[Ace] Minimizing overhead of certificates in constrained IoT

John Mattsson <john.mattsson@ericsson.com> Fri, 02 November 2018 11:31 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A876130DC2 for <ace@ietfa.amsl.com>; Fri, 2 Nov 2018 04:31:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.77
X-Spam-Level:
X-Spam-Status: No, score=-4.77 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=GmN1jw8U; dkim=pass (1024-bit key) header.d=ericsson.com header.b=IdHrjQPK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xgN7vCZKSDgV for <ace@ietfa.amsl.com>; Fri, 2 Nov 2018 04:31:20 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9006C1292AD for <ace@ietf.org>; Fri, 2 Nov 2018 04:31:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1541158278; x=1543750278; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=bewanTgegyPU13rDe9Tnmh7h2D0YU82AGFVc0twXZ0g=; b=GmN1jw8U2u5Jw5ZaMH7Ivc4yhgCfb7G6FD1YCrm/5AZZUkQRddlwR4BPAkBRndaa 512FLdR5dyjilicSlM6h7jAqdmfL1fvleN8VDdDZSooPfgJ0qfLibYtNDc1GQu4n ZKFoRrjoYkg/3NG0xMspGhQXXfTwx5bGdrmtzx7okFY=;
X-AuditID: c1b4fb2d-40dff7000000434d-78-5bdc3586be2e
Received: from ESESBMB504.ericsson.se (Unknown_Domain [153.88.183.117]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id A3.8C.17229.6853CDB5; Fri, 2 Nov 2018 12:31:18 +0100 (CET)
Received: from ESESBMR504.ericsson.se (153.88.183.139) by ESESBMB504.ericsson.se (153.88.183.187) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Fri, 2 Nov 2018 12:31:18 +0100
Received: from ESESBMB505.ericsson.se (153.88.183.172) by ESESBMR504.ericsson.se (153.88.183.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Fri, 2 Nov 2018 12:31:18 +0100
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB505.ericsson.se (153.88.183.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Fri, 2 Nov 2018 12:31:17 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bewanTgegyPU13rDe9Tnmh7h2D0YU82AGFVc0twXZ0g=; b=IdHrjQPKKP7CXelTZUkg/Ozt8IgjllmC+o0GXOJn+VXM0dsKm88lY2die61ueBaOjYAlBmBrEZyMYobvAgjcjk0JUdGs49+rsBJayOkigOIWQqSMO8M4V5nGeIMQt3XJVrdsTo4yGR0krQJ9MkroEVyAkDU3GDcQhdcLorVBY+k=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.166.22) by HE1PR07MB3163.eurprd07.prod.outlook.com (10.170.245.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.16; Fri, 2 Nov 2018 11:31:17 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::fcb5:ca45:9e56:1910]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::fcb5:ca45:9e56:1910%2]) with mapi id 15.20.1294.024; Fri, 2 Nov 2018 11:31:16 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "t2trg@irtf.org" <t2trg@irtf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: Minimizing overhead of certificates in constrained IoT
Thread-Index: AQHUcp+R17G1j53EqkyuwSM7Na/Fng==
Date: Fri, 2 Nov 2018 11:31:16 +0000
Message-ID: <3F7E42DF-7CA9-4765-AB67-A53B4E7D1AC1@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.11.0.180909
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1PR07MB3163; 6:MiF+84nTKYossnmwdQVKWEfJ3ueuyZmRHL2tbIMSdttTN+xyM0p3iDVNMGf+GLzPhho6TZ7joiNymXU2tBdHH+Gd9rsbyLSICbXjG/cVO0eXfQwWw1eWax7XreeR3kC6QmhbKziZvMwtaJnt7F8QdU1+NnJX33RS2Cc3llYWsUyGoFdh646TYc2BUmU6cYiUf9eEOBNGRdrlLgcjpGVi9U6kqSpIa6/SVfv0JO5eVI64pawyZ1jhQTD0lYADOVDeaZQ7f3atUhDo0CVpvExx9YfQvsFO0ftM0njrBL21X8vOZ60Bc7arGhW8dupBE8Cyp2KMlLAu4WCT2JWtTuKxyZhjA6nNA8TufPfgQZ5kA7mbLi16lUtmLCeC8LCmkjsieymOMRtRzn+XzlC1ExQTLpUchApiqwvlzYI6aSbKlYT9j1UQ64W56vscvmJigGpzEl/xEss0DbOIUnKEWLlbug==; 5:XE69y1Kzzd60iKd7v3C/InEIKWkpDSLH+PTg2pQHUnjhisxf9BeBotLr5KvOEJTIJW1byYMQPtZybiPSwqkQy6y8fQCjoGbZmTYN2F7rKqqrPnuSSjWDKKkfua5OVisGlHi9DsBzX7RRRTeePjSH0cVGNzNYdLgm7taZyVv0SzY=; 7:ILQvYwM0CstV+i3LQxHdoqrq+FRwPQF1VbxoE1p4sEda6OXvh65wI0d57Q6w8kI+o0Qj6MzJrtjLsee4YRFuBSUV7eqHL2Pp+hG6d9rbfwBplHS/+RwW26mudDyEfVP2QInMjt+S+fkE8qogWYkxtQ==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 3baa10d7-4584-40f4-4e5b-08d640b6b41b
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:HE1PR07MB3163;
x-ms-traffictypediagnostic: HE1PR07MB3163:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-microsoft-antispam-prvs: <HE1PR07MB31633198FD84D3948D8B8E2C89CF0@HE1PR07MB3163.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(165104125076784)(17755550239193)(192374486261705);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231382)(944501410)(52105095)(3002001)(10201501046)(93006095)(93001095)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123560045)(20161123564045)(20161123558120)(201708071742011)(7699051)(76991095); SRVR:HE1PR07MB3163; BCL:0; PCL:0; RULEID:; SRVR:HE1PR07MB3163;
x-forefront-prvs: 08444C7C87
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(396003)(376002)(346002)(366004)(136003)(51444003)(189003)(199004)(44832011)(966005)(5660300001)(7736002)(106356001)(105586002)(2900100001)(14454004)(102836004)(36756003)(99286004)(6506007)(2501003)(6486002)(53936002)(305945005)(8676002)(186003)(2906002)(26005)(6306002)(6512007)(81156014)(81166006)(110136005)(68736007)(82746002)(97736004)(6436002)(25786009)(6116002)(3846002)(2616005)(478600001)(14444005)(256004)(66066001)(71190400001)(476003)(316002)(486006)(58126008)(8936002)(86362001)(33656002)(71200400001)(83716004); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3163; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: NJpFgnmFaZiBM410YiwvholAv2zCc9FFWDgRw2Dh/O8D7gE+iykISfCcZMV3VkYstwF4Z6wxvxtFtvi4DhzEAClvt5uRfdY5L4c+ymxjzLbjcTnRJ8WeJboScqTYvTEhpBatUdZOmvxA1ZhNlumEd/w1/qh4zDZpFD+k28TrGblrpBXBwEad5TwqpfLEniu62ukkYj7TiYkYpI3cjhN59nLZ1MpzmuiGjfCeTbv6dY+7eFanHEkIU0JBCOsOl/8saoSTS14zrqWNPdZiYBKDFGwkgBjzSC7nRFUD0yaJ9rkH8Y+vDsSkb4tQAiBwdT0jzA+7YrN8rcPFKPO1UrOJ3A+F4acZaohVZuWqeG5nZgU=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <13EB1E261346F9478FD598E8539A4935@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 3baa10d7-4584-40f4-4e5b-08d640b6b41b
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2018 11:31:16.7256 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3163
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02SbUhTURjHPffebdfV8rQ0HxSDDSUSnM6K/BBqGDYiIfoUzrKlFzXnC7sq 6gdRaSN8IfHdmUxowZjDt5TCZtK0lhUKCVpm4Gxa9oKm5GqS5XZn9O33f57//znnORyaFDfy Quic/CJGk69SS/lCquPyg+Io3ckFZcyfrtA411YdGbe2WEclEgqj8RehaBoY518kUoWnMxl1 TgmjiY6/JszuebVMFvZHlPaY7wsq0VB4DfKnAZ8Au87Iq0FCWownEOxU6RAnfiDYsrTz/4ml mWWCE3cJGLd/JT2Cwg0kGN48JTzDxLiRgMl5OedyIBj/9Iz0NPg4BrqslXwPB+KzsDa1QXn4 EE6AkdEB3l59+FEjybEMfo4OIg9TOBzc/TqvR7TrH+4Y9GYRPgyuFxbvwSQOhnmngeA2wmC0 TpMcB8Hqhx1vNghHg2HxFo+rS+DlY5PPEwavDbXepQHP8sG1UuUzRcF6S4vPlAIbY1qKM9kR bFqdAq4RCdWWWYK70RXQatt84VwYqV9CHKeBzVLlG3QEzPUOimM7uRugG5Bc/98SekTv8jHo G4nmygrQOkwExxJornUI9N63OAiTHU6qG/HMKIhlWDYvK/a4jNHkZLBsQb4snykaRLs/5cnQ dtRD1PPljA1hGkn3iy5IFpRinqqELcuzIaBJaaAoee2dUizKVJWVM5qCdE2xmmFtKJSmpMEi mdmaKsZZqiIml2EKGc1el6D9QyqRxRwWkDiXdD2tV9XpLEi6ZFJ22doSPn+v8ANjU9PmRqn1 nGty1g/r96m3W9+uXJWn3hzlVbTfmAoGxdHqVklsdZt7hx6zuUTuOkHjNPW7sw/HL6StRnwk TN9up3dPnJpKPl/rfn4g4J5i/X3kXMrAHedMXH/vUsZCefOmtE9KsdkqeSSpYVV/AVXCxUYl AwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/stc2trqRPAyg4O0Q_J3_gs6iWQ0>
Subject: [Ace] Minimizing overhead of certificates in constrained IoT
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2018 11:31:23 -0000

Hi,

We recently submitted https://tools.ietf.org/html/draft-raza-ace-cbor-certificates-00, which build on research done by Research Institutes of Sweden, Royal Institute of Technology in Stockholm, and Nexus:

https://kth.diva-portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf
https://doi.org/10.1007/978-3-319-93797-7_14

The mechanism in the draft aims to reduce message overhead with the approach to start with a heavily profiled X.509 certificate and encode it to CBOR, resulting in around 50% savings in message overhead and storage. A major reason for submitting this early draft is to start a discussion on how to minimize the overhead (message size, code size, memory, storage, processing, etc.) caused by certificates in IoT deployments.

Current X.509 certificates are demanding in several ways (message, code size, memory, processing, etc. and are not designed for constrained IoT environments. The quite large sizes of even well profiled X.509 certificates mean that they take up a large part of the total number of bytes when used in protocols. Transmitting, receiving, or even listening for radio is relatively expensive in terms of power consumption and as the radio resources are often constrained, large messages lead to interference and therefore more latency than just the message sizes would infer.

That fact that certificates are sent encrypted in new protocols (TLS 1.3, DTLS 1.3, EDHOC) means that compression in intermediaries will not work in the future. TLS 1.3 and DTLS 1.3 are currently looking at certificate compression, but these mechanisms are not optimal for constrained IoT. The use of general lossless compression algorithms are quite heavy, and they do not compress things optimally.

With the submission of raft-raza-ace-cbor-certificates we would like to start a discussion on how to minimize the overhead caused by certificates.

- Which aspects do the community prioritise the most? i.e. message size, code size, memory, processing, etc. And how should trade-offs between these aspects look like?

- For how long time is people planning to use older protocols that do not encrypt certificates? Is it worth specifying gateway type of compression for these protocols?

draft-raza-ace-cbor-certificates does currently take the approached to start with a heavily profiled X.509 certificate and encode it to CBOR. Another approach is to not start with X.509 and do certificates in CBOR directly. This can be even more optimal from a theoretical point of view but may never deployed. Previous attempts to introduce new certificate types seem to have failed. On the other hand the current mechanism increases code size and processing for the part verifying the certificate.

- How should new IoT CBOR certificates be introduced in protocols? As a new type of certificate or a new compression/encoding algorithm for certificates? Is compression/encoding done inside the protocol or outside of the protocol?

- Is CBOR the correct choice if a new encoding is specified? We certainly think so.

- What are peoples’ opinions on general lossless compression algorithms?

- Which protocols would the IoT community want to use with new certificates/encoding/compression?

I think that a good place to start a discussion about these topics would be in T2TRG. If people find this interesting, I suggest having a quick introduction on the Friday plenary session and then further discussions in the security breakout.

Cheers,
John