Re: [Ace] [Secdispatch] FW: [secdir] EDHOC and Transports

Richard Barnes <> Thu, 14 February 2019 15:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6C6C013105F for <>; Thu, 14 Feb 2019 07:42:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nY4-HJVjddpO for <>; Thu, 14 Feb 2019 07:42:27 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A803F131069 for <>; Thu, 14 Feb 2019 07:42:26 -0800 (PST)
Received: by with SMTP id z19so11239033otm.2 for <>; Thu, 14 Feb 2019 07:42:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=17kuvZihby0MrPSt/338EJr7gD/hQzoDiDA3w0peo2w=; b=Z5NLHFA//iKzafYPRBXPb/7PFbtm1fTI+UIEHpc8SNydqZBSFdThVZ9JPNbtu4Cusn Ohi9icK4MoKPqV79rZ7/ixmUjhiANGzeNk2dxyNrWN4FV264iDNvkLKVgk58WNTNqbzH BnColBCva9UmxwND/xFiSBmkLVlJp36I/IEn/0P0vKYf+SL3gPBDVV8RFGv7PlWHhbo6 efqTKQIMQb9fzH26erIWtRA8rqNoJEGzsRgOlQe9coa72K5ggiSuBt7jOwxWEx1UNC8a flFQl3djmbWamAAhbYRUiVQlM0dIraiNLnI1D2QsWvicr9uGe7WTNA4MmrAUt8rXEItK 5iAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=17kuvZihby0MrPSt/338EJr7gD/hQzoDiDA3w0peo2w=; b=pyB33R6NyJY/E1MzQqrVYrlzgjz/rn8nHSU+pYWzchaKTrnu15pXNf9Q1nzzENpjo/ QoV94H+w/b7Yp+q5CfA3wDHV9pPd9jr5oDsszutsYh6SfXaJQfQaPg3R6Lwdjk+wyr3M WoR2eV8REu3yHxRzLqc1duRBPVMYcHqHNzRbNoAmtwG+5iXovEou2xSYgr3MMekwlEiB F8QTvaZJgTluCb+RtWcZUPT4TJuZTKEF9mTTb6olJ0eK/Ta1xxQEBhrtOfZpLcYcR9kZ 6DxQymJdsKqn6UmbQcsRjm5g6JdV806es25+bzJTNnzMFzt3p+QD+pBkQOgZuCo7XBCy wMSg==
X-Gm-Message-State: AHQUAubBfu0NXmlzdTMcTSST43CQprUnA/MnJs8yjLJuCS98+0G9zG7L BpJoylLA8Eep2Q5kv6LOEifoYu75qUvl1QQ8J7v5EQ==
X-Google-Smtp-Source: AHgI3IYt8X8Jcb6VTl2Q2TvVhFOmCILGsZKqZ4kiz2n6fyC3zh75pVGUnlPNaTzakxyt0nL8xBi0HirjznBpZ1A5eQM=
X-Received: by 2002:aca:4911:: with SMTP id w17mr2739121oia.36.1550158945352; Thu, 14 Feb 2019 07:42:25 -0800 (PST)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Richard Barnes <>
Date: Thu, 14 Feb 2019 07:42:09 -0800
Message-ID: <>
To: =?UTF-8?Q?G=C3=B6ran_Selander?= <>
Cc: Hannes Tschofenig <>, "" <>, "" <>
Content-Type: multipart/alternative; boundary="00000000000048948f0581dc81f7"
Archived-At: <>
Subject: Re: [Ace] [Secdispatch] FW: [secdir] EDHOC and Transports
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 Feb 2019 15:42:31 -0000

Göran: When these metrics talk about DTLS 1.3, do they mean that protocol
directly, unmodified?

One alternative approach people have had in mind is the idea of re-encoding
/ profiling down DTLS so that although it is syntactically different and
maybe has fewer options, it encodes the same underlying AKE.  Has that path
has been explored?

On the one hand, if it succeeds in slimming down DTLS to an acceptable
point, it would obviate the need for a whole bunch of new analysis.  On the
other hand, if it fails, then it should highlight the specific things EDHOC
has done differently, so that analysis can be focused on those things.


On Mon, Feb 4, 2019 at 10:41 AM Göran Selander <>

> Hi Hannes, secdispatch, and ace,
> (It seems Hannes original mail only went to secdispatch.)
> Apologies for a long mail, and late response. I had to ask some people for
> help with calculations, see end of this mail.
> On 2019-01-25, 15:15, "Secdispatch on behalf of Hannes Tschofenig" <
> on behalf of>
> wrote:
>     Fwd to SecDispatch since it was only posted on the SecDir list
>     -----Original Message-----
>     From: Hannes Tschofenig <>
>     Sent: Freitag, 25. Januar 2019 14:07
>     To: Hannes Tschofenig <>om>; Jim Schaad <
>     Subject: RE: [secdir] EDHOC and Transports
>     A minor follow-up: I mentioned that I am aware of a company using the
> energy scavenging devices and it turns out that this information is
> actually public and there is even a short video on YouTube. The company we
> worked with is called Alphatronics and here is the video:
>     As you can hear in the video we have been using our Mbed OS together
> with our device management solution (LwM2M with DTLS and CoAP) for these
> types of devices.
> [GS] Nice application of LwM2M. The showcased device didn't seem very
> constrained though, ARM Cortex M4?
>     -----Original Message-----
>     From: secdir <> On Behalf Of Hannes Tschofenig
>     Sent: Freitag, 25. Januar 2019 13:52
>     To: Jim Schaad <>om>;
>     Subject: Re: [secdir] EDHOC and Transports
>    [Hannes]  what we are doing here is making an optimization. For some
> (unknown reason) we have focused our attention to the over-the-wire
> transmission overhead (not code size, RAM utilization, or developer
> usability*).
> [GS] Exactly my point, it is not enough with reducing transmission
> overhead. We should also look at additional memory, flash, and
> configuration effort. These parameters are of course implementation
> dependent but can to some extent be inferred by bulk of specification and
> what pre-existing code can be reused.
>    [Hannes]  We are doing this optimization mostly based on information
> about what other people tell us rather than based on our experience. The
> problem is that we have too few people with hands-on knowledge and/or
> deployment experience and if they have that experience they may not like to
> talk about it. So, we are stepping around in the dark and mostly perceived
> problems.
> [GS] I don't think this rhetoric is very helpful. Who are "us"? The
> co-workers you quote below, are they "us" or the "other people"? The people
> active in 6tisch, lpwan or 6lo who are supporting the work on an optimized
> key exchange, are they "us" or the "other people"?
>    [Hannes]  Having said that I would like to provide a few remarks to
> your list below:
>   [Jim]   1.  Low-power devices that either are battery based or scavenge
> power, these devices pay a power penalty for every byte of data sent and
> thus have a desire for the smallest messages possible.
>     [Hannes] Low power is a very complex topic since it is a system issue
> and boiling it down to the transmission overhead of every byte is an
> oversimplification. You are making certain assumptions of how power
> consumption of radio technologies work, which will be hard to verify. I
> have been working on power measurements recently (but only focused on power
> measurements of crypto, see
> [GS] These kind of power measurements of crypto are part of the
> explanation for why transmission overhead is important to reduce.
> Optimizations and hardware support make the crypto contribution to power
> consumption possible to handle, so that there is no reason to deviate from
> the use of current best practice crypto in security protocols even for
> constrained devices. The energy cost for transmission, however, is a
> strongly coupled to the laws of physics which sets a limit for how much
> they can be optimized.
> [Hannes] I doubt that many people on this list nor in the IETF have a lot
> of experience in this field to use this as a basic for an optimization.
> [GS] There are people in 6tisch, lpwan and 6lo who knows about power
> consumption and constrained characteristics. Some of them were supporting
> EDHOC in ACE when you were chair.
> [Hannes]   My co-workers, who are active in this space, tell me that there
> is nothing like a "per byte" linear relationship (for small quantities of
> data) in terms of energy cost. Obviously if you trigger "an additional
> transmission", which requires you to ramp up a PLL, turn on radio
> amplifiers, send lengthy preambles etc then the incremental cost of sending
> 64 bytes in that packet vs 16 bytes might be immeasurable small. The
> critical thing appears to be how long the RF amplifiers are powered on.
> Hence, you will often see publications that tell you that waiting for
> incoming packets is actually the most expensive task (in terms of power
> consumption).
> [GS] Energy consumption generally increases with message overhead in
> wireless systems. This function is different for different radio
> technologies, data rates, etc. Even if we pick a certain technology like
> 6tisch, LoRaWAN or NB-IoT, events like packet loss and retransmission
> impacts the result. So indeed, this is complicated, but we can still make
> general claims as well as estimates of particular technologies. I asked a
> colleague to make some power consumption estimates for NB-IoT devices.
> NB-IoT is licensed spectrum, which implies that the devices are allowed to
> transmit at a higher power compared to unlicensed spectrum. It also means
> that the application provider in general does not control how good the
> coverage is, since that depends on location of base station and
> environment. A comparison [3] between DTLS 1.3 and EDHOC is given at the
> end of this mail, but just because you mentioned the incremental cost of a
> device sending 64 vs 16 bytes, the difference is indeed measurable: 992 mJ
> vs 479 mJ, i.e. half a Joule of difference in a case of low coverage (see
> [3]).
> [GS]: About cost for listening: there are different techniques for
> decreasing time to listen, like time slots, DRX etc. These are examples of
> where the radio guys can be innovative and make optimizations, in contrast
> to transmission overhead for security where they just have to accept what
> the security people decided.
>   [Jim]  2. CoAP over SMS:  SMS has a 140 byte packet size.  There are two
> approaches for dealing with packets of larger than 140 bytes:  1) There is
> a method of appending multiple packets together to form a single larger
> packet.  2) You can use CoAP blockwise transfer.  Using CoAP blockwise
> would result in 128 byte packets for the underlying transfer assuming that
> only 12 bytes are needed for the CoAP header itself.
>     [Hannes] It turns out that CoAP over SMS is rarely used for delivering
> data of IP-based devices since SMS is a pretty expensive transport. From my
> work in the OMA I know that people use SMS to trigger the wake-up of
> devices and then switch to regular data transmission over IP. IMHO
> optimizing for use cases that barely anyone  uses appears to be a waste of
> time.
> [GS]  I strongly disagree with the general argument that what is currently
> applied is the only thing that is worth working on. One problem with this
> type of argument is that it reinforces the existing limitations and becomes
> a self-fulfilling prophecy. The fact that key exchange protocol messages
> currently does not fit into an SMS contributes to the reason why it is not
> so much used. More SMSs also adds to cost, but the cost depends on the
> agreement with the operator so is not necessarily a hard limitation. Who
> are we to predict what technology will used given a more efficient key
> exchange protocol? For EDHOC with PSK or RPK, each message fits into one
> SMS.
>  [Jim]   3. 6LoPan over IEEE 802.15.4:  This has a packet size of 127
> bytes.  The maximum frame overhead size is 25 bytes allowing for 102 bytes
> of message
>     space.   If one assumes 20 bytes of overhead for CoAP then this means a
>     protocol packet size of 82 bytes.  If one needs to break the message
> across multiple packets then the maximum data size is going to be 64 bytes
> using CoAP blockwise options.
>     [Hannes] For some reason there seems to be the worry that a small MTU
> size at the link layer will cause a lot of problems. There are some radios
> that have this small MTU size, IEEE 802.15.4 and Bluetooth Low Energy
> belong to them. It turns out, however, that higher layers then offer
> fragmentation and reassembly support so that higher layers just don't get
> to see any of this. In IEEE 802.15.4 this fragmentation & reassembly
> support is offered by 6lowpan and in case of Bluetooth Low Energy the link
> layer actually consists of various sub-protocols. One of them offers
> fragmentation & reassembly. As such, the problem you describe is actually
> not a problem. There is no reason why you always have to put a single
> application layer payload into a single link layer frame.  We have been
> using LwM2M (which uses DTLS and CoAP) over IEEE 802.15.4 networks
> successfully for big commercial deployments. We have not run into problems
> with the smaller MTU size at the lower layers.
> [GS] I'm happy to hear you don’t experience any problems, but MTU sizes
> does matter. If message overhead at a higher layer causes fragmentation at
> a lower layer, instead of only powering up the radio and sending the
> physical preamble once, it will be necessary to do that once per each
> fragment in the next transmission opportunity at the MAC layer. On top of
> this wireless links can be quite lossy, particularly with low-power radios
> like what is used e.g. with 6tisch. For example, Packet Delivery Ratio
> (PDR) that you will typically find indoors with 802.15.4 radios is 60-80%
> [1]. Now, when you pass from this single frame to multiple fragments, you
> also exponentially increase the probability that one of those fragments
> will get lost and that it needs to be  retransmitted. It often occurs that
> the endpoint performing the reassembly of the fragments just drops the
> whole thing in case one of the fragments gets lost. This then results in
> retransmissions of all fragments at the sending endpoint, their link-layer
> retransmissions, etc, all employing the costly radio operations that you
> describe. Having this handled by "lower layer" only means that the
> application developer does not have to handle it himself, but the energy
> penalty for the system does not go away!
> [GS] Fragmentation also adds to latency in several ways. E.g. for LoRaWAN
> which operates on unlicensed band, in Europe 868 MHz, there is the concept
> of 1% duty cycle meaning that for each transmission the device must wait
> 100 times as long interval as message sending time before it is allowed to
> transmit again. LoRaWAN is currently PSK based and this is one example
> where a key exchange protocol would improve the overall security both in
> the case of PSK and RPK, see [2] for an analysis using EDHOC with PSK ECDHE.
> [GS] A comparison [4] of time on air between DTLS 1.3 handshake and EDHOC
> are given at the end of the mail. Since for LoRaWAN the maximum MTU is 242
> bytes, DTLS handshake with RPK ECHDE does not even fit and would require
> some fragmentation scheme (+ the 100 times additional delay). Depending on
> radio conditions, the higher data rates associated with 242 bytes may incur
> too much packet loss requiring the use of a lower data rate with associated
> lower frame size and even more severe message overhead restrictions to
> avoid fragmentation.
>   [Hannes]  When it comes to energy scavenging devices then it becomes
> even more challenging since this is a more rarely used case. I know about
> one company doing this and I have spoken with a researchers at last year's
> Arm research summit who show-cased one device. The device shown by the
> researcher was a prototype and didn't use any Internet protocol nor a
> security mechanism. I wouldn't call myself knowledgeable enough to optimize
> a system based on this experience but maybe you have more expertise in this
> field. I am happy to learn more.
> [GS] As mentioned in my previous mail, the scope of this work is about
> optimizing security for deployments that can support some kind of CoAP
> stack, e.g. CoAP/UDP/IP or CoAP over some link technology.
> [Hannes] The handshake itself is just a very small part of the overall
> size of data that gets transmitted during the lifetime of the device since
> the handshake obviously happens extremely rarely.
> [GS] How often a handshake is invoked is application dependent, it could
> for example be the result of the device needs to power off, or because the
> device reboots. If one handshake consumes as much energy as months of
> normal operations, then this contribution may well be noticeable in the
> lifetime of the battery.
> [Hannes] There are much better ways to optimize traffic and you obviously
> have to look at all the data you are transmitting for the device.
> [GS] How much further optimization you can do is application dependent,
> and for some applications security overhead matters.
>     Ciao
>     Hannes
>     *: In my experience the ability for developers to easily use any of
> the performance optimization techniques is the biggest barrier for gaining
> performance. Of course, this does not fit nicely in any of the
> standardization efforts in the IETF so the focus has to be somewhere else.
> [GS] The need for performance optimizations depends on the design of the
> protocol, so there are definitely efforts in the IETF which can make the
> life easier for developers.
> [GS] Now for the comparisons:
> NB-IoT
> ======
> Calculations of energy consumption for NB-IoT comparing EDHOC and DTLS 1.3
> handshake is given in [3]
> PSK + ECDHE (normal coverage)
> ----------------
> DTLS 1.3 handshake: 47 mJ
> EDHOC: 19 mJ
> PSK + ECDHE (low coverage)
> ----------------
> DTLS 1.3 handshake: 2992 mJ
> EDHOC: 912 mJ
> RPK + ECDHE (normal coverage)
> ----------------
> DTLS 1.3 handshake: 64 mJ
> EDHOC: 29 mJ
> RPK + ECDHE (low coverage)
> ----------------
> DTLS 1.3 handshake: 4326 mJ
> EDHOC: 1677 mJ
> We see that the factor 4 in message overhead with PSK ECDHE between DTLS
> 1.3 handshake and EDHOC (appendix E of EDHOC) is translated to a factor
> 2.5-3.3 in energy consumption for a NB-IoT device depending on coverage.
> Analogously the factor 3 in message overhead with RPK ECDHE is translated
> into a factor 2.2 - 2.6 in energy consumption.
> ======
> Calculations of time-of-air of handshake of EDHOC and DTLS 1.3 for LoRaWAN
> is given in [4]
> ----------------
> DTLS 1.3
> Message #1: 564 ms
> Message #2: 574 ms
> Message #3: 226 ms
> Message #1: 195 ms
> Message #2: 205 ms
> Message #3: 113 ms
> -----------------
> DTLS 1.3: N/A without fragmentation scheme
> Message #1: 184 ms
> Message #2: 389 ms
> Message #3: 297 ms
> As mentioned above, the time-on-air is an important property for LoRaWAN
> deployments since it both relates to power consumption and latency, in
> particular due to duty cycles.
> Summary
> =======
> There is a lot that speaks in favor of low message overhead, for example
> * Smaller per-byte contribution to power consumption, which has
> significant impact in e.g. licensed spectrum
> * Less latency, in particular due to duty cycles in LoRaWAN
> * Better fit into MTUs with less fragmentation and associated overhead
> * Smaller probability of packet loss
> The comparisons presented here show that DTLS 1.3 is far from optimal. Let
> me reiterate that this should not be interpreted as a criticism against
> TLS/DTLS. We are targeting applications in constrained environments which
> the TLS handshake was explicitly not designed to optimize for. We agree
> that for many IoT applications the performance of the handshake is
> adequate, so there is no need to change DTLS. We also agree that message
> overhead is only one aspect, and it is really important to look at other
> aspects such as memory, code footprint and usability, which all speak in
> favor of a protocol with limited functionality and which reuses existing
> code in the devices such as CBOR and COSE. For certain application
> providers current IETF protocols are prohibitive in one or more of these
> aspects, and unless the performance is drastically improved some consider
> (still, 2019) to skip end-to-end security (e.g. terminate security in a
> gateway), make their own security protocol, or use more pragmatic key
> exchange constructions like Noise [5].
> I would like to leave the comparison exercise soon and focus on the
> security properties. I hope we have made a point that constrained
> characteristics matter. Can the IETF support work on a key exchange
> protocol that is designed for the constrained IoT, or are we restricted to
> retrofit some other protocol with other design goals?
> Göran
> [1] Muñoz, Jonathan, et al. "Why Channel Hopping Makes Sense, even with
> IEEE802. 15.4 OFDM at 2.4 GHz." 2018 Global Internet of Things Summit
> (GIoTS). IEEE, 2018.
> [2] Sanchez-Iborra, Ramon, et al., "Enhancing LoRaWAN Security through a
> Lightweight and Authenticated Key Management Approach", Sensors, 2018
> [3] NB-IoT power consumption comparison EDHOC-DTLS 1.3
> [4] LoRaWAN Time-of-Air comparison EDHOC-DTLS 1.3
> [5] The Noise Protocol Framework
> _______________________________________________
> Secdispatch mailing list