Submission > Number of pages: 32 > URL: > http://www.ietf.org/internet-drafts/draft-das-paws-protocol-02.txt > Status: http://datatracker.ietf.org/doc/draft-das-paws-protocol > Htmlized: http://tools.ietf.org/html/draft-das-paws-protocol-02 > Diff: http://tools.ietf.org/rfcdiff?url2=draft-das-paws-protocol-02 > > Abstract: > This document describes the `Protocol to Access White Space database > (PAWS)' that uses HTTP/TLS as transport. The protocol is used for > retrieving the necessary TV white space information (e.g., channel, > frequency, transmitted power) at a given location and time from a > database that is operating under a regulatory domain. The document > includes the protocol functionalities, its elements, corresponding > data model and recommends its encoding scheme. > > > > > The IETF Secretariat > _______________________________________________ > paws mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/paws > _______________________________________________ > paws mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/paws _______________________________________________ paws mailing list [email protected] https://www.ietf.org/mailman/listinfo/paws
