Re: [6tisch] [6tisch-security] X.509 Cert sizes and joining flows

Jonathan Simon <jsimon@linear.com> Tue, 04 November 2014 04:27 UTC

Return-Path: <jsimon@linear.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6222F1A6EF9; Mon, 3 Nov 2014 20:27:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SF8H98hP3afk; Mon, 3 Nov 2014 20:27:10 -0800 (PST)
Received: from p01c11o147.mxlogic.net (p01c11o147.mxlogic.net [208.65.144.70]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4752C1A1C03; Mon, 3 Nov 2014 20:27:09 -0800 (PST)
Received: from unknown [12.218.215.72] (EHLO smtpauth1.linear.com) by p01c11o147.mxlogic.net(mxl_mta-8.2.0-0) with ESMTP id c9558545.0.87062.00-345.214316.p01c11o147.mxlogic.net (envelope-from <jsimon@linear.com>); Mon, 03 Nov 2014 21:27:09 -0700 (MST)
X-MXL-Hash: 5458559d4ac8df2f-2bd25e51f53ffd51bf7ad1763bfa6e67b47ad9f0
Received: from mail-ie0-f179.google.com (mail-ie0-f179.google.com [209.85.223.179]) by smtpauth1.linear.com (Postfix) with ESMTPSA id 5B95C741EB; Mon, 3 Nov 2014 20:27:08 -0800 (PST)
Received: by mail-ie0-f179.google.com with SMTP id rl12so6574734iec.24 for <multiple recipients>; Mon, 03 Nov 2014 20:27:07 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.107.40.141 with SMTP id o135mr12267478ioo.26.1415075227895; Mon, 03 Nov 2014 20:27:07 -0800 (PST)
Received: by 10.107.15.151 with HTTP; Mon, 3 Nov 2014 20:27:07 -0800 (PST)
In-Reply-To: <54583572.6020502@gmail.com>
References: <3C90505D-AF81-493B-A29A-86F2A1A5A207@linear.com> <E045AECD98228444A58C61C200AE1BD848A2B5F4@xmb-rcd-x01.cisco.com> <CDBBFFF6-8497-404A-99DF-7F2EB1B6276A@linear.com> <5453B837.5040305@gmail.com> <54583572.6020502@gmail.com>
Date: Mon, 03 Nov 2014 20:27:07 -0800
Message-ID: <CAJeFcoROPXVyfTo02aUN7jxJY-ebqE-+5UV7uiLM=kMHvF0GfA@mail.gmail.com>
From: Jonathan Simon <jsimon@linear.com>
To: Rene Struik <rstruik.ext@gmail.com>
Content-Type: multipart/alternative; boundary="001a1141f0104a105f050700e0c8"
X-AnalysisOut: [v=2.1 cv=U/WGDIbu c=1 sm=1 tr=0 a=glloKNylpeYNumXQcclYyA==]
X-AnalysisOut: [:117 a=glloKNylpeYNumXQcclYyA==:17 a=BLceEmwcHowA:10 a=MqD]
X-AnalysisOut: [INYqSAAAA:8 a=pGLkceISAAAA:8 a=YlVTAMxIAAAA:8 a=1XWaLZrsAA]
X-AnalysisOut: [AA:8 a=48vgC7mUAAAA:8 a=SyYMxH9GAAAA:8 a=AUd_NHdVAAAA:8 a=]
X-AnalysisOut: [xNjghb5tWkwzJ54BojIA:9 a=LuZtJmNiMv6PlYp_:21 a=PepowG6E4-t]
X-AnalysisOut: [p0P4j:21 a=QEXdDO2ut3YA:10 a=wUAfXdCGL-oA:10 a=G1HyQLfxkfk]
X-AnalysisOut: [A:10 a=19wCD08tTksA:10 a=vsVyj9psLt0A:10 a=yRLhjdVT-pYA:10]
X-AnalysisOut: [ a=uztyEWA5df8A:10 a=qVizmW-ZYBIA:10 a=p-HxVa_ds0YA:10 a=A]
X-AnalysisOut: [eFSex2-gKoA:10 a=QxAq9r8ObNgA:10 a=B6niZy2Ubl4A:10 a=nJULN]
X-AnalysisOut: [bPdoQ66ZcHodqAA:9 a=FP_DtNxTU6GU4ckT:21 a=E9H_5z5ZNP6pEb0u]
X-AnalysisOut: [:21 a=zXgT6hFItCxjYJJd:21]
X-Spam: [F=0.6941747573; CM=0.500; MH=0.694(2014110326); S=0.200(2014051901)]
X-MAIL-FROM: <jsimon@linear.com>
X-SOURCE-IP: [12.218.215.72]
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/lBJ7t8nFs55wIxC1JWCFaGYYsbw
Cc: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, Jonathan Simon <jsimon@linear.com>, "6tisch@ietf.org" <6tisch@ietf.org>, "6tisch-security@ietf.org" <6tisch-security@ietf.org>
Subject: Re: [6tisch] [6tisch-security] X.509 Cert sizes and joining flows
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: jsimon@linear.com
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 04:27:14 -0000

For minimal, there's a link key and a DTLS session to establish. Maybe
something else I'm missing.

In a typical WirelessHART network, there are multiple end-to-end CCM*
security sessions,  run-time slotframes and links, mesh-under routing
information, set one or more timing parents, a bunch of timers (e.g. for
statistics collection)  -  somewhere ~ 5-600 bytes, but it isn't
necessarily as compact as CoAP could be.

Jonathan

On Mon, Nov 3, 2014 at 6:09 PM, Rene Struik <rstruik.ext@gmail.com> wrote:

>  Hi Jonathan:
>
> Do you have some ballpark numbers for the size of configuration info to
> play around with? Please see below (my Que to you of Fri Oct 31, 2014).
>
> Best regards, Rene
>
> On 10/31/2014 12:26 PM, Rene Struik wrote:
>
> Hi Jonathan:
>
> The join protocol includes (1) authentication; (2) authorization; (3)
> configuration steps.
> Without hands tied behind the back with protocol design, I anticipate the
> main communication overhead of the join protocol to be with the
> configuration step (#3) and *not* with the underlying authenticated key
> agreement scheme (#1). Here, configuration relates both to security manager
> to joining node info and vice-verse.
>
> See also item #a of my May 20, 2014 email -- *which is still outstanding
> BTW.*
> Que - Would you like to take this one on? {as first step, what about
> providing a rough number, say, 1500 bytes [fill in correct number here]}.
>
> Some brief feedback on certificate sizes:
> a) certificates should definitely have policy fields, including key
> validity period.
> b) certificate compression is of course possible, including that of
> certificate issuer (whether the latter would be prudent remains to be seen).
> c) some of your figures are too pessimistic, e.g., P-256 keys are 65 bytes
> in uncompressed format; ECDSA signatures are 64-bytes. EUI-64 could be used
> as SubjectPublicKey field, but depends on naming issues (see item #b of my
> May 20, 2014 message).
> d) there is no absolute need to use X509 certs, which would add
> considerable freedom to cut down overhead.
>
> I estimate one can implement the authentication scheme (#1) with one or
> two 802.15.4e frames in each protocol flow (assuming cert chains of length
> one).
>
> Email of May 20, 2014 with outstanding issues:
> http://www.ietf.org/mail-archive/web/6tisch-security/current/msg00086.html
> <http://cp.mcafee.com/d/FZsScxMOrhohvKUeLuVKVJ5MsOCrhs7cLCQn1NEVhjpd79JNVVVNyZPoziiJo0E-kfSfbCPVg_oYKr73DSnDS7-LOr0VBBPHTbFIEEYMY--OPORQr8FGEEFYG7DR8OJMddECQPt-jpoKMC--OCrKr01i-rL00s4O-NIjAp_01oVelb4OZfIT6kOSmrz7UjNmx6ZXLes3zsqjyT8HTxYMkh4-ndIKfe3zobZ8Qg6BJOsGm9BWvpKcFBziWq806V-VEVd40BYpCy2AxjW6y3o86y0hHa4E4jh0WvkNgS-Ur0gdCUmki>
> a) Packet sizes:
> get more info on packet sizes configuration parms, as w/HART uses. Note
> RS: during call, Tom Phinney suggested contacting Wally Bratt from HART
> Comm. Foundation for this).  Note RS: Shouldn't, e.g., Dust Networks have
> info on packet sizes/structure?; ISA SP100.11a metrics would also help, as
> would ZigBee 2.0 config parms. Does, e.g., Cisco have useful data points
> here?
> b) Device Ids:
> With industrial control, network manager would look up "tag name" device
> in pre-configured database. Details on tag name syntax, how assigned, and
> how bound to, e.g., EUI-64 are missing. Note RS: Perhaps, Tom Phinney could
> point at tag name syntax and lifecycle aspects here?
>
> On 10/31/2014 11:48 AM, Jonathan Simon wrote:
>
> Pascal -
>
>  Yes - I don’t know where the effort belongs though.  I think we need a
> standard way of compressing an X.509 cert with the goal of fitting it in
> under 200 bytes. Maybe this compressed cert is only used at joining in
> 6TiSCH, or maybe border routers can compress/decompress along with the
> 6LoWPAN header so we can use it end-to-end.
>
>  —
>
>   Jonathan
>
>  On Oct 31, 2014, at 3:17 AM, Pascal Thubert (pthubert) <
> pthubert@cisco.com> wrote:
>
>   Hello Jonathan:
>
> Are you suggesting that we define a “6LoWPAN compression” for a
> certificate?
>
>  Cheers,
>
> Pascal
>
>   *From:* 6tisch-security [mailto:6tisch-security-bounces@ietf.org
> <6tisch-security-bounces@ietf.org>] *On Behalf Of *Jonathan Simon
> *Sent:* vendredi 31 octobre 2014 00:31
> *To:* 6tisch-security@ietf.org
> *Subject:* [6tisch-security] X.509 Cert sizes and joining flows
>
>  I voiced my concern a while back about certificate exchanges making
> joining really slow:
>
>
> http://www.ietf.org/mail-archive/web/6tisch-security/current/msg00023.html
> <http://cp.mcafee.com/d/k-Kr3x8pdEI8I3DXKce6XCQn1PapJ5MsO-rhs76zB5dAQsCT7DDD6bTdyd9aRw2zVg_oYKrfB3ZzOVJYwyUO-M_R-juoKODRXBQSnzhPP0VNZ5zBHFShjlhhpVkffGhBrwqrhdECXYyMCY-ehojd79KVI05bVKY01MjbX6NehDY05zAVkIjbQ-PspjbppKcvxf5q4rTKCPMedHj9JAfzc5mBiRundEIILK6Mmd96y0QJKjBiNcLjXdNBcIqnjh00TfTd79Ew4LzcQgkAavgQgr10Qg2dpgB0yq87jWCa6TT3u8qvt4qz>
>
>  There I assumed a 300-byte compressed cert. Obviously, a 1500-byte cert
> is going to be 5x worse.
>
>   One reason the certs are big is that there is a lot of stuff we don't
> need, or may not need, or could compress a la 6lo.
>
>  Version: could be elided?
>  Serial number: Maybe this is the EUI of the device (elidable).
>  Signature:  ~80 bytes for secp256r1 (128-bits protection).  Needs to
> cover the full expanded X.509 fields.
>  Issuer: may be compressible?
>  Validity: 26 bytes - do we need to be able to revoke certs, or could
> this be handled on an app level.
>  Subject: can be empty
>  SubjectPublicKeyInfo: contains an algorithm definition (which can be
> elided if we only use one) or compressed (if we support a few), and the
> public key (32 bytes)
>  IssuerUniqueIdentifier: optional
>  SubjectUniqueIdentifier: optional
>  Extensions: optional, but if we don't include a subject we might want to
> support subjectAltName, again probably in compressed form.
>  SignatureAlgorithm: can be elided if we only use one or compressed if we
> support a few
>  Other fields?
>
>  Point is, I think we can get this to fit into 2 packets and I think that
> should be our target unless there’s a really a compelling reason to include
> fields.
>
>  --
> Jonathan Simon
>
>
>
>
> This body part will be downloaded on demand.
>
>
>
> --
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>
>
>
> --
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>
>


-- 
Jonathan Simon, Ph. D
Director of Systems Engineering
Linear Technology, Dust Networks product group
32990 Alvarado-Niles Road, Suite 910
Union City, CA 94587
(510) 400-2936
(510) 489-3799 FAX
jsimon@linear.com

**LINEAR TECHNOLOGY CORPORATION**
*****Internet Email Confidentiality Notice*****
 This e-mail transmission, and any documents, files or previous
e-mail messages attached to it may contain confidential information that
is legally privileged. If you are not the intended recipient, or a
person responsible for delivering it to the intended recipient, you are
hereby notified that any disclosure, copying, distribution or use of any of
the information contained in or attached to this transmission is
STRICTLY PROHIBITED. If you have received this transmission in error,
please immediately notify me by reply e-mail, or by telephone at (510)
400-2936, and destroy the original transmission and its attachments without
reading or saving in any manner. Thank you.