ATOCA | R. Barnes |
Internet-Draft | A. Chi |
Intended status: Informational | BBN Technologies |
Expires: April 11, 2013 | October 10, 2012 |
Encoding of Secure Common Alert Protocol Entities (ESCAPE)
draft-barnes-atoca-escape-02.txt
Recipients of emergency alerts need to be able to verify that an alert they receive was issued by an authorized source. The Common Alerting Protocol (CAP) provides a standard way of encoding alert information. This document describes a security wrapper for Common Alerting Protocol objects to allow alerts to be signed by alert originators.
Please send feedback to the atoca@ietf.org mailing list.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 11, 2013.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Emergency alerting is an increasingly important function of telecommunications networks, allowing authorities to distribute warnings of impending danger to large numbers of end users in a short period of time. However, because emergency alerts are such important messages to users, there is much more potential for abuse of alerting than other messaging systems. If an attacker can introduce a false emergency alert, he may be able to cause mass action, such as the evacuation of a building or city.
Traditionally, the security of alerting systems has been based mainly on the security of the system by which authorities provide alerts to broadcast points, and on the link-layer security of broadcast media that deliver alerts to end users. For example, alerting systems for cellular networks typically rely on sending alerts over the cellular control plane, so that only the local carrier can deliver alerts to an end device. Alerting via broadcast media such as television or radio is protected by legal limitations on the ability to transmit above certain power thresholds in portions of spectrum used for broadcast media (e.g., television stations).
In the context of the Internet, it is impossible to rely on link-layer security because IP runs over many types of link that have no analogous access controls. Indeed, alerts may transit multiple different types of network en route to end devices. For example, if an alert is delivered to a device that routes between cellular, Ethernet, and 802.11 interfaces, the router may need to translate an alert delivered by the cellular control plane into an IP datagram that can be delivered over Ethernet or 802.11. There is thus a need for an end-to-end security mechanism for alerts, so that an endpoint can verify that an alert is authentic even if the alert arrives over an untrusted interface.
This document describes ESCAPE, a secure container format for the Common Alerting Protocol (CAP) [CAP]. CAP documents provide information about an emergency alert; ESCAPE-wrapped CAP documents also provide security information that can authenticate the originator of the alert. Using this additional information, end alert recipients can verify that ESCAPE-wrapped alerts were originated by entities they trust, and reject false alerts from untrusted entities.
Note that ESCAPE validation is not a complete security solution for alerting. ESCAPE validation will authenticate the originator of an alert; it is up to the device to determine whether the originator is trusted. In general, this will require that devices be provisioned with credentials for trusted entities, either via manual provisioning (e.g., static keys in device firmware) or by some dynamic provisioning protocol.
Likewise, ESCAPE validation only proves that an alert came from an authorized originator, not whether the alert is relevant to the recipient in a more general sense. For example, the recipient may be outside the target area of the alert (as described by the <area> element of the CAP document). Alert applicability involves more than authenticity: it includes location, jurisdiction, and possibly other locale-specific factors. Other specifications may make additional requirements on the contents of CAP documents, or require endpoints to make checks on encoded CAP document beyond the basic validity check required by this document.
For purposes of this document, we assume that potential recipients of ESCAPE objects can be provisioned with two types of credentials: public keys and "alert token hashes". A public key for an authority is used to validate digital signatures by that authority. Alert tokens provide a faster rough authentication.
An alert token is a single-use binary string that is used as a fast authentication check, according to the process described in [RFC2289]. Clients are provisioned with a cryptographic hash that was produced by multiple iterations of a hash function against a secret binary string. Although the final hash is published to recipients through some provisioning process, the sequence of preimages, including the original secret string, are known only to an authorized server. These preimages are used in reverse order as the alert tokens. On receiving an alert token, a client hashes it one or more times to verify that it is indeed a preimage of the publicly provisioned hash, or optimally, the immediate preimage of the latest alert token. (Thus, alongside alert tokens, the provisioning system must specify the hash function used to verify the alert token as well as an iteration limit.) The detailed steps for verifying an ESCAPE object using a collection of provisioned public keys and alert tokens is described in Section 4.3.
The high-level operation of an ESCAPE-based alerting system can be summarized as follows:
This document defines procedures for generating, re-signing, and verifying alerts (steps 2, 4, and 5 above). The mechanisms used for provisioning trusted credentials (step 1) and for the actual delivery of alerts (step 3) are beyond the scope of this document.
Should we always apply GZIP to the entire encoded message? Pro: Slightly smaller message size. Con: Will need to require GZIP for all messages or add content transfer encoding indication.
Should we allow DER-encoded CAP as well as XML-encoded CAP? Pro: Smaller message size. Con: Clients need to support two encodings, although MIME content indication allows simple switching.
Should we constrain crypto algorithms? Pro: Marginally simpler implementation. Con: Need to maintain a list of supported algorithms. Could also do this in another document.
Should we require a public-key signature, or allow reliance on token checks alone? Pro: Enables cases with no public-key operations. Con: Risk of replay attacks using old tokens.
Should we move the Alert-Token field from the inner (signed) MIME entity to the outer (unsigned) MIME entity? Pro: Allows relays to add tokens. Con: Allows relays and attackers to remove or change tokens.
Should we use JOSE instead of S/MIME? Pro: Simpler to implement; might make it easier to have multiple, detached signatures with their own alert tokens. Con: Less mature, fewer libraries.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
The ESCAPE format encapsulates a CAP document as an S/MIME object [RFC5751]. First, the CAP document is encoded as a MIME entity [RFC2045], then the MIME entity is signed using S/MIME.
CAP XML documents have MIME type "application/cap+xml". An alert originator may choose to apply the gzip compression scheme to the alert before sending it. If the alert is compressed, the originator must encode the compressed alert using the base64 encoding scheme before transmitting it [RFC1952][RFC4648]. A CAP MIME body thus has the following properties:
ESCAPE introduces a new MIME header, Alert-Token, which provides a rough form of authentication. If alert recipients are configured with an algorithm for checking the validity of a token, along with the appropriate authentication material, the recipient of an alert message can check the validity of the value in the Alert-Token field before performing full S/MIME validation on the ESCAPE object. The Alert-Token field contains a single opaque binary string, encoded in base64. The ABNF syntax ([RFC5234]) for the field is as follows, where "base64" is as defined in RFC 4566 [RFC4566]. (Here we also follow the usual conventions with regard to whitespace in MIME headers.)
Alert-Token = "Alert-Token" ":" base64
An ESCAPE MIME entity MAY contain one or more Alert-Token header fields. Any header fields other than "Content-Type", "Content-Encoding", "Content-Transfer-Encoding", and "Alert-Token" MAY be ignored by alert recipients.
The Alert-Token authentication system implements an iterative hash-preimage scheme based on the same technique used by Lamport's One-Time Password system [RFC2289]. Such a scheme can provide rough authentication when the communication channel is adequately integrity-protected (e.g., by the signature on the ESCAPE object).
The Alert Originator, such as a government authority, first generates a sequence of one-time-use alert tokens, which are initially kept secret, known only to the Alert Originator. To do so, the Alert Originator chooses an iteration limit (n), and computes a hash chain starting from a secret binary string (s), and iteratively applies a cryptographic hash function (h) up to n times:
s, h(s), h^2(s), ... , h^(n-1)(s), h^n(s)
The final hash, h^n(s), is publicly provisioned (out of band) to the clients, along with the iteration limit, n. All previous elements of the sequence are initially kept secret by the authority for use as alert tokens. Note that once a token in the above sequence is public, so are all subsequent tokens. Each independent authority computes its own sequence of tokens, so each authority provisions one ordered pair (final_hash, iteration_limit) to the recipients.
When sending an emergency alert, the Alert Originator inserts an alert token in an Alert-Token header in the ESCAPE message and transmits the alert. The value of this token will generally be the immediate hash-preimage of the previous alert token. An Alert Recipient device receiving the message verifies the Alert-Token by iteratively computing the hash value of the alert token until it matches the most recent public hash, or until the iteration limit is reached. If a match is found, then the alert token is considered valid. Otherwise, the alert token is considered invalid.
To diminish the chances of replay, when the Alert Recipient encounters a valid Alert-Token, it MUST update its record of the "most recent public hash" and decrement the iteration limit. Replays of the same token MUST be rejected.
After a CAP message has been encoded into a MIME entity, an S/MIME signature is applied, following the S/MIME procedures for constructing a signed message of type "multipart/signed" (Section 3.4 of RFC 5751 [RFC5751]). The following constraints apply to the S/MIME encoding used in ESCAPE messages.[RFC3370][RFC5754]. Implementations MAY include additional algorithms, but alert signers SHOULD NOT sign alerts with non-standard algorithms, since some recipients may not be able to process them.
Except the constraints above, software to verify ESCAPE alerts MUST include full S/MIME support, including all defined cryptographic algorithms
An ESCAPE object is valid if and only if all of the following conditions are true:
An entity verifying an ESCAPE object MUST verify both of these criteria, but MAY check them in either order and omit further checks after the object fails one check. In particular, performing the token check before decoding and verifying the CMS signature may avoid the work of signature verification.
Note that the alert token mechanism is a much weaker form of authentication than a public-key signature. For example, a malicious actor that receives an alert token could use it to send bogus alerts to entities that had not yet received it. An alert recipient that is not provisioned with trusted public keys should thus treat alerts verified only by an alert token as suspect (e.g., by providing warnings in a user interface). A verifying entity SHOULD NOT accept ESCAPE objects if it is configured with neither trusted public keys nor valid tokens.
There are three main phases in the life-cycle of an ESCAPE object. First, it is created and signed by an alert originator. Second, it may pass through an alert relay that adds a signature under its key. Finally, it is received and verified by an end recipient. This section describes the steps that each type of entity follows to sign, re-sign or verify an ESCAPE object.
Inputs:
Processing steps:
Output: ESCAPE message
Inputs:
Processing steps:
Output: ESCAPE message
Inputs:
Processing steps:
If any of these headers are invalid, then return the CAP message is malformed. Return FALSE.
Output: Verification status
Consider the following CAP message:
<?xml version = "1.0" encoding = "UTF-8"?> <alert xmlns = "urn:oasis:names:tc:emergency:cap:1.1"> <identifier>43b080713727</identifier> <sender>hsas@dhs.gov</sender> <sent>2003-04-02T14:39:01-05:00</sent> <status>Actual</status> <msgType>Alert</msgType> <scope>Public</scope> <info> <category>Security</category> <event>Homeland Security Advisory System Update</event> <urgency>Immediate</urgency> <severity>Severe</severity> <certainty>Likely</certainty> <senderName>U.S. Government, Department of Homeland Security</senderName> <headline>Homeland Security Sets Code ORANGE</headline> <description>The Department of Homeland Security has elevated the Homeland Security Advisory System threat level to ORANGE / High in response to intelligence which may indicate a heightened threat of terrorism.</description> <instruction> A High Condition is declared when there is a high risk of terrorist attacks. In addition to the Protective Measures taken in the previous Threat Conditions, Federal departments and agencies should consider agency- specific Protective Measures in accordance with their existing plans.</instruction> <web>http://www.dhs.gov/dhspublic/display?theme=29</web> <parameter> <valueName>HSAS</valueName> <value>ORANGE</value> </parameter> <resource> <resourceDesc>Image file (GIF)</resourceDesc> <uri>http://www.dhs.gov/dhspublic/getAdvisoryImage</uri> </resource> <area> <areaDesc>U.S. nationwide and interests worldwide</areaDesc> </area> </info> </alert>
Suppose an alert signer has the following RSA key pair, encoded as a PEM-encoded private key and self-signed certificate [RFC1421]:
-----BEGIN PRIVATE KEY----- MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMqjkUYoHtH+uLPo w3FNAlpHyT5BG0KWjN6hG7LUgh2GP+c2wmyavn9+ShwEe1CG9qgwa1apqNl/7BTY UoRTCsSMlg43N+3X5OJSVHSALhR/IDcItf32jLUUD88lgKUoXI145GpeXRG3OARx vA0ONhvC6MdSB0gW8jx/7Vz6q+mPAgMBAAECgYB2sqtlMhkjnxaoY/8f/iETqxsp uU9ziOaJfkvQTATPsJT8JiprHZXa7qoQkVt+hyAy0vH9OLJsfS9X4oMrec1C22Jm 1EUqOqg+CXLye0OPSYckZukEPAt3EyQNBg4BIZFWC4ouKVcy0UECuL5X6oZ5Z5us nMJ0wHI8n6ghiY620QJBAPFm6sNOOZqs0jFutbHWm5eQ7vbNynGYcm4S2v7Esnyn GKy2iMf8MMiJjqmJiYQ47wn/Rm5rljNu/eTPNopcKhkCQQDW5JGsV6piWLN4fvg9 tpv0OG/mqJUBwjEejGg0LzupQiHociEg+cm+IPP61NX/MXoQXQIoFKcc6nXXq4rt +PXnAkEAiurg2nefqqUdaJj/MlH/w98BxUFz6J8D6tgq8kWbOSSnjGyWlg9Iu359 fI7Ldi2VUbl3fH+pNfv/W7bq+gBDsQJBAMKNsa18uQ/NCr9/BLSqzUswhW8pFa6/ 58SmjfkhAjzdWOGf4op+W749C2b+prgiTUbfTgKHoDy3sPUPo/qLueUCQQCdIdRB 3SrfM1gedy2h20RiFu6Ew1GCFSK2DUv60BcZJmbazVCNFQq8wBtHuqHew/7hxmtA DtxHTLote/VHyOj7 -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIICKTCCAZKgAwIBAgIJAIGuauj9u0i0MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX aWRnaXRzIFB0eSBMdGQwHhcNMTExMDAzMjEzNDIzWhcNMTIxMDAyMjEzNDIzWjBF MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB gQDKo5FGKB7R/riz6MNxTQJaR8k+QRtClozeoRuy1IIdhj/nNsJsmr5/fkocBHtQ hvaoMGtWqajZf+wU2FKEUwrEjJYONzft1+TiUlR0gC4UfyA3CLX99oy1FA/PJYCl KFyNeORqXl0RtzgEcbwNDjYbwujHUgdIFvI8f+1c+qvpjwIDAQABoyEwHzAdBgNV HQ4EFgQUKcxEepHj4Yr7+WDTS28DWxXcIvMwDQYJKoZIhvcNAQEFBQADgYEAVYsY /ZghXf3TfAR6eW6MmQpzPR0oBO9JHjf4Wic87WkxCFPNW/pSIMO67ZoIOjU4b0Is VOmcyPSHP8q0a0DS4f3rt9wF6VypcxLtaqkFD4lMRaoYNPvSwTSEBJj5yioPYsl7 OV5UgywTR5QueYK7YFyY+7gwUksTwtka6IIBlTk= -----END CERTIFICATE-----
Then if the signer signs the alert with the above private key and the token "foobar", he will create the following ESCAPE message:
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="----C16CFF6F1CB606631B8BBD4B5B43051F" ------C16CFF6F1CB606631B8BBD4B5B43051F Alert-Token: asdfasdfasdf Content-Type: application/cap+xml <?xml version = "1.0" encoding = "UTF-8"?> <alert xmlns = "urn:oasis:names:tc:emergency:cap:1.1"> <identifier>43b080713727</identifier> <sender>hsas@dhs.gov</sender> <sent>2003-04-02T14:39:01-05:00</sent> <status>Actual</status> <msgType>Alert</msgType> <scope>Public</scope> <info> <category>Security</category> <event>Homeland Security Advisory System Update</event> <urgency>Immediate</urgency> <severity>Severe</severity> <certainty>Likely</certainty> <senderName>U.S. Government, Department of Homeland Security</senderName> <headline>Homeland Security Sets Code ORANGE</headline> <description>The Department of Homeland Security has elevated the Homeland Security Advisory System threat level to ORANGE / High in response to intelligence which may indicate a heightened threat of terrorism.</description> <instruction> A High Condition is declared when there is a high risk of terrorist attacks. In addition to the Protective Measures taken in the previous Threat Conditions, Federal departments and agencies should consider agency- specific Protective Measures in accordance with their existing plans.</instruction> <web>http://www.dhs.gov/dhspublic/display?theme=29</web> <parameter> <valueName>HSAS</valueName> <value>ORANGE</value> </parameter> <resource> <resourceDesc>Image file (GIF)</resourceDesc> <uri>http://www.dhs.gov/dhspublic/getAdvisoryImage</uri> </resource> <area> <areaDesc>U.S. nationwide and interests worldwide</areaDesc> </area> </info> </alert> ------C16CFF6F1CB606631B8BBD4B5B43051F Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIIBxQYJKoZIhvcNAQcCoIIBtjCCAbICAQMxCTAHBgUrDgMCGjALBgkqhkiG9w0B BwExggGTMIIBjwIBA4AUKcxEepHj4Yr7+WDTS28DWxXcIvMwBwYFKw4DAhqggdgw GAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTExMDA0 MTUzMzM4WjAjBgkqhkiG9w0BCQQxFgQUG0dU/Z+LJg/29/4nvzkou4Bion4weQYJ KoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFl AwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAw BwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYBDIjpmJ2uP nbFJqb35p7dGKdoWyh0Q0LUKr9SxOWkmvK9K6AB/Bodzlo1U5hGVqX10p7HqUWW9 SMt3DXB8sxSbEOrD0HUsdsQvmoulfWNAX5ZphS7jvy1LeR9qrYp8zyzUd1bWSOZA kQKwpg6PRyVYArqG8uAD00CW0elL34WKLQ== ------C16CFF6F1CB606631B8BBD4B5B43051F--
If the signer also applies the GZIP encoding and attaches the token, he will create the following ESCAPE message:
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="----C6A0932DF53B0609D38DC49A7E492DB3" ------C6A0932DF53B0609D38DC49A7E492DB3 Alert-Token: foobar Content-Type: application/cap+xml Content-Transfer-Encoding: base64 Content-Encoding: gzip H4sIADZhik4AA4VUW27bMBD8L5A7LPzVArUpJynSCopSI2keQF+onQMw5NoiQpE CSdnx7bukJFtBi/ZL4nBn9sktrl5qDVt0XlkDlzCZz7IJoBFWKrOJwOPqdvpxcl XCyZuCa3QBiGF8vGqdyS33yueG1+jzIHKs0W2Ivs8Fb/L5bD6JRCiURBPUWqErz 8+eso/Zxfzs4vSiYKMLgGTq0Ug6VZ77z7Lys43dFqwHjyahPM2ys2l2Ps1OV/Pz /OxTns2n2Yc8y5J16Pz6wEPry4UILdd00R17mdpvVvsGy0VMq2DDsSMKS78/2ye tBPHSqacps7bJCKAQPODGun25RNE6FfYFO0AAHYHMcBsjurc1am4kDMawkFvlyR aWex+whsdGErtgnf1IoO2qWj7UNUqVbAZoZOWJF3UpGvrBWIgeGBkJSpYrQ+BX9 Yw6RnxAXmnFin+nxpaPs+UM7ixJmZriet9Z3GDDXYgA2DX8kdvQs6TQa1bIpVYG /1KJJQYP11Yi/Pi1+H73pWAH454s0QunmkCDWq4q/J9/qLjvmKhxSxWTEIj1/x6 EyiEPQCTUiR9sHxMwuFebCpQBh76xxmO8pMqh1ip2A2FXKVFBzfedb2WkigMBHC okbkCTAkkuKOyAzlmnfD0r2DjBPmdlfHCt6KBF5/3akmZEQHmQKDR3JLmr0MQEH UaYd/wq2pP689hVAB4CF89+Bg8GuOzFKJFYn8T76WxA8rpF+Ibct5QtBP5MHlRy Ao3DrbKth1WXySEm3w/HLVLruab4hiZRUFR1HqukSM5XttUSBFFoBbjuYj9NZN+ goJUg/hoHRcCFsE7yVG4VqhiRcn2vXyjBuLkaarKnor6q4DDbO3wqqxCanLHdbj frtwyjb5MePJPKk8D+ipRrvDz9VLBI6dmUEc10iOsoAQRtuW4xTfr9crEs2PH82 qQchrs79YJspHh8gJSsbZ0YSQzIDQ0KbQIqGayVRnh793D7rmCvro9CaXuof+e7 wTA8g6Qbt4s6hHeM5BgdDR3vzmNHEU3u08owPJZ9R/1NvY/vhKRoEnbWaRnxgh0 YI23Wi8dly4ZtS2hc0+XJm9+QWcJ8tAYAAA== ------C6A0932DF53B0609D38DC49A7E492DB3 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIIBxQYJKoZIhvcNAQcCoIIBtjCCAbICAQMxCTAHBgUrDgMCGjALBgkqhkiG9w0B BwExggGTMIIBjwIBA4AUKcxEepHj4Yr7+WDTS28DWxXcIvMwBwYFKw4DAhqggdgw GAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTExMDA0 MDEyODIyWjAjBgkqhkiG9w0BCQQxFgQUh4vjrIyFiLJE0T6IK4OksdV+zBAweQYJ KoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFl AwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAw BwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYB4SiBnr3vC T//nsi1NuSsb5/uSfBvJjtlTyr1SuqLaanqbeSoASflaqu6N/07LZpQI4m1PRq8V Qa/4HO0IDLAuYlwdXUoHQWcqePla6WHTp4U6s358JFkr2bg47nZ6Sgr41MMdC+9P OYWrmvTPTQOX/vbSUFAApJg4QP3O6PKunA== ------C6A0932DF53B0609D38DC49A7E492DB3--
This document requires no action by IANA.
This document defines a secure alert format that allows alert originators to apply S/MIME digital signatures to a CAP alerts [RFC5751], and to enclose an additional rough authenticator based on a one-time password scheme [RFC2289]. The security considerations discussed in the specifications for those security mechanisms apply here as well.
This document does not address the question of which signers or alert tokens should be accepted as authorized alert originators. There is a need for some out of band process for provisioning public keys and alert token hashes to potential alert recipients. Obviously, if that process can be exploited to cause alert recipients to trust an unauthorized public key, then affected recipients will be at risk of accepting inappropriate alerts under that public key (assuming the attacker can deliver the alert to the recipient). The risk is lower with regard to alert token hashes, because they are only used as a rough check to avoid signature verification on obviously bogus alerts. If an attacker can cause only unauthorized alert hashes to be provisioned as trusted, and not unauthorized public keys, then he will only be able to waste resources on recipient devices by forcing them to verify bogus signatures.
Finally, a note on the choice of security technology. The CAP specification does provide for alert signing, using XML-DSig. In this document, we use S/MIME as a simpler mechanism for signing. Because S/MIME signs over a serialization of an XML document rather than the logical structure of the document, it does not require XML canonicalization (as XML-DSig does). Using S/MIME also means that ESCAPE can accommodate alerts that are not encoded in XML, such as DER-encoded CAP alerts, both because the signature computation is agnostic to the format of the signed content and because MIME provides content type indication.
[TODO]
[I-D.ietf-atoca-requirements] | Schulzrinne, H, Norreys, S, Rosen, B and H Tschofenig, "Requirements, Terminology and Framework for Exigent Communications", Internet-Draft draft-ietf-atoca-requirements-03, March 2012. |