Re: [COSE] Multicast Use Case
"Jim Schaad" <ietf@augustcellars.com> Mon, 31 August 2015 20:05 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 232F71B5D8E for <cose@ietfa.amsl.com>; Mon, 31 Aug 2015 13:05:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D5X3i60AwtQJ for <cose@ietfa.amsl.com>; Mon, 31 Aug 2015 13:05:02 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 070CB1B5D8F for <cose@ietf.org>; Mon, 31 Aug 2015 13:05:01 -0700 (PDT)
Received: from hebrews (c-24-21-96-37.hsd1.or.comcast.net [24.21.96.37]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 95E012CA22; Mon, 31 Aug 2015 13:05:00 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>, cose@ietf.org
References: <55E400AC.7090507@gmx.net>
In-Reply-To: <55E400AC.7090507@gmx.net>
Date: Mon, 31 Aug 2015 13:02:50 -0700
Message-ID: <064c01d0e428$047d2700$0d777500$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Content-Language: en-us
Thread-Index: AQFOSJy01QpTkZygPNqMOVMY93IQJJ8rpxFg
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/Ul8rWNlpXN4CeZ6Yw0Y7oiUq9eY>
Subject: Re: [COSE] Multicast Use Case
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2015 20:05:05 -0000
Hannes,
I think that characterizing draft-kumar-dice-multicast-security as some type of DTLS may be a huge misnomer. On first read it is not matching a great deal of what I think of as being TLS/DTLS. For example, all of the record layering that is present in DTLS does not appear to be here, and I would assume that none of the starting handshaking is going to be present here.
Looking at the figure 2 in that document appears to have an overhead of 13 bytes, but I am not seeing the sender ID that you are talking about so I am unsure that your analysis of the sizes is going to be correct for this. It is definitely not true if the multiple layering of TLS is going to be used.
I am having a hard time with the example you gave, I put it into cbor.me (after removing comments) and it generated a syntax error. After generating it on my own, I came up with:
[
2, // encrypted message
h'a2010a0547089f52fa000000', // Protected headers
// {1: 10, - algorithm AES-CCM-16-64-128
// 5: h'089f52fa000000' - nonce of 7 bytes}
{ }, // Unprotected headers (none)
h'7b9dcfa42c4e1d3182c402dc18ef8b5637de4fb62cf1dd156ea6e6e0', // encrypted message + authentication tag
[
[
h'', // Protected header - none
{ // Unprotected headers
1: -6, // Algorithm direct
4: h'01' // sender ID
},
h'' // No cipher text
]
]
]
Which maps to 56 bytes with a 28 byte message, using my best guess from what you are saying you get a 42 byte message with you "DTLS" message. The current difference in overhead thus being 14 bytes rather than the 19 bytes you have below. I expect that this difference will decrease as time goes by. We have a proposals on the table which would reduce the size of the COSE message for handling of single recipient messages, but it is not clear which, if any, are going to be incorporated into the document. Part of this is a question of what the implementation sizes are going to be.
Although the kumar document says that there should be significant code reuse between it and DTLS, I am not sure that I would agree with this. It seems to be that it is just reusing small portions but it would be a significant re-write and would need to have a corresponding complete security review.
Jim
> -----Original Message-----
> From: COSE [mailto:cose-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Monday, August 31, 2015 12:22 AM
> To: cose@ietf.org
> Subject: [COSE] Multicast Use Case
>
> Hi Jim, Brian, all,
>
> I am trying to compare the work on multicast security done by Sandeed & co
> against an application layer solution using CBOR/COSE.
>
> The DTLS multicast includes the following relevant components:
> - Epoch: 2 Byte
> - Sender ID: 1 Byte
> - Sequence Number: 5 Byte
>
> The combination of epoch, sender id and sequence number are used as a nonce
> for the cipher and the use of the sender id ensures that no member of the group
> accidentally selects values that will cause re-use.
>
> The 1 byte sender id is chosen small to reflect the expected size of a group in the
> professional lighting environment, as explained in the DTLS multicast document.
>
> Ciphersuite related information includes:
> - Encrypted Content (variable length)
> - MAC (variable length)
>
> Content Type, Version and Length are DTLS-specific aspects that cannot be
> removed without re-design of the record layer.
>
> Data based on Figure 4 of
> http://tools.ietf.org/html/draft-keoh-dice-multicast-security-08.txt.
>
> Since there is no sequence number defined in COSE I put the epoch and the
> sequence number together into the nonce field.
>
> Here is the commented version of the COSE message I came up with:
>
> [
> 2, // Encrypted COSE message
> {
> 1: 10, // Algorithm - AES-CCM-16-64-128
> 5: h'89f52fa' // 7-byte nonce
> },
> h'7b9dcfa42c4e1d3182c402dc18ef8b5637de4fb62cf1dd156ea6e6e0',
> // encrypted payload.
> [
> [
> h'',
> {
> 1: -6, // Direct use of CEK
> 4: h'01' // Key ID - 0x01
> },
> h''
> ]
> ]
> ]
>
> According to cbor.me the resulting COSE encoding has 59 bytes whereby 28
> bytes are purely used for message encryption. This means that there is
> 31 bytes overhead with COSE compared to 12 bytes [= 8 for Epoch + Sequence
> Number + Sender ID, 3 bytes for Content Type and Version fields].
>
> Ciao
> Hannes
- [COSE] Multicast Use Case Hannes Tschofenig
- Re: [COSE] Multicast Use Case Jim Schaad
- Re: [COSE] Multicast Use Case Sandeep Kumar
- Re: [COSE] Multicast Use Case Jim Schaad
- Re: [COSE] Multicast Use Case Kumar, Sandeep
- Re: [COSE] Multicast Use Case Carsten Bormann
- Re: [COSE] Multicast Use Case Stephen Farrell
- Re: [COSE] Multicast Use Case Göran Selander
- Re: [COSE] Multicast Use Case Hannes Tschofenig
- Re: [COSE] Multicast Use Case Hannes Tschofenig
- Re: [COSE] Multicast Use Case Hannes Tschofenig
- Re: [COSE] Multicast Use Case Somaraju Abhinav
- Re: [COSE] Multicast Use Case Jim Schaad