Re: [6lowpan] Comments on draft-sarikaya-6lowpan-cgand-00
Behcet Sarikaya <behcetsarikaya@yahoo.com> Wed, 27 April 2011 15:27 UTC
Return-Path: <behcetsarikaya@yahoo.com>
X-Original-To: 6lowpan@ietfa.amsl.com
Delivered-To: 6lowpan@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15EFCE0801 for <6lowpan@ietfa.amsl.com>; Wed, 27 Apr 2011 08:27:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.03
X-Spam-Level:
X-Spam-Status: No, score=-2.03 tagged_above=-999 required=5 tests=[AWL=0.569, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kdN7HdrtEmNl for <6lowpan@ietfa.amsl.com>; Wed, 27 Apr 2011 08:27:16 -0700 (PDT)
Received: from nm15-vm1.bullet.mail.sp2.yahoo.com (nm15-vm1.bullet.mail.sp2.yahoo.com [98.139.91.209]) by ietfa.amsl.com (Postfix) with SMTP id D61EBE07FF for <6lowpan@ietf.org>; Wed, 27 Apr 2011 08:27:15 -0700 (PDT)
Received: from [98.139.91.70] by nm15.bullet.mail.sp2.yahoo.com with NNFMP; 27 Apr 2011 15:27:12 -0000
Received: from [98.139.91.32] by tm10.bullet.mail.sp2.yahoo.com with NNFMP; 27 Apr 2011 15:27:12 -0000
Received: from [127.0.0.1] by omp1032.mail.sp2.yahoo.com with NNFMP; 27 Apr 2011 15:27:12 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 653447.21404.bm@omp1032.mail.sp2.yahoo.com
Received: (qmail 97088 invoked by uid 60001); 27 Apr 2011 15:27:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1303918032; bh=8UzaMiKLcvwGYbaSOGCEj95+YnF1BaktU8edsBmnt3A=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=ROYAQ4z1Rs6IO2FCcVG9uuff9IGHM0BW/jQezXMG7ZQcsTFP6Aa9Vu4f0fzij7MMLPTEo2XqUwPLiLolb7mFAvRDtmDxp39pyB3Ow7Kau4otuvtku+Lf9LGcPmzwhvQeI7O2uY3ue4P26WGwMC3BhBsrdAvBV/VBq0pXX/92U58=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=6Epjvrmm3TZ6Fi2U8ZJyjoPzzx8ArMitMY3GanRaNx+qOTh+sJbPi5pW3g/8T0jYA8ijMEVRbv7tcnaJ8BvSQjCghNwF7izKEECTYZW08s7Pa+v7Y9lGySrPkIX7VAaRlRdFluyL7oLRlOJZB95Jd5PJkapLSejTs2Gj7OLVOUA=;
Message-ID: <35734.97070.qm@web111408.mail.gq1.yahoo.com>
X-YMail-OSG: kvy9omkVM1mrNYAr8F5KzdF67I_CR5GQhYZMLVc3SNQkHri vm2tcRW0orZdNTeg7TPkSvgcQFvVvwbmYIMx85h8Ja0CCUpoDQ_gZW4X8ZXn B1kgJZgb2CXy1VvrO18eXz1VafH9EAHWYPOI6k.PI0RYJvLiLKHpKALsJG.Z .x0AZ0EQqZe6jwXF.zHexy2nF.llxfRM4llsldc22hnA6e8SgJt9eN2Ys4Em OREhG54HJ1S_0vZytMfpxSPSkIwe53HKY6.OUy3NURXEWrkzymK1rmAjg9as bQl0ZF3kjzH6vngBwo0X.CfnGIvqlUeratkAlzu6fCQwaPR.eY5Mf3rSeCV. P9OEu0EmkQ46SG9gZoPIuR36hXpuoMW1zalaDpkLedCx63g2xpcDKqMMZXLv lrbWGZ2pt4ddD4w--
Received: from [206.16.17.212] by web111408.mail.gq1.yahoo.com via HTTP; Wed, 27 Apr 2011 08:27:11 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.110.299900
Date: Wed, 27 Apr 2011 08:27:11 -0700
From: Behcet Sarikaya <behcetsarikaya@yahoo.com>
To: Greg Zaverucha <gzaverucha@rim.com>, "6lowpan@ietf.org" <6lowpan@ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [6lowpan] Comments on draft-sarikaya-6lowpan-cgand-00
X-BeenThere: 6lowpan@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Behcet Sarikaya <sarikaya@ieee.org>
List-Id: Working group discussion for IPv6 over LowPan networks <6lowpan.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lowpan>, <mailto:6lowpan-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6lowpan>
List-Post: <mailto:6lowpan@ietf.org>
List-Help: <mailto:6lowpan-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lowpan>, <mailto:6lowpan-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2011 15:27:17 -0000
Hi Greg, Thanks for your careful reading. My replies below. > Comments on draft-sarikaya-6lowpan-cgand-00 > "Lightweight Secure Neighbor Discovery for Low-power and Lossy Networks" > > I think the draft is a good idea, providing an important security feature > to neighbor discovery. The draft proposes a protocol called LSEND: Lightweight > Secure Neighbor Discovery. Thanks for the comments. > > Here are some comments on the draft. > > The introduction could do a better job of describing how LSEND relates to >other > drafts. LSEND is very close to SEND (RFC 3971) but uses ECDSA instead of RSA. > SEND was designed to secure ND (RFC 2641) but RFC 2641 was obsoleted by RFC > 4861. Do the changes from 2641 to 4861 break SEND? Can the SEND protocol be > used with the 6lowpan version of neighbor discovery, described in > draft-ietf-6lowpan-nd-15? (It appears so, LSEND + draft-ietf-6lowpan-nd-15 is > described in Section 5.) This should be RFC 2461 not 2641. Section 11.2 in 4861 says that SEND is one possible protocol to use for 4861 or ND. As we explained in Section 3, SEND as is can not be used so we need LSEND. > > In Section 1, an additional motivation is that key generation (required for >CGA > on low power hosts) is computationally much cheaper with ECDSA than RSA. OK > > The references for ECDSA (there are two: SEC 1 and FIPS 186-3) should both > appear in one place, I'd suggest under "Digital Signature" in Section 4.1, >page > 5. The reference to SEC 1 should also be updated to version 2.0 (May 2009). > Since SEC 1 is specifying ECDSA for use with LSEND, I think it should be a > normative reference. OK > A reference to the SECG standard "SEC 2: Recommended Elliptic Curve Domain > Parameters version 2.0" could also be added as an informative reference since > it contains relevant information about the EC domain parameters used by LSEND > (the named curved secp256r1). > OK > In Section 4.2, the Key Hash is computed with SHA-2 instead of SHA-1 because >of > the weakness of SHA-1. From what I can tell, the Key Hash field is not > authenticated (signed), since the Digital Signature Option signs the preceding > options (c.f., Section 5.2 of SEND, RFC 3971), and some other information, but > not the Key Hash. From RFC 3971, the purpose of the Key Hash is "to associate > the signature to a particular key known by the receiver". Since the Key Hash >is > being used only to help the receiver use the right key, and could be modified > in transit, I don't think it needs to be computed with a cryptographic hash > function at all, even just truncating the public key to 128 bits would be OK. > That said, I don't see a problem with using SHA-2 here, since it must be > implemented for ECDSA anyway. I just think the text is misleading by saying >the > Key Hash is computed with SHA-2 for security reasons. Following the same > reasoning, LSEND could reduce the size of Key Hash to 64 or 48 bits to save > bandwidth, if desired. Yes, as it has recently been debated on the CoAP list, SHA-2 is the way to go. As for Key Hash, in our draft, it is used as in 3971 except SHA-2. Reducing its size can be considered. > In Section 4.2 the sequence of octets to be signed is given by Section 5.2 of > RFC 3971 (SEND). The first input is a "CGA Message Type Tag for SEND", a > 128-bit constant. Should LSEND define its own CGA Message Type Tag? > Good point! We had assumed the same value as SEND. Why not a new value? Just now I generated one 0xE8C47FB7FD2BB885DAB2D31A0F2808B4 > Figure 1, caption: LLA is undefined in this document. Good catch. It should be LLN. > > Section 5.1. For the given domain parameters, an 88-octet ECC public key is >not > using point compression, as defined in RFC 5480, Section 2.2. By using point > compression the size of the public key is reduced by 32 octets, to 56. Section > 4.3 should specify that point compression be used when describing how the > public key is to be encoded. Agreed. > > General comment: The fast verification feature of ECDSA would be applicable >for > this draft. The ECDSA signing algorithm is not changed, but verification is > implemented with an equivalent computation that is more efficient. The > verification efficiency is even greater if the signer includes one bit of > ``side information'' as a convenience to the verifier. In LSEND this extra >bit > could come from the reserved bits in the Signature option header, or the Key > Hash could be reduced from 128 bits to 127 bits. If a particular signer or > verifier does not implement the fast verify techniques, they may still > interoperate with those that do. The fast verify convention will allow border > routers to process a larger number of signatures. > Page 12 of this paper describes the verification technique: > http://www.cacr.math.uwaterloo.ca/techreports/2005/cacr2005-28.pdf > This draft is also on the subject of fast verification: > http://tools.ietf.org/html/draft-struik-ecc-efficiencies-00 OK, I understand. Of course this feature (accelerated verification) could be incorporated if there is enough interest. Regards, Behcet
- [6lowpan] Comments on draft-sarikaya-6lowpan-cgan… Greg Zaverucha
- Re: [6lowpan] Comments on draft-sarikaya-6lowpan-… Behcet Sarikaya