Re: [Ace] [Secdispatch] FW: [secdir] EDHOC and Transports

John Mattsson <john.mattsson@ericsson.com> Sun, 03 March 2019 23:42 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "secdispatch@ietf.org" <secdispatch@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Date: Sun, 03 Mar 2019 23:41:57 +0000
Message-ID: <52643A73-867C-4221-8C0F-069F0BCCF5D6@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/p6WpWovkaPkJcCG-MkdiYsjjfHU>

Richard Barnes <rlb@ipv.sx> wrote:

>This is the part that worries me.  It would be helpful to be very crisp
>about what assumptions are being changed here, and why it's OK for them to
>be changed.  Especially given that the Bruni et al. paper seems to have
>found flaws.

As explained in Stanislav's CFRG crypto review:

"The concerns of [1] (namely, section 2.3 of [1]) has been addressed."
https://mailarchive.ietf.org/arch/msg/cfrg/6WN2C2RYGTIAInE2jIUco6L9pO8

As the concerns were about the ability of end users to understand the security properties of early application data, I think similar concerns could be made regarding (D)TLS 1.3. 

Regarding differences between EDHOC and TLS 1.3, EDHOC is closer to the deeply analyzed SIGMA-I protocol. Many of the additions TLS 1.3 does to SIGMA-I are, as far as I know, done to support additional features:

- Nonces enable TLS 1.3 to work with 0-RTT data, to support PSK mode without PFS, to work with static Diffie-Hellman keys in older versions of TLS, and to look like TLS to middleboxes and applications that expect TLS to look a certain way.

- A MAC in TLS flight #1 enables 0-RTT data.

- The split into handshake and record layer means that TLS flight #2 and #3 contain two MACs.

Most of the additions EDHOC made to SIGMA-I are summarized in Stanislav's CFRG review:

"The EDHOC protocol looks well-designed. Particularly, the reviewer would
like to mention such solutions as CRED_x under signature, which is good to
prevent DSKS-type attacks; a downgrade protection based on sending both a
list of supported suites and a selected one with aad2 and aad3 messages
being hashes from all previous messages (binding the communications
together); KCI-attacks are inapplicable due to SIGMA-like ephemeral keys
usage."

(Similar additions are done in TLS 1.3 as well, but EDHOC aims for very simple solutions that keep the code and memory complexity as low as possible).

- Other differences are mainly in encoding and different design requirements. TLS supports a large number of additional extensions and options, and it also has to interop with older versions. DTLS adds a lot of transport-related things that EDHOC relies on CoAP for. TLS was designed with web servers as the main use case. EDHOC is not trying to replace TLS; I love TLS 1.3, and I advise Ericsson products and SDOs to use TLS as much as possible. But the TLS handshake was certainly not designed with constrained IoT as the main use case. We are trying to bring SIGMA-I level end-to-end protection to constrained IoT systems where TLS is impractical.

Cheers,
John
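
The downgrade protection described in the quoted CFRG review (supported and selected suites sent in message 1, later messages authenticated over a hash of all previous messages), as an added example that is not part of this message or of the EDHOC draft. The byte encoding, the HMAC standing in for the signature/AEAD, and the fixed session key are simplifying assumptions.

```python
import hashlib
import hmac

def transcript_hash(*messages: bytes) -> bytes:
    """Hash of all previous messages; length prefixes keep boundaries unambiguous."""
    h = hashlib.sha256()
    for m in messages:
        h.update(len(m).to_bytes(4, "big") + m)
    return h.digest()

def encode_message_1(supported, selected, eph_pub: bytes) -> bytes:
    # Toy encoding (assumption): suite count, suite ids, selected suite, ephemeral key.
    return bytes([len(supported), *supported, selected]) + eph_pub

def responder_message_2(msg1_received: bytes, eph_pub: bytes, key: bytes):
    # aad2 covers message 1 exactly as the responder received it.
    aad2 = transcript_hash(msg1_received)
    tag = hmac.new(key, aad2 + eph_pub, hashlib.sha256).digest()
    return eph_pub, tag

def initiator_verify(msg1_sent: bytes, msg2, key: bytes) -> bool:
    # The initiator recomputes aad2 over message 1 exactly as it was sent.
    eph_pub, tag = msg2
    aad2 = transcript_hash(msg1_sent)
    expected = hmac.new(key, aad2 + eph_pub, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def run_handshake(suite_list_altered: bool) -> bool:
    """Return True if the initiator accepts message 2."""
    # Constructed stand-in for the key both ends derive from the ephemeral DH.
    key = hashlib.sha256(b"constructed session key").digest()
    msg1 = encode_message_1([2, 1, 0], 2, b"G_X")
    on_wire = msg1
    if suite_list_altered:
        # Message 1 arrives with a shortened suite list and a weaker selection.
        on_wire = encode_message_1([0], 0, b"G_X")
    msg2 = responder_message_2(on_wire, b"G_Y", key)
    return initiator_verify(msg1, msg2, key)

if __name__ == "__main__":
    print("unmodified message 1 accepted:", run_handshake(False))
    print("altered suite list accepted:  ", run_handshake(True))
```

Because both ends bind their view of message 1 into what they authenticate, any change to the suite list in transit makes the two transcript hashes differ and the handshake fails instead of completing with the weaker suite.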