IETF Logo Mail Archive

Re: [Ace] Message overhead of the OSCORE profile and ACE specs

Jim Schaad <ietf@augustcellars.com> Mon, 16 July 2018 16:31 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 510F9131122 for <ace@ietfa.amsl.com>; Mon, 16 Jul 2018 09:31:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.593
X-Spam-Level:
X-Spam-Status: No, score=-0.593 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, TRACKER_ID=1.306, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TCuV7VFTUQen for <ace@ietfa.amsl.com>; Mon, 16 Jul 2018 09:31:08 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D1D213111B for <ace@ietf.org>; Mon, 16 Jul 2018 09:31:05 -0700 (PDT)
Received: from Jude (31.133.140.188) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 16 Jul 2018 09:27:10 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mališa Vučinić' <malisa.vucinic@inria.fr>, ace@ietf.org
References: <CANDGjycfuiPkMjxn9f1kKS=CMVB+FxvnKd51dLrWofAnRkGzMA@mail.gmail.com>
In-Reply-To: <CANDGjycfuiPkMjxn9f1kKS=CMVB+FxvnKd51dLrWofAnRkGzMA@mail.gmail.com>
Date: Mon, 16 Jul 2018 12:30:36 -0400
Message-ID: <013d01d41d22$54fc2010$fef46030$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_013E_01D41D00.CDECF110"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQJtBBENPdVz06UI0n7KTJGDaKse2aNgO0rg
X-Originating-IP: [31.133.140.188]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/B6Q7dxDDUv9o3Nf__QgYf1bZ3Ds>
Subject: Re: [Ace] Message overhead of the OSCORE profile and ACE specs
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jul 2018 16:31:10 -0000

 

 

From: Ace <ace-bounces@ietf.org> On Behalf Of Mališa Vucinic
Sent: Sunday, July 15, 2018 5:44 PM
To: ace@ietf.org
Subject: [Ace] Message overhead of the OSCORE profile and ACE specs

 

Hi Ludwig, all,

 

I am in the process of implementing draft-ietf-ace-oscore-profile-02 for openwsn.org <http://openwsn.org/> . For now, I have a first implementation of AS available, and will be going to the firmware part in the next weeks.. 

 

I have to say that I was quite frustrated with the number of drafts that I had to go through in order to understand what should be implemented. Maybe this is implied knowledge for people actively working on ACE, but I believe a guide somewhere pointing to different specs one needs to follow in order to instantiate a profile would be quite beneficial.

 

Here, I'd like to share my comments about the message overhead found when implementing the OSCORE profile and give some optimization proposals. I am mostly concerned with the response from AS to C, where C is in a constrained network.

 

Please bear with me that my understanding of the specs is correct and that my implementation generated correct outputs.

 

Assumptions used in the implementation: 

- OSCORE channel between AS and C, AS and RS.

- AS and RS share an additional key, derived from the OSCORE Master Secret using HKDF label 'ACE' and RS's unique identifier. Explicit monotonically increasing counter kept to generate nonce, incremented for each Encrypt0 object generated towards a given RS.

- Profile is implicitly known by all the parties

- Scope is implicitly known by all the parties

- Audience is implicitly known by all the parties

- Default values of OSCORE KDF, salt, id_context

 

To save bytes, I use the following optimizations:

- Sending single byte for PIV in COSE Encrypt0 of CWT, the actual AEAD nonce is PIV prepended with zeros

- Using single byte for OSCORE IDs in the security context generated by AS

 

[JLS] Both of these optimizations are ones that I would expect to be used.

 

With this, I got the CoAP payload from AC to C down to 82 bytes. This overflows 802.15.4 + 6LoWPAN + UDP packet by 29 bytes, assuming the latest OpenWSN implementation implementing most of the cross layer optimizations available and not supporting fragmentation.

[JLS] From the computations that I thought existed, I was under the impression that 82 bytes of COAP payload should fit.  This is slightly disappointing.

 

I copy here output of the payload that I generated:

 

A2                                      # map(2)

   18 19                                # unsigned(25) # cnf label

   A1                                   # map(1)          # cnf   

      01                                # unsigned(1)    # COSE_Key label

      A4                                # map(4)           # COSE_Key

         01                             # unsigned(1)    # type label

         04                             # unsigned(4)   # symmetric

         20                             # negative(0)    # key value label

         50                             # bytes(16)       # key value

            6F92418A5CAA7C639255A1AF0C7B832C # "o\x92A\x8A\\\xAA|c\x92U\xA1\xAF\f{\x83,"

         06                             # unsigned(6)   # OSCORE sender id label

         41                             # bytes(1)         # OSCORE sender id value

            00                          # "\x00"            

         07                             # unsigned(7)  # OSCORE recipient id label

         41                             # bytes(1)        # OSCORE recipient id value

            01                          # "\x01"

   13                                   # unsigned(19) # access_token

   58 2F                              # bytes(47)     

      8340A106015828E72233134093261AB93634B3413BB46D1273AB98DBE95C4E7E332C754B348FBC70EC9C921133E8AE 

 

where the access token decodes to:

 

83                                      # array(3) # COSE_Encrypt0

   40                                   # bytes(0) # protected bucket

                                        # ""

   A1                                   # map(1) # unprotected bucket

      06                                # unsigned(6) # PIV label

      01                                # unsigned(1) # PIV value

   58 28                                # bytes(40)  # ciphertext

   E72233134093261AB93634B3413BB46D1273AB98DBE95C4E7E332C754B348FBC70EC9C921133E8AE

 

where the corresponding plaintext is:

 

A1                                      # map(1)

   18 19                                # unsigned(25) # cnf label

   A1                                   # map(1)  # cnf

      01                                # unsigned(1) # COSE_Key label

      A4                                # map(4) # COSE_Key

         01                             # unsigned(1) # type label

         04                             # unsigned(4) # symmetric

         20                             # negative(0) # key value label

         50                             # bytes(16)   # key value

            6F92418A5CAA7C639255A1AF0C7B832C # "o\x92A\x8A\\\xAA|c\x92U\xA1\xAF\f{\x83,"

         06                             # unsigned(6) # OSCORE sender id label

         41                             # bytes(1)     # OSCORE sender id value

            00                          # "\x00"        

         07                             # unsigned(7) # OSCORE recipient id label

         41                             # bytes(1)       # OSCORE recipient id value

            01                          # "\x01"

 

To this, there is an additional tag of 8 bytes for AES-CCM-16-64-128 that was used.

 

Some points where we could save bytes:

- Does cnf label really need to fall into the 2-byte integers space? having the label encoded as a single integer would result in 2 bytes savings, since cnf is present twice

[JLS] That seems to me to be a reasonable request – this is going to be a high frequency field.

 

-  To save bytes, could we not define a specific structure to carry OSCORE context params instead of COSE_Key?  For example:

[JLS] I was thinking that this would be a reasonable thing to do in terms of defining a new Confirmation method to carry this.  It is not really a COSE_Key so putting it there seems to be an odd choice.  Defining a new confirmation structure for this sounds like a good idea.

 

Jim

 

[

sender_id : bstr

recipient_id : bstr

master_secret : bstr

? ( master_salt : bstr / nil,

     id_context : bstr / nil),

? ( hkdf : uint,

     alg : uint )

]

 

In the use case from above with sender_id : h'00', recipient_id : h'01' and master_secret  a random 16-byte string, this encodes to 22 bytes. COSE_Key carrying the same thing encodes to 27 bytes, resulting in 5 bytes savings per COSE_Key object, or total of 10 bytes saved in the payload from AS to C.

 

- Can we not define some sort of a compressed structure using arrays in the OSCORE profile for the cnf claim? Or something like OSCORE's compression flag byte omitting some of these labels?

 

With the current numbers, having a constrained client in OpenWSN simply does not work...

 

Mališa

v2.23.0 | Report a Bug | By Email