Re: [Ace] EDHOC standardization

John Mattsson <john.mattsson@ericsson.com> Fri, 22 February 2019 09:08 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A251124D68 for <ace@ietfa.amsl.com>; Fri, 22 Feb 2019 01:08:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=XgLsPCLn; dkim=pass (1024-bit key) header.d=ericsson.com header.b=OSPbstcL
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dAKkR15tKhtO for <ace@ietfa.amsl.com>; Fri, 22 Feb 2019 01:08:35 -0800 (PST)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D9D3126D00 for <ace@ietf.org>; Fri, 22 Feb 2019 01:08:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1550826511; x=1553418511; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=yKZy53aNxrjCrWiezgdCBdudQRNOzvaKh/+D/LhT/9c=; b=XgLsPCLnpA1JtTGvOc09lppZGYAjU6YaaLrIxT0djCs1fn3M+Kgd+dhUZiX3nMub eeAwWI70hgm5B4Kp4tFEfkr8VYl8ijusrOrFL61wLebQXHvyd/l5z2l3NA5bJpGS q8H2qyl0B56qM/KTjx01690In4hBI8BTNsU+xi9qbo8=;
X-AuditID: c1b4fb30-41b3a9e00000355c-c7-5c6fbc0fc4fe
Received: from ESESSMB503.ericsson.se (Unknown_Domain [153.88.183.121]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 81.08.13660.F0CBF6C5; Fri, 22 Feb 2019 10:08:31 +0100 (CET)
Received: from ESESSMR506.ericsson.se (153.88.183.128) by ESESSMB503.ericsson.se (153.88.183.164) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Fri, 22 Feb 2019 10:08:23 +0100
Received: from ESESBMB505.ericsson.se (153.88.183.172) by ESESSMR506.ericsson.se (153.88.183.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Fri, 22 Feb 2019 10:08:22 +0100
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB505.ericsson.se (153.88.183.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Fri, 22 Feb 2019 10:08:22 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yKZy53aNxrjCrWiezgdCBdudQRNOzvaKh/+D/LhT/9c=; b=OSPbstcL8/1XoK083Rb2r5M3yxdLuPO4dwm4MvClYL7Kk6pNauqVbUuBQfd4zK/vMrsWAqaQ95eHmdJE8PGP63pUP2QmdblwEohfL/Jz1/90iZ9MP40wbSvV5By7fmfC1PBJ2prT7mcPoR2w6L4ZtZdu/shui30sLjcMybQFpQY=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.166.22) by HE1PR07MB3497.eurprd07.prod.outlook.com (10.170.247.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.11; Fri, 22 Feb 2019 09:07:51 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::49f9:ba7d:bd7d:2ffc]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::49f9:ba7d:bd7d:2ffc%5]) with mapi id 15.20.1665.008; Fri, 22 Feb 2019 09:07:51 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "ace@ietf.org" <ace@ietf.org>, "lwip@ietf.org" <lwip@ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>
CC: Benjamin Kaduk <kaduk@mit.edu>, "salvador.p.f@um.es" <salvador.p.f@um.es>
Thread-Topic: [Ace] EDHOC standardization
Thread-Index: AQHUcrwmx6N1o4AsH0uz6RMW3Bvpj6U+JgWAgBxb0gD///JFkICR01oA
Date: Fri, 22 Feb 2019 09:07:50 +0000
Message-ID: <94433D36-E1D5-4A62-AA45-2B19D72D8BC9@ericsson.com>
References: <C79F1336-A297-4E64-AB32-2F5D474A200E@ericsson.com> <20181103145857.GG54966@kduck.kaduk.org> <7F78CC92-5C48-4BFC-8087-E25D4D95A74F@ericsson.com> <VI1PR0801MB2112FB5DB96C48C36D4D0B98FADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB2112FB5DB96C48C36D4D0B98FADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.16.0.190211
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [192.176.1.92]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cb23c6bc-5174-4960-fcff-08d698a538d6
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:HE1PR07MB3497;
x-ms-traffictypediagnostic: HE1PR07MB3497:
x-ms-exchange-purlcount: 6
x-microsoft-exchange-diagnostics: =?utf-8?B?MTtIRTFQUjA3TUIzNDk3OzIzOngxcDhYdUZOY0Z0YTdTckFveUpxNk9xblI0?= =?utf-8?B?eEppMWsyYTlLWUlqMmdVbnc3MnFRSThiSk8rOTY0S3V6RXAyVjRuS0cwN0tj?= =?utf-8?B?bHZRRnVjeE5wcCtSMHE0c0RHNjJaT05sTUdiZXVPRmZrOUcxZElKYWYwRVJH?= =?utf-8?B?YkFtRFlYaEhFVkttalppRndPaWpWMGtVcFpMQTdHZnlKa29TYmZnM0tna1Z1?= =?utf-8?B?cTl1RlBPSFpkRGNyUDYxUXZDR1I2Q0dCaWxmMW1BSW4vWS9PM1NBRnh0MWRj?= =?utf-8?B?cFg3SXIvUGdwQm0vd1lvRjdtK0ZmUzdmcHBIOGEwQjhhSTVLS0MzYUhTZ1c0?= =?utf-8?B?R3Ywa0lGd3hiTHhJaEtvODNNOU10Zk9PODVGejlNei9LbnNLUjIyd2pRT3p5?= =?utf-8?B?TUV2OG1KaTB2RHNmYjUwNVdMZ25jL1pTZTVDYWxrZ2xETXBkdnYzWmc3WjJj?= =?utf-8?B?KzFLaVg0MkZ5SVhEOCtBY000Q2ExbnpVN3RIWms3UjFSM3VNREJXcXQvbEw1?= =?utf-8?B?bXV6Sk9ncGVJS1ZaNXB1K2tPY1h4VlV2djkvNHZGVURNbzArdlE1TDR0bWxl?= =?utf-8?B?OE0yODlOQW1PcnhyVDRxYUdzMWpOdVVpb2NVcmNIODVPVWw2N0xhWVlUYW8y?= =?utf-8?B?amZjQXRzbm4yZFpyZ1Q0UFZrYU9EbHVHNFlDUVpTNmdlMmc0dDVFSnp1Tk5F?= =?utf-8?B?WUlWcW1UWmJJbUFNc1Zvd29Jb1A2RjhBa0FlUmxXUE1LQTZLRTZ5VUhOMzRL?= =?utf-8?B?MVRkSUhUbkN3dHVpcURveUNOQ083S0Vzb1cwOHZpS0hFRmd0MjNSdUwyTzND?= =?utf-8?B?UnNzUzZIc2U4bTJSL2c3a2UzV2dKK3BweHNuelN0c2h1SzdOWEdyV09LaHhU?= =?utf-8?B?aTRoUEpPRlR0Y0k3dmpVUzA5bFhpNkp6M0lhV2llYW43K1N5czRlSTMxSXhy?= =?utf-8?B?cjZIWnllN21yUHBpZEh3VHBGbmFwQTMwdmlLSmNwdUwvWjVDYVdqNWlMY2NV?= =?utf-8?B?bWc4WXA0dXJWZmFzWHZKdHNzNFU2MGdYbmhFakhIZm5tNUNQR2ZSRTYybC9y?= =?utf-8?B?a3daY3hrWWpSeEd4RXNtd29OVmNIV2ZCUXVTajk5T2haR3U3bTczN1ZBc0E1?= =?utf-8?B?UmM2RnZzWU8wa1MyZ0pmNkVvbHpjSk45WnZKZlc0ak1SQUgzL2tvOFZ0NElG?= =?utf-8?B?UVpNRVpOdW50UWYrM2REaDVCb3NiMWVWRDBLdFMrQnhjallrcDZaVjh0QWkr?= =?utf-8?B?SW1mLzZjcGZ2MVpVYmlPWnZ0OWJYZVUvbDhVdHpZcGtPb0ZMTkNOaVJwd2tS?= =?utf-8?B?YXhQWjJlNWxEK25YTGRZT2hCYWxWYjdUbVFBM1lkTGJFc1g5M0UxYk02eEtN?= =?utf-8?B?TmJQcGxDZzFTWExmZ0E5dUdIZ1NqcG1LTkdCMG5jR28vV3B2c1JvcFQ2cnB0?= =?utf-8?B?aUhmOXJJVDN5K1VTWlNMUEFFd1BTRVdqQjY2c21XdnhKYTFCeWFkZlh2NnJB?= =?utf-8?B?Nzg3clNFeVpGajR6LzEyaDhidzBLK2tCTEJBNkNTRG5BTVJaMWVLcTU3WUF1?= =?utf-8?B?anVGVUpRdjBZRVpReXRuVzYvbWNPQWt0RkhVRXMxR0tLYngrZWkzWHk3YXV3?= =?utf-8?B?TTJIeXByZEZITWh0ZmFBaDkxekxsWVJBSWlwMElzRW9TWi9RdE55TExSdzRL?= =?utf-8?B?Q0tsOW14RzVJZ0dIa3dvUjUrOFBkMU11SjZRUVpCeVNTS3ZzOTFXTHc3eGNr?= =?utf-8?B?Ukp3RXU0ZmlEZlZnbVdSU0pDSkRLNTZFK1ZqV1EzUTJOWlpTakRzbmZFZkdY?= =?utf-8?B?enNHMStKbVU2ZmE5MkdXalVXTDUwMlNnOThzdkdCeVFzdUYxWEp5cUt0WTZu?= =?utf-8?B?ekEydnlXdHBmWG9mV1FtYUhYMmFleWkvSmRhMkV1SEpBaFFTZkR1ak9lTDl2?= =?utf-8?B?UDlhc0tiWUd4NE5KaUgrWjJGZzJxaHAzdk1JanAxWUJ1MEtqVDBaeXN2QlF3?= =?utf-8?B?MVZDNFpSQWgrSzU3Ulg5QlZBU2p5amJxWW1UOFJvT0NaRnRvN2luYm9JaEdt?= =?utf-8?B?OERsYnpjVmlQNEVDQ2hqb2FpSkhEbTh3bGdUbXNLT3doblRmS1FyN2FhYTZo?= =?utf-8?B?V2tKcVRyODcxMmZxMG85dFNXdGNsczgvSEIvcmtPWUxxMFFMSFd0MGFOQ1cx?= =?utf-8?B?K0ZCUGJwMjNIdUpRNVJjK3JBMW9BPT0=?=
x-microsoft-antispam-prvs: <HE1PR07MB34979966A341199D6078944F897F0@HE1PR07MB3497.eurprd07.prod.outlook.com>
x-forefront-prvs: 09565527D6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(136003)(39860400002)(366004)(396003)(53754006)(189003)(51444003)(13464003)(40434004)(199004)(51914003)(6246003)(6116002)(7736002)(2501003)(25786009)(97736004)(66066001)(33656002)(4326008)(26005)(8676002)(81166006)(305945005)(105586002)(3846002)(186003)(106356001)(36756003)(14454004)(81156014)(54906003)(476003)(93886005)(58126008)(110136005)(82746002)(316002)(229853002)(486006)(11346002)(8936002)(53546011)(99286004)(6306002)(44832011)(6512007)(102836004)(68736007)(66574012)(53946003)(446003)(2616005)(478600001)(966005)(2906002)(53936002)(6436002)(71190400001)(5660300002)(256004)(14444005)(5024004)(86362001)(71200400001)(30864003)(83716004)(2201001)(76176011)(6486002)(6506007)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3497; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: qFqMV5ldOvHWiqKA3+1nW6c4I5oU6bR0fA2wlrYPI2WBAKJckl/OIvuUviw1hMN/2W7eJKcERkZXqeK4dkJU7GwPFFR6tULdIpwf+DYY0+P1ED9M7mZ/7ESGzyVA6/IrrYkY1afX3SIjK4blJSMmVGhoM4Yxvk0d2FF/s3XmpeWbU+qRpZJvCNxAyU7DrPK/X5OL2o2rgWojnvac84cGbX2zZfyqvcCC/Wi3QF651oWN4u191ktAmunsnr1jKTQbOA/LhR8bS5mhz1+zs8+uf/eeB0j6LRMc+a4yWejSe4zMFZLKy/hB8Ut4wG0u2OoAQVD9lv1eNznFZnyTxMd/o5SY2bCSJ8qTcpPVwXMdkvowQL7HbtKceoM+/xr9e9EDMvjK2wRpXM+Q+KGAB6wO2SKSfZz+8tA55+sweRQLjpM=
Content-Type: text/plain; charset="utf-8"
Content-ID: <984587D9AF21E44281C1275B9F384CBD@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: cb23c6bc-5174-4960-fcff-08d698a538d6
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Feb 2019 09:07:50.8832 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3497
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Sa0iTYRTHed7L9jpaPk7Ng6HVIEghL0NrHySVSmYhCEGIaLXyTU3dZK8T F1HroqFGjZo170UzdU3MG1lp4dRSCVNJy0sfvKFGhQlpK5Hc3hV9+//P+Z1znnN4GFLSTPsy 6aocVqNSZkoFIqo04alur3uHOinEVOspX1u9QcrHTQOEvLaplJBXvfSUX7WMCuXWsQ90lEBh rbIihdlsJxRX3vaSisGlAiqeShRFpLCZ6bmsJvjAKVHaxpM2KvvXGMpbtx/Ro/ZhVITcGMBh sFJpJIuQiJHgHgQ/Gz8RvFlFMNLUQv0zXyc3hLwxE9D98AHtMBQ2kPD4UZergZGA+ukqV83M ZoOqedIxRoBDoLJDL3AkvLAZgWn5szNB4jiYasunHNoT74GmojahQ3vhAChZ/E7wOgYsNa+d PIV3Q/dspTMuxpFwu33UNXoNQdPkoMCRcMNKGOqvcxYgvA3WBqwEP8wHJuaqCX5xDOaOdySv vWFpdoN2aG8cDI1zPI9wMuTn36N5Ziesj8wIeO0HI9XFrgPGwUzBiPNmgMcRjPYtuqBAqLFP uyBfGJ+qEfLQhDcs6NtdUAYYWq4RBhRa9t8DyxCzqQOg8XkwLxXQOXaQJ3aBsXhaWObc3wP6 S+eo+4i2IG+O5U5npcpkQawm/QzHqVVBKjanGW3+pK7W3yHtaGkh2oYwg6RbxBX16iQJrczl dFk2BAwp9RKXOULiFKXuPKtRn9RoM1nOhrYzlNRHvC7xSJLgVGUOm8Gy2azmb5Zg3Hz16FaF 3RQebjMWrrsfNsUUJTzLNsT2CMZCpg19Q5XXQ5X7/Hs9iPjlQze/1ekKFmNVAWdPeFxEiVBx V5tTMt+Q59OQ6fciYYPbOsyt7C9snS35IbssOHestfxofJTRcmk0vVMbdmHHx/f2SK2Q/lLe nWzLOy57dUdN+81FB0a88ZdSXJoyNJDUcMo/NeKkdUUDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/BOACqegmx80noypL0l-1DDOV7aU>
Subject: Re: [Ace] EDHOC standardization
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 09:08:38 -0000

Hi Hannes,

No wonder that ECDHE-PSK is not widely used in (D)TLS when the relevant ECDHE-PSK cipher suites TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 for TLS 1.2 (and similarly ECDHE + PSK + TLS_AES_128_CCM_8_SHA256 for TLS 1.3) were standardized just a few months ago (RFC 8442 and RFC 8446). Luckily most, if not all TLS 1.3 implementations are likely to support ECDHE + PSK + TLS_AES_128_CCM_8_SHA256.

Similarly, PRK (RFC 7250) is not supported in many TLS implementations (e.g. it is not supported in mbed TLS). The main use case for RPK and self-signed certificates are not as a replacement for PKI, it's a replacement for symmetrical group keys. 

My experience is that almost all IoT devices are capable of doing ECDH and doing so is very important as a way to get PFS. As required by RFC 725, IEFT protocols need to mitigate pervasive monitoring and one very effective way is to use PFS.

Looking at a lot of currently deployed IoT systems makes me sad, if security is used at all, it is often hop-by-hop and often not over the full path. The systems seldom provide PFS and in many cases use symmetrical group keys where they should not. A common reason that systems do not use PFS is because they think it’s an easy way to enable intercept.

IETF has a role to educate and guide people on what to use. I think that IETF should strongly recommend PFS in all use cases and recommend using RPK/ self-signed certificates instead of group keys where possible. A pre-requisite for doing so is to provide protocols that can be used even in very constrained systems.

Cheers,
John

-----Original Message-----
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>;
Date: Wednesday, 21 November 2018 at 16:16
To: John Mattsson <john.mattsson@ericsson.com>;, "ace@ietf.org"; <ace@ietf.org>;, "lwip@ietf.org"; <lwip@ietf.org>;
Cc: Benjamin Kaduk <kaduk@mit.edu>;, "salvador.p.f@um.es"; <salvador.p.f@um.es>;
Subject: RE: [Ace] EDHOC standardization

Hi John,

From our experience neither PSK+ECDHE nor RPK usage is common in IoT deployments among the bigger IoT providers.
Today, most companies use certificate-based authentication in almost all cases. In some cases plain PSK is used for those cases where devices are particularly constraint.

Ciao
Hannes

-----Original Message-----
From: Ace <ace-bounces@ietf.org>; On Behalf Of John Mattsson
Sent: Wednesday, November 21, 2018 4:03 PM
To: ace@ietf.org; lwip@ietf.org
Cc: Benjamin Kaduk <kaduk@mit.edu>;; salvador.p.f@um.es
Subject: Re: [Ace] EDHOC standardization

Hi all,

Inspired by the discussion in this thread, I did more detailed calculations of the number of bytes when DTLS 1.3 is used for typical IoT use cases (PSK, RPK, Connection ID). The plan is to add this information to draft-ietf-lwig-security-protocol-comparison as this has been requested by several people. I think some bytes were missing in the earlier estimates for TLS 1.3, and as Ben commented, DTLS 1.3 adds some bytes compared to TLS 1.3.

==============================================================================
Flight                                #1         #2        #3       Total
------------------------------------------------------------------------------
DTLS 1.3 RPK + ECDHE                 149        373       213        735
DTLS 1.3 PSK + ECDHE                 186        190        57        433
DTLS 1.3 PSK                         136        150        57        343
------------------------------------------------------------------------------
EDHOC    RPK + ECDHE                  38        121        86        245
EDHOC    PSK + ECDHE                  43         47        12        102
==============================================================================
                                 Number of bytes

Assumptions:
- Minimum number of algorithms and cipher suites offered
- Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256
- Length of key identifiers: 4 bytes
- Connection identifiers: 1 byte
- The DTLS RPKs use point compression (saves 32 bytes)
- No DTLS handshake message fragmentation
- Only mandatory DTLS extentions, except for connection ID
- Version 30 https://tools.ietf.org/html/draft-ietf-tls-dtls13-30

(EDHOC numbers are for the soon to be published -11 version with cipher suites)

I hope this information is useful for people. Please comment if I missed something or if you have any suggestion of things to add or how to present things. I do not know currently how these numbers compare to DTLS 1.2.

Below is detailed information about where the byte in different flights as well as the RPKs (SubjectPublicKeyInfo). Most of the bytes should have the correct value, but most of the length fields are just written as LL LL LL. Below is also information about how resumption, cached information [RFC 7924], and not using Connection ID affects the number of bytes.


======================================================
DTLS 1.3 Flight #1 RPK + ECDHE
======================================================

Record Header - DTLSPlaintext (13 bytes)
16 fe fd EE EE SS SS SS SS SS SS LL LL

Handshake Header - Client Hello (10 bytes)
01 LL LL LL SS SS 00 00 00 LL LL LL

Legacy Version (2 bytes)
fe fd

Client Random (32 bytes)
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

Legacy Session ID (1 bytes)
00

Cipher Suites (TLS_AES_128_CCM_8_SHA256) (4 bytes)
00 02 13 05

Compression Methods (null) (2 bytes)
01 00

Extensions Length (2 bytes)
LL LL

Extension - Supported Groups (x25519) (8 bytes)
00 0a 00 04 00 02 00 1d

Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes)
00 0d 00 04 00 02 08 07

Extension - Key Share (42 bytes)
00 33 00 26 00 24 00 1d 00 20
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

Extension - Supported Versions (1.3) (7 bytes)
00 2b 00 03 02 03 04

Extension - Client Certificate Type (Raw Public Key) (6 bytes)
00 13 00 01 01 02

Extension - Server Certificate Type (Raw Public Key) (6 bytes)
00 14 00 01 01 02

Extension - Connection Identifier (43) (6 bytes)
XX XX 00 02 01 42

13 + 10 + 2 + 32 + 1 + 4 + 2 + 2 + 8 + 8 + 42 + 7 + 6 + 6 + 6 = 149 bytes

------------------------------------------------------
DTLS 1.3 Flight #1 PSK + ECDHE
------------------------------------------------------

Differences compared to RPK + ECDHE

+ Extension - PSK Key Exchange Modes (6 bytes)
  00 2d 00 02 01 01

+ Extension - Pre Shared Key (51 bytes)
  00 29 00 2F
  00 0a 00 04 ID ID ID ID 00 00 00 00
  00 21 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

- Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes)

- Extension - Client Certificate Type (Raw Public Key) (6 bytes)

- Extension - Server Certificate Type (Raw Public Key) (6 bytes)

149 + 6 + 51 - 8 - 6 - 6 = 186 bytes

------------------------------------------------------
DTLS 1.3 Flight #1 PSK
------------------------------------------------------

Differences compared to PSK + ECDHE

- Extension - Supported Groups (x25519) (8 bytes)

- Extension - Key Share (42 bytes)

186 - 8 - 42 = 136 bytes



======================================================
DTLS 1.3 Flight #2  RPK + ECDHE
======================================================

Record Header - DTLSPlaintext (13 bytes)
16 fe fd EE EE SS SS SS SS SS SS LL LL

Handshake Header - Server Hello (10 bytes)
02 LL LL LL SS SS 00 00 00 LL LL LL

Legacy Version (2 bytes)
fe fd

Server Random (32 bytes)
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

Legacy Session ID (1 bytes)
00

Cipher Suite (TLS_AES_128_CCM_8_SHA256) (2 bytes)
13 05

Compression Method (null) (1 bytes)
00

Extensions Length (2 bytes)
LL LL

Extension - Key Share (40 bytes)
00 33 00 24 00 1d 00 20
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

Extension - Supported Versions (1.3) (6 bytes)
00 2b 00 02 03 04

Extension - Connection Identifier (43) (6 bytes)
XX XX 00 02 01 43

Record Header - DTLSCiphertext, Full (6 bytes) HH ES SS 43 LL LL

Handshake Header - Encrypted Extensions (10 bytes)
08 LL LL LL SS SS 00 00 00 LL LL LL

Extensions Length (2 bytes)
LL LL

Extension - Client Certificate Type (Raw Public Key) (6 bytes)
00 13 00 01 01 02

Extension - Server Certificate Type (Raw Public Key) (6 bytes)
00 14 00 01 01 02

Handshake Header - Certificate Request (10 bytes)
0d LL LL LL SS SS 00 00 00 LL LL LL

Request Context (1 bytes)
00

Extensions Length (2 bytes)
LL LL

Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes)
00 0d 00 04 00 02 08 07

Handshake Header - Certificate (10 bytes)
0b LL LL LL SS SS 00 00 00 LL LL LL

Request Context (1 bytes)
00

Certificate List Length (3 bytes)
LL LL LL

Certificate Length (3 bytes)
LL LL LL

Certificate (59 bytes) // Point compression
....

Certificate Extensions (2 bytes)
00 00

Handshake Header - Certificate Verify (10 bytes)
0f LL LL LL SS SS 00 00 00 LL LL LL

Signature  (68 bytes)
ZZ ZZ 00 40 ....

Handshake Header - Finished (10 bytes)
14 LL LL LL SS SS 00 00 00 LL LL LL

Verify Data (32 bytes)
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

Record Type (1 byte)
16

Auth Tag (8 bytes)
e0 8b 0e 45 5a 35 0a e5

13 + 102 + 6 + 24 + 21 + 78 + 78 + 42 + 1 + 8 = 373 bytes

------------------------------------------------------
DTLS 1.3 Flight #2 PSK + ECDHE
------------------------------------------------------

Differences compared to RPK + ECDHE

- Handshake Message Certificate (78 bytes)

- Handshake Message CertificateVerify (78 bytes)

- Handshake Message CertificateRequest (21 bytes)

- Extension - Client Certificate Type (Raw Public Key) (6 bytes)

- Extension - Server Certificate Type (Raw Public Key) (6 bytes)

+ Extension - Pre Shared Key (6 bytes)
  00 29 00 02 00 00

373 - 78 - 78 - 21 - 6 - 6  + 6 = 190 bytes

------------------------------------------------------
DTLS 1.3 Flight #2 PSK
------------------------------------------------------

Differences compared to PSK + ECDHE

- Extension - Key Share (40 bytes)

190 - 40 = 150 bytes



======================================================
DTLS 1.3 Flight #3 RPK + ECDHE
======================================================

Record Header (6 bytes) // DTLSCiphertext, Full ZZ ES SS 42 LL LL

Handshake Header - Certificate (10 bytes)
0b LL LL LL SS SS XX XX XX LL LL LL

Request Context (1 bytes)
00

Certificate List Length (3 bytes)
LL LL LL

Certificate Length (3 bytes)
LL LL LL

Certificate (59 bytes) // Point compression
....

Certificate Extensions (2 bytes)
00 00

Handshake Header - Certificate Verify (10 bytes)
0f LL LL LL SS SS 00 00 00 LL LL LL

Signature  (68 bytes)
04 03 LL LL //ecdsa_secp256r1_sha256
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

Handshake Header - Finished (10 bytes)
14 LL LL LL SS SS 00 00 00 LL LL LL

Verify Data (32 bytes) // SHA-256
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

Record Type (1 byte)
16

Auth Tag (8 bytes) // AES-CCM_8
00 01 02 03 04 05 06 07

6 + 78 + 78 + 42 + 1 + 8 = 213 bytes

------------------------------------------------------
DTLS 1.3 Flight #3 PSK + ECDHE
-----------------------------------------------------

Differences compared to RPK + ECDHE

- Handshake Message Certificate (78 bytes)

- Handshake Message Certificate Verify (78 bytes)

213 - 78 - 78 = 57 bytes

------------------------------------------------------
DTLS 1.3 Flight #3 PSK
-----------------------------------------------------

Differences compared to PSK + ECDHE

None

57 bytes







======================================================
DTLS 1.3 - Cached information [RFC 7924] ======================================================

- Cached information together with server X.509 can be used to move bytes from flight #2 to flight #1
  (cached RPK increases the number of bytes compared to cached X.509)

Differences compared to RPK + ECDHE

Flight #1

- Extension - Server Certificate Type (Raw Public Key) (6 bytes)

+ Extension - Client Cashed Information (39 bytes)
  00 19 LL LL LL LL
  01 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

149 + 33 = 182 bytes

Flight #2

- Extension - Server Certificate Type (Raw Public Key) (6 bytes)

+ Extension - Server Cashed Information (7 bytes)
  00 19 LL LL LL LL 01

- Server Certificate (59 bytes -> 32 bytes)

373 - 26 = 347 bytes

==============================================================================
Flight                                #1         #2        #3       Total
------------------------------------------------------------------------------
DTLS 1.3 Cached X.509/RPK + ECDHE    182        347       213        742
DTLS 1.3 RPK + ECDHE                 149        373       213        735
==============================================================================



======================================================
DTLS 1.3 - Resumption
======================================================

To enable resumption, a 4th flight (New Session Ticket) is added

Flight #4 - New Session Ticket

Record Header - DTLSCiphertext, Full (6 bytes) HH ES SS 43 LL LL

Handshake Header - New Session Ticket (10 bytes)
04 LL LL LL SS SS 00 00 00 LL LL LL

Ticket Lifetime (4 bytes)
00 01 02 03

Ticket Age Add (4 bytes)
00 01 02 03

Ticket Nonce (2 bytes)
01 00

Ticket (6 bytes)
00 04 ID ID ID ID

Extensions (2 bytes)
00 00

Auth Tag (8 bytes) // AES-CCM_8
00 01 02 03 04 05 06 07

6 + 10 + 4 + 4 + 2 + 6 + 2 + 8 = 42 bytes

The resumption handshake is just a PSK handshake with 136 + 150 + 57 = 343 bytes

==============================================================================
Flight                                      #1     #2     #3     #4    Total
------------------------------------------------------------------------------
DTLS 1.3 RPK + ECDHE + NewSessionTicket    149    373    213     42      777
DTLS 1.3 PSK (resumption)                  136    150     57             343
==============================================================================



======================================================
DTLS 1.3 - Connection ID
======================================================

Without a Connection ID the DTLS 1.3 flight sizes changes as follows

DTLS 1.3 Flight #1:   -6 bytes
DTLS 1.3 Flight #2:   -7 bytes
DTLS 1.3 Flight #3:   -1 byte



==============================================================================
Flight                                #1         #2        #3       Total
------------------------------------------------------------------------------
DTLS 1.3 RPK + ECDHE (no cid)        143        364       212        721
DTLS 1.3 PSK + ECDHE (no cid)        180        183        56        419
DTLS 1.3 PSK (no cid)                130        143        56        329
==============================================================================





======================================================
DTLS Raw Public Keys
======================================================

SubjectPublicKeyInfo without point compression
-----------------------------------------------------

0x30 // Sequence
0x59 // Size 89

0x30 // Sequence
0x13 // Size 19
0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01.     // OID 1.2.840.10045.2.1 (ecPublicKey)
0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07 // OID 1.2.840.10045.3.1.7 (secp256r1)

0x03 // Bit string
0x42 // Size 66
0x00 // Unused bits 0
0x04 // Uncompressed
...... 64 bytes X and Y

Total of 91 bytes

SubjectPublicKeyInfo with point compression
-----------------------------------------------------

0x30 // Sequence
0x59 // Size 89

0x30 // Sequence
0x13 // Size 19
0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01.     // OID 1.2.840.10045.2.1 (ecPublicKey)
0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07 // OID 1.2.840.10045.3.1.7 (secp256r1)

0x03 // Bit string
0x42 // Size 66
0x00 // Unused bits 0
0x03 // Compressed
...... 32 bytes X

Total of 59 bytes


======================================================
Helpful Sources of Information
======================================================

In addition to relevant RFCs and the estimates done by Jim, the following references were helpful:

Every Byte Explained: The Illustrated TLS 1.3 Connection https://tls13.ulfheim.net/

Digital Certificates for the Internet of Things https://kth.diva-portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf

/John




-----Original Message-----
From: Benjamin Kaduk <kaduk@mit.edu>;
Date: Saturday, 3 November 2018 at 15:59
To: John Mattsson <john.mattsson@ericsson.com>;
Cc: "salvador.p.f@um.es"; <salvador.p.f@um.es>;, "ace@ietf.org"; <ace@ietf.org>;
Subject: Re: [Ace] EDHOC standardization

On Fri, Nov 02, 2018 at 02:55:54PM +0000, John Mattsson wrote:
> Hi Benjamin, Salvador
>
> While DTLS 1.3 have done a very good job of lowering the overhead of the record layer when application data is sent (see e.g. https://tools.ietf.org/html/draft-ietf-lwig-security-protocol-comparison-01 for a comparison between different protocols), I do not think the handshake protocol is much leaner (is it leaner at all?).

(There are some handshake messages that are removed entirely.)

> We tried to make an fair comparison between EDHOC and TLS 1.3 in the presentation at IETF 101 (see https://datatracker.ietf.org/meeting/101/materials/slides-101-ace-key-exchange-w-oscore-00). Since then, we have significantly optimized the encoding in EDHOC and the upcoming version (-11) is expected to have the following message sizes.
>
>    Auth.               PSK       RPK       x5t     x5chain
>    --------------------------------------------------------------------
>    EDHOC message_1      43        38        38        38
>    EDHOC message_2      47       121       127       117 + Certificate chain
>    EDHOC message_3      12        86        92        82 + Certificate chain
>    --------------------------------------------------------------------
>    Total               102       245       257       237 + Certificate chains
>
> As Salvador writes, the handshakes in TLS 1.3 and DTLS 1.3 are basically the same, so the numbers presented at IETF 101 should be a good estimate also for DTLS 1.3.
>
>    Auth.                PSK       RPK
>    --------------------------------------------------------------------
>    (D)TLS message_1     142       107
>    (D)TLS message_2     135       264
>    (D)TLS message_3      51       167
>    --------------------------------------------------------------------
>    Total                328       538

Thanks for the numbers!

> The numbers above include ECDHE. For handshake messages, my understanding is that the DTLS 1.3 and TLS 1.3 record layer have exactly the same size.

The DTLS 1.3 ones will be worse, due to the epoch and sequence number fields.

-Ben

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.