Re: [Ace] [EXTERNAL] Re: EST over CoAP: Randomness

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Wed, 15 May 2019 15:12 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DBDF120099 for <ace@ietfa.amsl.com>; Wed, 15 May 2019 08:12:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=LXkUbrJ3; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=bSJBuHhp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VHQGCL3wbe6W for <ace@ietfa.amsl.com>; Wed, 15 May 2019 08:12:16 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01D551200FB for <ace@ietf.org>; Wed, 15 May 2019 08:12:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11400; q=dns/txt; s=iport; t=1557933135; x=1559142735; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=/XN6gaz1dd+EdVPmfGSjA8rTyBOJLl95R8Cp1mlEcQw=; b=LXkUbrJ394IAJLI2RkCWJQa/eF0xXhEknu4GFn+QQ4xvKxEJtOLzrpVs QXgJ+CrkUup8el+w1HMQZbRLGC4VwJHOXOAkKS6YKSMoHrSTGQQ9GogiO 9ZGBGFiweG4oAiRP6ip7nLaBiC8W/nNSprRV68fhaFog7fMvXDZH5KSOh I=;
IronPort-PHdr: =?us-ascii?q?9a23=3A5hJPjBYOHsQigsm8/1tGVlr/LSx94ef9IxIV55?= =?us-ascii?q?w7irlHbqWk+dH4MVfC4el20gabRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn?= =?us-ascii?q?1NksAKh0olCc+BB1f8KavybCU/BM1EXXdu/mqwNg5eH8OtL1A=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AlAAA+K9xc/5JdJa1hAxsBAQEBAwE?= =?us-ascii?q?BAQcDAQEBgVIFAQEBCwGBDi8kBScDaVUgBAsoCodOA45ySoINkliETYEuFIE?= =?us-ascii?q?QA1QJAQEBDAEBIAkEAgEBhEACgisjNQgOAQMBAQQBAQIBBG0cDIVKAQEBBBI?= =?us-ascii?q?bEwEBLAIKCwQCAQgRBAEBAScHMhQJCAIEARIIEwQDgwGBHU0DHQEOoS8CgTW?= =?us-ascii?q?IX4IggnkBAQWEfhiCDwmBMwGFQoJvgX+BHheBQD8mgTGCTD6CYQQYgRQBEgE?= =?us-ascii?q?hBQcTCwEJAg+CdYImiwmHKpUqCQKCCYYhhDqDYoQ8ghQuN4VnjQ6LHIEYhli?= =?us-ascii?q?OMgIEAgQFAg4BAQWBUQI0ZnFwFTuCbAmCBoEkAQKCSIpTcgEBE4EUjQOBIgG?= =?us-ascii?q?BIAEB?=
X-IronPort-AV: E=Sophos;i="5.60,472,1549929600"; d="scan'208,217";a="560112734"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 15 May 2019 15:12:11 +0000
Received: from XCH-ALN-006.cisco.com (xch-aln-006.cisco.com [173.36.7.16]) by rcdn-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id x4FFCBnB015948 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 15 May 2019 15:12:11 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-ALN-006.cisco.com (173.36.7.16) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 15 May 2019 10:12:11 -0500
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 15 May 2019 10:12:10 -0500
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Wed, 15 May 2019 10:12:10 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=inla9QtjG3psr+la7fQRvxDuvV9Imvp3CwBAEwic10k=; b=bSJBuHhpJuGFOq4mgGsPvkGI4bXaWo7VWVH35JojtV+IsIqD280obx6/hRvG3DxdWIv6iFoyS78PzH+Yk5Odhmx/g9HJ3BZi3jpNZpMHhnZuXTr2+zDOnr8qFmwNIpLz4+qUz+rQeqhbOQd2tJqx+sXMMy4LkAutKnLFoBbmYxk=
Received: from MWHPR11MB1838.namprd11.prod.outlook.com (10.175.53.141) by MWHSPR00MB242.namprd11.prod.outlook.com (10.169.207.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1900.16; Wed, 15 May 2019 15:12:09 +0000
Received: from MWHPR11MB1838.namprd11.prod.outlook.com ([fe80::4964:5495:9121:8f12]) by MWHPR11MB1838.namprd11.prod.outlook.com ([fe80::4964:5495:9121:8f12%7]) with mapi id 15.20.1900.010; Wed, 15 May 2019 15:12:09 +0000
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: "Damm, Benjamin" <Benjamin.Damm@itron.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] [EXTERNAL] Re: EST over CoAP: Randomness
Thread-Index: AQHVCyqVf0ZF4bvDnUOipNZ8LdEfhaZsSa3Q
Date: Wed, 15 May 2019 15:12:09 +0000
Message-ID: <MWHPR11MB1838D7AC91CD71DD65B46764C9090@MWHPR11MB1838.namprd11.prod.outlook.com>
References: <DBBPR08MB45393CDF71E7DB02F6C6938CFA330@DBBPR08MB4539.eurprd08.prod.outlook.com> <0a75faf6-0968-d266-b99e-cf400b311477@cisco.com>, <fac2c92b-ca2b-492f-82ee-82b67cfda10e@sjc-ex16-04.silverspringnet.com> <SN6PR04MB516505FF98223DDEFC4FC256F8090@SN6PR04MB5165.namprd04.prod.outlook.com>
In-Reply-To: <SN6PR04MB516505FF98223DDEFC4FC256F8090@SN6PR04MB5165.namprd04.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pkampana@cisco.com;
x-originating-ip: [173.38.117.90]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 72655b8d-cdd8-4846-feaa-08d6d947b34b
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:MWHSPR00MB242;
x-ms-traffictypediagnostic: MWHSPR00MB242:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <MWHSPR00MB242484D4AEB26BB9E2F923EC9090@MWHSPR00MB242.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0038DE95A2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(39860400002)(136003)(376002)(366004)(346002)(189003)(13464003)(40434004)(199004)(478600001)(8936002)(966005)(76116006)(6506007)(110136005)(66946007)(68736007)(186003)(5660300002)(53936002)(7736002)(486006)(790700001)(6116002)(102836004)(81166006)(14454004)(3846002)(8676002)(81156014)(53546011)(52536014)(6246003)(66476007)(73956011)(7696005)(64756008)(66556008)(66446008)(71200400001)(71190400001)(76176011)(99286004)(446003)(26005)(11346002)(6306002)(5024004)(9686003)(236005)(14444005)(25786009)(256004)(86362001)(2906002)(476003)(33656002)(66066001)(606006)(54896002)(55016002)(229853002)(6436002)(2501003)(74316002)(316002); DIR:OUT; SFP:1101; SCL:1; SRVR:MWHSPR00MB242; H:MWHPR11MB1838.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ZIIcRHHYberjIzISwb6YvPNQcppe9s+0idg0AAuyptkYH2JaYTvwBRZQPdLglo8vcOQ1h+qWMrS95bK0rYc0Db86KNqNct3fqA3QtTIWn2axeV8wPAE20tn6N5LgdfMMfdx7ZouFBwg1g4TxZa0e0Jylbcau553/bRYju5shu93Cy62pzc4bjWMttpfSAF6UACpXvgYWmdNOi5/A/Ba2I4GWWF5l8q8sPkM5Ja1UqIebpEs3p+8ezBCz/KFE2F59IEBkPfBokoAVW9eX4pbTaCl498cTaYabm3kdDODQkSge/MjHHsro21zYlol+3GGr5Z+TRA0RkhuG6XpkAodcUlv5Bph4kLUU/hnieakiitevLAhHn9oa34+WwyrFqNKG8cM7ZEvh03HHZbk/FLyeBWsHHtK6IFEBPSJLrPa3Se0=
Content-Type: multipart/alternative; boundary="_000_MWHPR11MB1838D7AC91CD71DD65B46764C9090MWHPR11MB1838namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 72655b8d-cdd8-4846-feaa-08d6d947b34b
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 May 2019 15:12:09.2940 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHSPR00MB242
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.16, xch-aln-006.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/vc_hzUWFl5Y60HU_qjeU1YcBt9o>
Subject: Re: [Ace] [EXTERNAL] Re: EST over CoAP: Randomness
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2019 15:12:20 -0000

The draft is not recommending against RNGs in any way and hopefully there will be no room for such misunderstandings in the updated text.
Panos


From: Ace <ace-bounces@ietf.org> On Behalf Of Damm, Benjamin
Sent: Wednesday, May 15, 2019 10:29 AM
To: Hannes Tschofenig <hannes.tschofenig@arm.com>om>; Paul Duffy (paduffy) <paduffy@cisco.com>om>; ace@ietf.org
Subject: Re: [Ace] [EXTERNAL] Re: EST over CoAP: Randomness

Low-throughput RNG should be a must for IoT. Certainly in our environment devices that are unable to generate keys would be unacceptable. Hopefully we won't codify such an abomination in any protocol.
-Ben


Benjamin Damm
Cell: +1-415-297-5474
Web: https://Itron.com

________________________________
From: Ace <ace-bounces@ietf.org<mailto:ace-bounces@ietf.org>> on behalf of Hannes Tschofenig <hannes.tschofenig@arm.com<mailto:hannes.tschofenig@arm.com>>
Sent: Tuesday, May 14, 2019 4:29 PM
To: Paul Duffy; ace@ietf.org<mailto:ace@ietf.org>
Subject: [EXTERNAL] Re: [Ace] EST over CoAP: Randomness

Hi Paul,

My understanding from reading the draft text was that the "cost" was actually talking about "energy cost" rather than "monetary cost".
The monetary cost may also be interesting.

It is difficult to judge the extra cost of a RNG in an MCU because
(a) you rarely find an MCU with and without MCU (keeping all other features the same),
(b) even if you find one there are other factors that impact the cost (such as popularity of a particular MCU),
(c) RNG features are often provided with other features (such as SHA256 and AES in hardware), and
(d) cost and price of an MCU are different aspects.

Ciao
Hannes

-----Original Message-----
From: Paul Duffy <paduffy@cisco.com<mailto:paduffy@cisco.com>>
Sent: Dienstag, 14. Mai 2019 15:08
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>; ace@ietf.org<mailto:ace@ietf.org>
Subject: Re: [Ace] EST over CoAP: Randomness


On 5/9/2019 10:42 AM, Hannes Tschofenig wrote:
> I believe we should encourage developers to pick the correct hardware for the task rather than making them believe we have come up with solutions that allow them to get away without a hardware-based RNG.
>
> I also do not believe the statement that random number key generation is costly. Can you give me some number?

Strong agreement. The added cost for hw based RNG is ever decreasing. Last time I checked it was on the order of 50 cents @ Q 10k? It has likely fallen since. Confirm with Atmel etc.

Cheers


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
Ace mailing list
Ace@ietf.org<mailto:Ace@ietf.org>
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_ace&d=DwICAg&c=pqcuzKEN_84c78MOSc5_fw&r=GYGBKg0XeEBnyXmKSs4zZ6DBOYB5tLwwWSrFtYahCvs&m=dH_774yB0_IzrwFvyY1Iio9qthZz-eV34lbAEv3Y3kY&s=WChHRMoeN8IO06GYZPU1yk3uh76KEHoR7q9Hx7nhGcs&e=