[Cfrg] Crypto-panel review of draft-selander-ace-cose-ecdhe-12
Russ Housley <housley@vigilsec.com> Tue, 26 February 2019 22:59 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3471130EAB for <cfrg@ietfa.amsl.com>; Tue, 26 Feb 2019 14:59:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SEcZCN9LSQRd for <cfrg@ietfa.amsl.com>; Tue, 26 Feb 2019 14:59:24 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F14E1279E6 for <cfrg@irtf.org>; Tue, 26 Feb 2019 14:59:24 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 7A66A3004E7 for <cfrg@irtf.org>; Tue, 26 Feb 2019 17:41:06 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id s2hOM904f2nI for <cfrg@irtf.org>; Tue, 26 Feb 2019 17:41:04 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id BC848300474 for <cfrg@irtf.org>; Tue, 26 Feb 2019 17:41:04 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 26 Feb 2019 17:59:21 -0500
References: <5e587cf8-2275-b682-e390-e83529a8d0d8@isode.com>
To: IRTF CFRG <cfrg@irtf.org>
In-Reply-To: <5e587cf8-2275-b682-e390-e83529a8d0d8@isode.com>
Message-Id: <57C131DC-1DDD-4F23-A9E8-FA822874465D@vigilsec.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6WN2C2RYGTIAInE2jIUco6L9pO8>
Subject: [Cfrg] Crypto-panel review of draft-selander-ace-cose-ecdhe-12
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 22:59:27 -0000
Document: draft-selander-ace-cose-ecdhe-12 Reviewer: Russ Housley Review Date: 2019-02-26 The CFRG Chairs asked the Crypto Panel to review this document. I am providing one review. There may be others. Summary: The protocol seems to be as advertised, but the security considerations need to be expanded as described below. In addition, I raise a concern about the connection identifiers, but I do not think that is hard to address. I did not look at the formal analysis in [1]. It is behind a paywall. I did not review the appendices. [1] https://link.springer.com/content/pdf/10.1007%2F978-3-030-04762-7_2.pdf Major Concerns: I do not think the protocol provides mutual authentication when more than one party knows the signature private key. This applies to both the raw public keys (RPK) and public key certificates. I expected to see the protection requirements for the private key in Section 4. I also expected the consequences for disclosure of the private key be discussed in Section 9. I do not think the protocol provides mutual authentication when symmetric keys are used for authentication unless the PSK is only known to the two parties involved in the protocol. I expected to see the need for a pairwise PSK to be highlighted in Section 5. I also expected the consequences for using a group PSK to be discussed in Section 9. Section 4.3.1 says: C_U : bstr / nil, And then, Sections 4.3.3 says: Retrieve the protocol state using the connection identifier C_U It seems odd to have the complexity of two options here. I think it would be better to always send C_U or never send it. Section 4.3.3 needs to say how to process Message 2 if C_U is omitted. Given the flexibility claimed in the Introduction, I am assuming that a connection-oriented transport is not required. If this protocol is on top of a connectionless transport, I think C_U is required. Section 4.4.1 says: C_V : bstr / nil, And then, Sections 4.4.3 says: Retrieve the protocol state using the connection identifier C_V I have the same comments as above regarding C_U. Minor Concerns: Section 2 includes Figure 1. Next, it explains the elements used in the figure, which includes AEAD. Next, it lists the things that need to be added to get a "full-fledged" protocol, which again includes AEAD. AEAD should be removed from the second list. Section 3.2 says "... but only a subset of the parameters is included in the EDHOC messages." Please list the subset or provide a pointer to the place where that can be found. Section 3.3 says: For message_i the key, called K_i, SHALL be derived using other = aad_i, where i = 2 or 3. Since there are only two cases, it would be clearer to say: For message_2 and message_3, the keys SHALL be derived using other set to aad_2 and aad_3, respectively. In addition, it would help the reader to provide a forward pointer to the sections define the aad_2 and aad_3 structures. The paragraph that follows talks about the IV_i. Again, I think this simpler language would help the reader. Section 4.1, please avoid "for x = U or V" the first time it is used. I suggest: "where ID_CRED_U and ID_CRED_V are encoded in a COSE map." Section 4.3.1 says: C_U : bstr / nil, And then, Sections 4.3.3 says: Retrieve the protocol state using the connection identifier C_U It seems odd to have the complexity of two options here. I think it would be better to always send C_U or never send it. Section 4.3.3 needs to say how to process message_2 if C_U is omitted. Given the flexibility claimed in the Introduction, I am assuming that a connection-oriented protocol is not required. Nits: The point that EDHOC makes use of CBOR, CoAP, and COSE is repeated too many times. Both "perfect forward secrecy" and "perfect-forward secrecy" are used. Please pick one and use it everywhere. I prefer the first spelling. Section 1: it seems better to end the first sentence as, "... or where the protection needs to work over a variety of underlying protocols." Section 1.1: s/systems often deals with/systems often deal with/ Section 1.2: s/(CDDL) to express CBOR/(CDDL) is used to express CBOR/ Section 7.1: s/It is recommended is to/It is recommended to/ Section 9.2: s/provide aliveness/provide liveness/ Prediction: The mandatory-to-implement algorithm will probably get debated if this document is adopted into a working group.
- [Cfrg] Crypto-panel review of draft-selander-ace-… Russ Housley
- Re: [Cfrg] Crypto-panel review of draft-selander-… John Mattsson
- Re: [Cfrg] Crypto-panel review of draft-selander-… Russ Housley