IETF Logo Mail Archive

[Cfrg] Crypto-panel review of draft-selander-ace-cose-ecdhe-12

Russ Housley <housley@vigilsec.com> Tue, 26 February 2019 22:59 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3471130EAB for <cfrg@ietfa.amsl.com>; Tue, 26 Feb 2019 14:59:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SEcZCN9LSQRd for <cfrg@ietfa.amsl.com>; Tue, 26 Feb 2019 14:59:24 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F14E1279E6 for <cfrg@irtf.org>; Tue, 26 Feb 2019 14:59:24 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 7A66A3004E7 for <cfrg@irtf.org>; Tue, 26 Feb 2019 17:41:06 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id s2hOM904f2nI for <cfrg@irtf.org>; Tue, 26 Feb 2019 17:41:04 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id BC848300474 for <cfrg@irtf.org>; Tue, 26 Feb 2019 17:41:04 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 26 Feb 2019 17:59:21 -0500
References: <5e587cf8-2275-b682-e390-e83529a8d0d8@isode.com>
To: IRTF CFRG <cfrg@irtf.org>
In-Reply-To: <5e587cf8-2275-b682-e390-e83529a8d0d8@isode.com>
Message-Id: <57C131DC-1DDD-4F23-A9E8-FA822874465D@vigilsec.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6WN2C2RYGTIAInE2jIUco6L9pO8>
Subject: [Cfrg] Crypto-panel review of draft-selander-ace-cose-ecdhe-12
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 22:59:27 -0000

Document: draft-selander-ace-cose-ecdhe-12
Reviewer: Russ Housley
Review Date: 2019-02-26


The CFRG Chairs asked the Crypto Panel to review this document.
I am providing one review.  There may be others.


Summary:

The protocol seems to be as advertised, but the security considerations
need to be expanded as described below.  In addition, I raise a concern
about the connection identifiers, but I do not think that is hard to
address.

I did not look at the formal analysis in [1].  It is behind a paywall.

I did not review the appendices.

[1] https://link.springer.com/content/pdf/10.1007%2F978-3-030-04762-7_2.pdf



Major Concerns:

I do not think the protocol provides mutual authentication when more
than one party knows the signature private key.  This applies to both
the raw public keys (RPK) and public key certificates.  I expected to
see the protection requirements for the private key in Section 4.  I
also expected the consequences for disclosure of the private key be
discussed in Section 9.

I do not think the protocol provides mutual authentication when
symmetric keys are used for authentication unless the PSK is only known
to the two parties involved in the protocol.  I expected to see the need
for a pairwise PSK to be highlighted in Section 5.  I also expected the
consequences for using a group PSK to be discussed in Section 9.

Section 4.3.1 says:

   C_U : bstr / nil,

And then, Sections 4.3.3 says:

   Retrieve the protocol state using the connection identifier C_U

It seems odd to have the complexity of two options here.  I think it
would be better to always send C_U or never send it.  Section 4.3.3
needs to say how to process Message 2 if C_U is omitted.  Given the
flexibility claimed in the Introduction, I am assuming that a
connection-oriented transport is not required.  If this protocol is
on top of a connectionless transport, I think C_U is required.

Section 4.4.1 says:

   C_V : bstr / nil,
   
And then, Sections 4.4.3 says:

   Retrieve the protocol state using the connection identifier C_V

I have the same comments as above regarding C_U.


Minor Concerns:

Section 2 includes Figure 1.  Next, it explains the elements used in the
figure, which includes AEAD.  Next, it lists the things that need to be
added to get a "full-fledged" protocol, which again includes AEAD.  AEAD
should be removed from the second list.

Section 3.2 says "... but only a subset of the parameters is included in
the EDHOC messages."  Please list the subset or provide a pointer to the
place where that can be found.

Section 3.3 says:

   For message_i the key, called K_i, SHALL be derived using other =
   aad_i, where i = 2 or 3.

Since there are only two cases, it would be clearer to say:

   For message_2 and message_3, the keys SHALL be derived using other
   set to aad_2 and aad_3, respectively.

In addition, it would help the reader to provide a forward pointer to
the sections define the aad_2 and aad_3 structures.

The paragraph that follows talks about the IV_i.  Again, I think this
simpler language would help the reader.

Section 4.1, please avoid "for x = U or V" the first time it is used.
I suggest: "where ID_CRED_U and ID_CRED_V are encoded in a COSE map."

Section 4.3.1 says:

   C_U : bstr / nil,

And then, Sections 4.3.3 says:

   Retrieve the protocol state using the connection identifier C_U

It seems odd to have the complexity of two options here.  I think it
would be better to always send C_U or never send it.  Section 4.3.3
needs to say how to process message_2 if C_U is omitted.  Given the
flexibility claimed in the Introduction, I am assuming that a
connection-oriented protocol is not required.


Nits:

The point that EDHOC makes use of CBOR, CoAP, and COSE is repeated too
many times.

Both "perfect forward secrecy" and "perfect-forward secrecy" are used.
Please pick one and use it everywhere.  I prefer the first spelling.

Section 1: it seems better to end the first sentence as, "... or where
the protection needs to work over a variety of underlying protocols."

Section 1.1: s/systems often deals with/systems often deal with/

Section 1.2: s/(CDDL) to express CBOR/(CDDL) is used to express CBOR/

Section 7.1: s/It is recommended is to/It is recommended to/

Section 9.2: s/provide aliveness/provide liveness/


Prediction:

The mandatory-to-implement algorithm will probably get debated if this
document is adopted into a working group.

v2.23.0 | Report a Bug | By Email