Re: [Cfrg] Identity-based Crypto & Devices

KATO Akihiro <kato.akihiro@po.ntts.co.jp> Tue, 10 November 2015 08:50 UTC

From: KATO Akihiro <kato.akihiro@po.ntts.co.jp>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <56370E32.3040703@gmx.net>
Message-ID: <5641AF9E.1090208@po.ntts.co.jp>
Date: Tue, 10 Nov 2015 17:49:34 +0900
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/LZCcIVmrYOoRL5LyulRyVBDbWco>

Hi Hannes,

Thank you for your questions.
I'm going to answer your questions in-line.

On 2015/11/02 16:18, Hannes Tschofenig wrote:
> Hi Akihiro,
>
> I had a few questions during the meeting in context of your
> presentation,
> https://www.ietf.org/proceedings/94/slides/slides-94-cfrg-0.pdf, about
> identity-based crypto on devices.
>
> I wanted to repeat them on the mailing list:
>
> a) What type of devices do you envision these mechanisms to be used on?
> Related to this is the question about performance. Is there some
> performance data available?

We have implementations of the BN curve and Optimal Ate Pairing.
There is also some open source pairing code:

Tepla : http://www.cipher.risk.tsukuba.ac.jp/tepla/index_e.html
Miracl: https://github.com/CertiVox/MIRACL

T. Unterluggauer and E. Wenger computed the run time of optimal ate pairing
on an ARM Cortex-M0+, which is a small and energy-efficient microprocessor:
https://eprint.iacr.org/2014/800.pdf
By their result, the optimal ate pairing's runtime on the Cortex-M0+ is 1 sec.

As the next step after pairing, we are now coding open source FSU.
By Unterluggauer and Wenger's result, FSU's runtime is estimated at about 4
sec on the Cortex-M0+.

> b) What is the IPR status? Are you aware of IPRs on the presented scheme?

We have the patent on FSU. And we are discussing the claim of
intellectual property rights for the protocol at the IETF. We offer the claim
of intellectual property rights to ISO under RAND terms.

> c) What are the main benefits compared to a classical PKI-based approach
> where certificates are provisioned to devices during the manufacturing
> process?

It's high security! FSU has provable security for keeping the session
key secret against the following incidents:

1. The KGC, as trusted 3rd party, is hijacked by a malicious attacker and the
attacker gets the KGC's secret key. FSU has master key forward security.

2. The random number generator is weak, like the case of BSAFE.

With ephemeral random number leakage in other key exchange protocols, an
attacker is able to get the session key.

> e) What key management do you see with the devices? Slide #2
> says "A management of credentials will be one of problem." but it does
> not say what you believe the problem is. Asked differently, what problem
> do you think needs to be solved that has not been solved by other
> mechanisms previously?
>
> It seems from the slide deck that you are claiming that the server
> storage overhead for device credentials is less with identity-based
> crypto than with a PKI-based approach. Could you be a bit more precise
> about the number of bits that you optimize?

The problem on slide #2 is that it is hard to keep up huge password
management, because the number of passwords for N devices increases in
proportion to N.

As you pointed out, we can resolve the password management problem with a
PKI-based approach.
But in the PKI-based case there are the following troubles:
1. "Who generates the secret and public key pair of the IoT device?"
2. "What is the process that issues a certificate for authenticating the ID of
the IoT device?"

The ID-based approach resolves this by the following use case:
The KGC generates secret keys for ID "#FACTORY-0001" to ID "#FACTORY-9999" and
sends them to the factory. Then the factory installs the key pair into each device.

The ID-based approach can simplify the key derivation operation.

> f) What are the disadvantages of the identity-based approach compared to
> a pre-shared secret and the PKI-based approach? (Typically, there is a
> tradeoff and you only presented the advantages.)

The calculation cost and memory usage will be bigger than in the PKI-based case,
because FSU uses pairing.

> g) Could you tell us a bit about the background of your work? Are you
> provisioning devices using the presented effort, you want to publish
> research effort, or something else?

Our background is a "research background".
We invented the most secure ID-based authenticated key exchange protocol, FSU.
FSU is a good primitive tool for a secure IoT world with simple key
generation, password-less cryptography, or a weak RNG.
So we hope that you use FSU in the Internet world.

Please refer:

ISO/IEC 11770-3:2014, Information technology -- Security techniques -- Key
management -- Part 3: Mechanisms using asymmetric techniques.

Atsushi Fujioka, Fumitaka Hoshino, Tetsutaro Kobayashi, Koutarou Suzuki,
Berkant Ustaoglu, Kazuki Yoneyama: id-eCK Secure ID-Based Authenticated
Key Exchange on Symmetric and Asymmetric Pairing. IEICE Transactions
96-A(6): 1139-1155 (2013).

Regards.

> Ciao
> Hannes
>