Re: [6tisch] [6tisch-security] X.509 Cert sizes and joining flows
Rene Struik <rstruik.ext@gmail.com> Fri, 31 October 2014 16:26 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4A921A01BA; Fri, 31 Oct 2014 09:26:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_28=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zcf4DKJmoktI; Fri, 31 Oct 2014 09:26:41 -0700 (PDT)
Received: from mail-ie0-x232.google.com (mail-ie0-x232.google.com [IPv6:2607:f8b0:4001:c03::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 161481A0060; Fri, 31 Oct 2014 09:26:41 -0700 (PDT)
Received: by mail-ie0-f178.google.com with SMTP id rp18so1603529iec.37 for <multiple recipients>; Fri, 31 Oct 2014 09:26:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=41T0uNYJgSl/quJrIYH/tOG1+rn+jX+dgerFQHhrefI=; b=0dM67Re4gkxPTdKLQCEplgQ2f2j9fQJRcYkAggVdub8D0qznx0IHhh0ijUuS2gniYf Jfi+kDwz9DwAic8TZyn6xt0wTSPc9OSE1hXmol5k40ihWecG0WCIE+1pVWdKIO+/WdQZ nXqarg1WSnVqoWFeR4ftSzLqvT4d/CtwQBVwd+WJ+5XOC4l9fKc52vYC/z8LxQlAZto8 u6Btj1UqVtPCwwUfNQvr8kPUBYZ/5wohO66GeO3evk3vqsBi5x5gHnE5+7sz4zcGTEaO xqzstNemZLGlGMpfwK1Wk33JS5Tk8ZMyUJAyhKOHkCg0PnYCqELsg2SvGF5yXndddWDN /y/A==
X-Received: by 10.107.128.146 with SMTP id k18mr4084454ioi.69.1414772800455; Fri, 31 Oct 2014 09:26:40 -0700 (PDT)
Received: from [192.168.0.10] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.231.49.38]) by mx.google.com with ESMTPSA id q8sm5421974ioe.1.2014.10.31.09.26.39 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 31 Oct 2014 09:26:40 -0700 (PDT)
Message-ID: <5453B837.5040305@gmail.com>
Date: Fri, 31 Oct 2014 12:26:31 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Jonathan Simon <jsimon@linear.com>, "Pascal Thubert (pthubert)" <pthubert@cisco.com>
References: <3C90505D-AF81-493B-A29A-86F2A1A5A207@linear.com> <E045AECD98228444A58C61C200AE1BD848A2B5F4@xmb-rcd-x01.cisco.com> <CDBBFFF6-8497-404A-99DF-7F2EB1B6276A@linear.com>
In-Reply-To: <CDBBFFF6-8497-404A-99DF-7F2EB1B6276A@linear.com>
Content-Type: multipart/alternative; boundary="------------080607040209020002050206"
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/b9IwpOCdmA5NMBX7cJOmi0fBAUY
Cc: "6tisch@ietf.org" <6tisch@ietf.org>, "6tisch-security@ietf.org" <6tisch-security@ietf.org>
Subject: Re: [6tisch] [6tisch-security] X.509 Cert sizes and joining flows
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Oct 2014 16:26:44 -0000
Hi Jonathan: The join protocol includes (1) authentication; (2) authorization; (3) configuration steps. Without hands tied behind the back with protocol design, I anticipate the main communication overhead of the join protocol to be with the configuration step (#3) and *not* with the underlying authenticated key agreement scheme (#1). Here, configuration relates both to security manager to joining node info and vice-verse. See also item #a of my May 20, 2014 email -- _which is still outstanding BTW._ Que - Would you like to take this one on? {as first step, what about providing a rough number, say, 1500 bytes [fill in correct number here]}. Some brief feedback on certificate sizes: a) certificates should definitely have policy fields, including key validity period. b) certificate compression is of course possible, including that of certificate issuer (whether the latter would be prudent remains to be seen). c) some of your figures are too pessimistic, e.g., P-256 keys are 65 bytes in uncompressed format; ECDSA signatures are 64-bytes. EUI-64 could be used as SubjectPublicKey field, but depends on naming issues (see item #b of my May 20, 2014 message). d) there is no absolute need to use X509 certs, which would add considerable freedom to cut down overhead. I estimate one can implement the authentication scheme (#1) with one or two 802.15.4e frames in each protocol flow (assuming cert chains of length one). Email of May 20, 2014 with outstanding issues: http://www.ietf.org/mail-archive/web/6tisch-security/current/msg00086.html a) Packet sizes: get more info on packet sizes configuration parms, as w/HART uses. Note RS: during call, Tom Phinney suggested contacting Wally Bratt from HART Comm. Foundation for this). Note RS: Shouldn't, e.g., Dust Networks have info on packet sizes/structure?; ISA SP100.11a metrics would also help, as would ZigBee 2.0 config parms. Does, e.g., Cisco have useful data points here? b) Device Ids: With industrial control, network manager would look up "tag name" device in pre-configured database. Details on tag name syntax, how assigned, and how bound to, e.g., EUI-64 are missing. Note RS: Perhaps, Tom Phinney could point at tag name syntax and lifecycle aspects here? On 10/31/2014 11:48 AM, Jonathan Simon wrote: > Pascal - > > Yes - I don’t know where the effort belongs though. I think we need a > standard way of compressing an X.509 cert with the goal of fitting it > in under 200 bytes. Maybe this compressed cert is only used at joining > in 6TiSCH, or maybe border routers can compress/decompress along with > the 6LoWPAN header so we can use it end-to-end. > > — > > Jonathan > > On Oct 31, 2014, at 3:17 AM, Pascal Thubert (pthubert) > <pthubert@cisco.com <mailto:pthubert@cisco.com>> wrote: > >> Hello Jonathan: >> Are you suggesting that we define a “6LoWPAN compression” for a >> certificate? >> Cheers, >> Pascal >> *From:*6tisch-security [mailto:6tisch-security-bounces@ietf.org]*On >> Behalf Of*Jonathan Simon >> *Sent:*vendredi 31 octobre 2014 00:31 >> *To:*6tisch-security@ietf.org <mailto:6tisch-security@ietf.org> >> *Subject:*[6tisch-security] X.509 Cert sizes and joining flows >> I voiced my concern a while back about certificate exchanges making >> joining really slow: >> http://www.ietf.org/mail-archive/web/6tisch-security/current/msg00023.html >> <http://cp.mcafee.com/d/k-Kr3x8pdEI8I3DXKce6XCQn1PapJ5MsO-rhs76zB5dAQsCT7DDD6bTdyd9aRw2zVg_oYKrfB3ZzOVJYwyUO-M_R-juoKODRXBQSnzhPP0VNZ5zBHFShjlhhpVkffGhBrwqrhdECXYyMCY-ehojd79KVI05bVKY01MjbX6NehDY05zAVkIjbQ-PspjbppKcvxf5q4rTKCPMedHj9JAfzc5mBiRundEIILK6Mmd96y0QJKjBiNcLjXdNBcIqnjh00TfTd79Ew4LzcQgkAavgQgr10Qg2dpgB0yq87jWCa6TT3u8qvt4qz> >> There I assumed a 300-byte compressed cert. Obviously, a 1500-byte >> cert is going to be 5x worse. >> One reason the certs are big is that there is a lot of stuff we don't >> need, or may not need, or could compress a la 6lo. >> Version: could be elided? >> Serial number: Maybe this is the EUI of the device (elidable). >> Signature: ~80 bytes for secp256r1 (128-bits protection). Needs to >> cover the full expanded X.509 fields. >> Issuer: may be compressible? >> Validity: 26 bytes - do we need to be able to revoke certs, or could >> this be handled on an app level. >> Subject: can be empty >> SubjectPublicKeyInfo: contains an algorithm definition (which can be >> elided if we only use one) or compressed (if we support a few), and >> the public key (32 bytes) >> IssuerUniqueIdentifier: optional >> SubjectUniqueIdentifier: optional >> Extensions: optional, but if we don't include a subject we might want >> to support subjectAltName, again probably in compressed form. >> SignatureAlgorithm: can be elided if we only use one or compressed if >> we support a few >> Other fields? >> Point is, I think we can get this to fit into 2 packets and I think >> that should be our target unless there’s a really a compelling reason >> to include fields. >> -- >> Jonathan Simon > > > > This body part will be downloaded on demand. -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- Re: [6tisch] [6tisch-security] X.509 Cert sizes a… Rene Struik
- Re: [6tisch] [6tisch-security] X.509 Cert sizes a… Rene Struik
- Re: [6tisch] [6tisch-security] X.509 Cert sizes a… Jonathan Simon