Re: [Ace] [Secdispatch] EDHOC

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 12 February 2019 00:30 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 375F3124B0C; Mon, 11 Feb 2019 16:30:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0qxfwjSRkHG; Mon, 11 Feb 2019 16:29:58 -0800 (PST)
Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 006F912941A; Mon, 11 Feb 2019 16:29:55 -0800 (PST)
Received: by mail-qt1-x833.google.com with SMTP id p48so1036468qtk.2; Mon, 11 Feb 2019 16:29:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=BpXF7NfRzj0QudVfRybqQdCSo8HherRjs5i5GsrFJeU=; b=na0X27iTMN3WvBVN+i3jZSqZB3DwJG+TqOitRTTMJW61xinUJ4ULWx0BgRB5ivr3fc /sXvaG+K+DaOLJCZ/mEhlFkOkJvQri5gWH1Czf1pxoFJSm+AaP0Vgn8qPHEZT9LZa9c/ nx02LKajg2+NzOg1QISVkdkIBrESezpwqmQrySmG8RtXL3K4plFu9EBBvnKWMVIigczz 3Qlt/g41ca3Oq67aASjVbbBxm2TxmP0B6r1eZ77MANzT6ptNjCDG+VEO0t7xyQNUr2W5 VqmS2cynDC3rONIA7TvBP0SzccPYN5b0u6n70y+WB5lrLZP+kECfupQtezs1tTPMX19p Pt7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=BpXF7NfRzj0QudVfRybqQdCSo8HherRjs5i5GsrFJeU=; b=OlbT/PsCh7rxsBWofPNF48gQN/ZFbHgIKRYkedBixGK9+mov/h9rKdFgdBiiqrzJkk qDJTWD83fqv/96I4XlFD8SN743nq1ShnKwivp6K5PpNQf9j07LiJb3UdOjcmBtHBwkOV P7g2EyRfLs7ci5oSimm/Xup85BJvsv086V7yWzGq6o6vZqRQYzXHyjbANvA6wTnDj6m4 zpS7nP0MwfqeKdIAvDrxWDheJKvYG60mVOdoQQGnFa/stO8cIxaaBK6ldQuljtiCl4Qr 01hJ5v9EgKfXrDK7b/DulozhWT44Pp27XxjyXeVpxb2DitNFGFvv/uGY33rvRIcsp476 7iqg==
X-Gm-Message-State: AHQUAuaLf0dmiDYJc1LJ1KcJ+hyXts56hxykQlm+GGpDNWyq4oYE20Vb gv/LZBVR8aG1TYB4tFf2Adw=
X-Google-Smtp-Source: AHgI3Ia/yeC9VN9vo51OV3UTQsWM1Sj1QHId7qVdQ5B6oCPZTC+HEjUs5DahghkQa14q7QeBK4J2lQ==
X-Received: by 2002:ad4:4210:: with SMTP id k16mr659646qvp.239.1549931394967; Mon, 11 Feb 2019 16:29:54 -0800 (PST)
Received: from [10.111.222.210] (209-6-124-146.s3472.c3-0.arl-cbr1.sbo-arl.ma.cable.rcncustomer.com. [209.6.124.146]) by smtp.gmail.com with ESMTPSA id y32sm12756984qth.3.2019.02.11.16.29.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Feb 2019 16:29:54 -0800 (PST)
Content-Type: multipart/alternative; boundary=Apple-Mail-1B8AF4FF-E3C6-44AC-8A28-41B38D83F961
Mime-Version: 1.0 (1.0)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Mailer: iPhone Mail (15E216)
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01857BE125@marathon>
Date: Mon, 11 Feb 2019 19:29:53 -0500
Cc: Richard Barnes <rlb@ipv.sx>, John Mattsson <john.mattsson@ericsson.com>, "secdispatch@ietf.org" <secdispatch@ietf.org>, Francesca Palombini <francesca.palombini@ericsson.com>, "ace@ietf.org" <ace@ietf.org>, =?utf-8?Q?G=C3=B6ran_Selander?= <goran.selander@ericsson.com>
Content-Transfer-Encoding: 7bit
Message-Id: <284CB223-291D-45EF-A2B7-D49BE876AF94@gmail.com>
References: <D629D980-C059-474F-B259-2700F2EEAE41@ericsson.com> <79FD6563-8ADA-4D73-B8D5-C3D70604CD76@gmail.com> <F72354EF-2FB7-41C0-BCA1-6D4511A410B2@ericsson.com> <47F03C99-68C1-4ADB-873D-F01987D66849@ipv.sx> <20190118172714.GJ81907@kduck.mit.edu> <359EC4B99E040048A7131E0F4E113AFC0185795C45@marathon> <CAL02cgQgoxrxzBHk9pCvWwg8n91gpfK=4kReGfFfb=Av8=CoCw@mail.gmail.com> <05C8AB73-EFD1-4AC8-A795-D3624153F4D2@ericsson.com> <CAHbuEH4JpZV9TeCFjv89oCeQLD21rPdkbjKeLnRPG1V07VCRBQ@mail.gmail.com> <CAHbuEH6MpTowqTFmFejr0xi6a8+SarHjfifMHjP=Vf+if49RXQ@mail.gmail.com> <359EC4B99E040048A7131E0F4E113AFC01857BE125@marathon>
To: Roman Danyliw <rdd@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/xUSUF8vYbCG4NqHENQIhsGA5TOw>
Subject: Re: [Ace] [Secdispatch] EDHOC
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 00:30:03 -0000

If I’m reading it correctly, it looks like I will be speaking at RSA during that time slot.  Can the recording be posted?  It’s a tough week for anyone attending, so I suspect attendance will be impacted.

Thank you,
Kathleen 

Sent from my mobile device

> On Feb 11, 2019, at 6:13 PM, Roman Danyliw <rdd@cert.org> wrote:
> 
> Hi Kathleen!
>  
> Yes.  A doodle poll to determine the most agreeable time the week of March 4 was just sent:
>  
> https://mailarchive.ietf.org/arch/msg/secdispatch/KU3SWW_4UeJ9JMH9abmzaKeXXgc
>  
> Roman
>  
>  
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] 
> Sent: Monday, February 04, 2019 12:30 PM
> To: Göran Selander <goran.selander@ericsson.com>
> Cc: Richard Barnes <rlb@ipv.sx>sx>; Roman Danyliw <rdd@cert.org>rg>; John Mattsson <john.mattsson@ericsson.com>om>; secdispatch@ietf.org; Francesca Palombini <francesca.palombini@ericsson.com>om>; ace@ietf.org
> Subject: Re: [Ace] [Secdispatch] EDHOC
>  
> Will there be an interim for this topic?  
>  
> Thank you,
> Kathleen
>  
> On Thu, Jan 24, 2019 at 2:15 PM Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> Thanks for the very helpful message, Goran.  A couple of comments inline.
>  
> On Thu, Jan 24, 2019 at 11:31 AM Göran Selander <goran.selander@ericsson.com> wrote:
> Hi Richard, Roman, all
>  
> Thanks for kind welcome and for progressing the discussion. Apologies for a long email.
> 
>  
> From: Richard Barnes <rlb@ipv.sx>
> 
>  
> Summing up where I believe the conversation stands now, it seems like what folks are asking for is either:
>  
> 1.      An analysis that shows that EDHOC is equivalent to an existing AKE (e.g., IKE or TLS), or
>  
> 2. An argument that a new AKE is necessary (vs. a re-encoding of an existing AKE)
>  
> Göran et al: Do you have thoughts on those points?
>  
> Yes. I’ll get back to this later in this email.
>  
> It seems like it could be a productive use of an hour or two of virtual interim time to help the group understand one of those lines of argument.
>  
> Agree.
>  
> Anything to prevent further hold ups on this work would be appreciated.
>  
>  
> --Richard
>  
> As requested in a previous email, here is a background.
> 
>  
> 
> The work on EDHOC is motivated by the need for an authentication and key exchange protocol for OSCORE (draft-ietf-core-object-security) optimized for constrained-node networks (RFC 7228). OSCORE is applied within the IETF, e.g. in 6TiSCH minimal security (draft-ietf-6tisch-minimal-security), but also requested by other SDOs and industry fora such as OMA Specworks, Open Connectivity Foundation and Fairhair Alliance. The properties of OSCORE motivating its use include: support for CoAP forward proxies, support for change of underlying transports including non-IP, low overhead, low additional footprint and memory to existing CoAP implementations, support for multicast security, security for end-to-end REST. 
> 
>  
> 
> Given the large interest in OSCORE already before it has become an RFC we anticipate a wide range of deployments. For example, we see an interest for OSCORE in Cellular IoT with traffic running over the cellular air interface control channel, where we can have end-to-end CoAP, but not necessarily end-to-end IP between an application server and a cellular device. Or between an application server and a device behind a cellular gateway. Comparing just these two cases, the difference in capabilities of the devices can be significant which makes it difficult to point at some sort of “reference devices” for benchmarking.
> 
>  
> 
> In order to support the low end use cases the AKE must be performant in low bandwidth deployments with battery powered devices restricted in RAM and ROM. Message sizes and round trips have a direct impact on latency, power consumption and battery lifetime, and can be calculated which is the reason for this being a commonly used metric. While it may be more difficult to compare memory and storage requirements, the ability to reuse existing code is an important indication. If a device can support a CoAP stack (in the sense of memory and flash, etc) it is expected to also be able to support OSCORE. Similarly, it is desirable that a device with CoAP and OSCORE implemented should be able to support an additional AKE. Considering that EDHOC reuses CBOR and COSE primitives from OSCORE the additional code for EDHOC can be very limited.
> 
>  
> 
> From a security point of view OSCORE requires that the endpoints have agreed on a Master Secret with a good amount of randomness, and each other’s Sender IDs, and those must be different for a given Master Secret.
> 
>  
> 
> Now returning to the questions.
> 
>  
> 1.      An analysis that shows that EDHOC is equivalent to an existing AKE (e.g., IKE or TLS)
>  
> Considering EDHOC is a new protocol it should be thoroughly analysed and verified against all currently known issues of AKEs. Roman sent a mail to the secdispatch list referencing a paper presented at SSR 2018 which could be used as a starting point. How do folks want to digest this: Do they want to study the model themselves or should we ask the authors if they could present their work at the interim?
> 
>  
> 2. An argument that a new AKE is necessary (vs. a re-encoding of an existing AKE)
>  
> 
> We have done this comparison with TLS/DTLS for some time now, and what once seemed like a reasonable question has turned out to be never ending exercise. I do not want to get into IETF archeology but for those who have not followed the discussion some data points could be relevant.
> 
>  
> 
> Not long ago, the design of security protocols did not take into account constrained IoT devices. With OSCORE we showed that the message overhead could be reduced by a factor 3 compared to DTLS 1.2 records. Before this comparison it was believed that the record layer was performing well, then the difference in overhead was characterized as insignificant, and then finally a compact format was designed for DTLS 1.3.
> 
>  
> 
> With EDHOC we showed that the message overhead of the key exchange can be reduced with up to a factor 4 compared to the current version of DTLS 1.3 (see Appendix E in EDHOC). Before this exercise it was believed that the TLS/DTLS handshake was performing well, then the difference in overhead was characterized as insignificant, and now the discussion has shifted to downsizing the TLS handshake or other protocol.
> 
>  
> 
> We are not against optimizations to the TLS handshake, just as we welcome the more optimal DTLS 1.3 records. But TLS was not designed to be an AKE for OSCORE optimized for constrained environments. As I remember, optimizing for message overhead was an explicit non-requirement of TLS 1.3. Reverting those design decisions seems like the wrong way to go: One reason to use TLS would be to reuse an existing implementation. But existing TLS implementation would most likely not compare favorably in terms of code size and RAM. Adding code for compression or re-encoding of the messages would add to that. Re-specifying the protocol with the new encoding may require a new formal verification. To make a more compact code and processing may involve two incompatible message formats of TLS depending on what is being signed. New implementations would be needed.
> 
>  
> 
> We think we have done our part of the comparison exercise and that the burden of proof should now be reversed. Could we ask those that claim to have a more performant key exchange protocol for OSCORE and are prepared to do the work to make that plausible and provide the numbers? To be clear: if there is another key exchange protocol suitable for OSCORE which outperforms EDHOC in constrained characteristics and then we are very interested.
>  
> I agree with Goran that they have jumped through enough hoops at this point.  However, if alternatives come forward, understanding their timelines is also critical as not to hold up this work for any substantial amount of time. 
>  
>  
> And again, with the statements in this mail we neither want to belittle the considerable effort made on formal verification, nor claim that DTLS is not fit for IoT deployments. It is an important hammer in our IoT security toolbox, but at the moment we don’t need a hammer.
>  
> The class of IoT device seems to be the critical point here and having one protocol that can meet all needs is a nice goal, but not realistic from the comparison numbers provided and the varying requirements in the IoT space.
>  
> Best regards,
> Kathleen
>  
>  
>  
> 
> Göran
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
>  
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
> 
>  
> --
>  
> Best regards,
> Kathleen
> 
>  
> --
>  
> Best regards,
> Kathleen