IETF Logo Mail Archive

Re: [COSE] Multicast Use Case

Sandeep Kumar <ietf@sandeep.de> Mon, 31 August 2015 21:28 UTC

Return-Path: <ietf@sandeep.de>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8742F1B63CC for <cose@ietfa.amsl.com>; Mon, 31 Aug 2015 14:28:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.427
X-Spam-Level:
X-Spam-Status: No, score=-0.427 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_42=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZiuzSrzp6a4m for <cose@ietfa.amsl.com>; Mon, 31 Aug 2015 14:28:16 -0700 (PDT)
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A1411B63C7 for <cose@ietf.org>; Mon, 31 Aug 2015 14:28:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1441056492; l=13658; s=domk; d=sandeep.de; h=Content-Type:Cc:To:From:Subject:Date:References:In-Reply-To: MIME-Version; bh=/VzHsgLFLWKsRtDRtMmf0AQYVShsrRvIkHf8Zl9ebbQ=; b=wB4Qo6Xpv8EPCZhRE9VzUU17YCVGo1ygHmVkhMDaDHkDbJUtkDem2e1s3LmCv8DG9T5 WvQYscRpmxgw7tNd5c2M1rzRpd6ifdvBLklmXFzDW6UjoU3EMz6LdVSsKj+lUYk63oQDC 1vNGue3BJrZ4ErgMoyot8npoOnj5WCTAJ4U=
X-RZG-AUTH: :JWkQc2C7evFfytIRBe7p82UYMzBqkr+YiXEkNEKLhUifTGQRFYQZmyOG
X-RZG-CLASS-ID: mo00
Received: from mail-qk0-f169.google.com ([209.85.220.169]) by smtp.strato.de (RZmta 37.11 AUTH) with ESMTPSA id 60166br7VLSARSD (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (curve secp521r1 with 521 ECDH bits, eq. 15360 bits RSA)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verification FAILED - unable to get local issuer certificate)) (Client hostname not verified) for <cose@ietf.org>; Mon, 31 Aug 2015 23:28:10 +0200 (CEST)
Received: by qkdv1 with SMTP id v1so18387975qkd.0 for <cose@ietf.org>; Mon, 31 Aug 2015 14:28:10 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.13.221.137 with SMTP id g131mr24467092ywe.84.1441056490050; Mon, 31 Aug 2015 14:28:10 -0700 (PDT)
Received: by 10.37.110.84 with HTTP; Mon, 31 Aug 2015 14:28:10 -0700 (PDT)
In-Reply-To: <064c01d0e428$047d2700$0d777500$@augustcellars.com>
References: <55E400AC.7090507@gmx.net> <064c01d0e428$047d2700$0d777500$@augustcellars.com>
Date: Mon, 31 Aug 2015 23:28:10 +0200
Message-ID: <CAH51uSc2a4V2eccdVSSYxDN+KL1A0ohnXQheegUXoZxQTsd3kA@mail.gmail.com>
From: Sandeep Kumar <ietf@sandeep.de>
To: Jim Schaad <ietf@augustcellars.com>
Content-Type: multipart/alternative; boundary="94eb2c06e9e430df41051ea21cb9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/cy2TzWlVa-NelCsKLUFdi81VkGc>
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, cose WG <cose@ietf.org>
Subject: Re: [COSE] Multicast Use Case
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2015 21:28:19 -0000

Hi Jim

You seem to be referring to an alternative version of the draft than Hannes
used. The draft Hannes used draft-keoh-dice-multicast-security-08 uses
SenderID to separate the nonce, while draft-kumar-dice-multicast-security
derives new keys per sender (based on a single key and SenderID). the
change was due to a difference is preference in my co-author but should not
change the overhead.

Finally I disagree on your assessment on code reuse, it had been
implemented with minimal changes needed to an existing IoT DTLS library.

regards
Sandeep

On Mon, Aug 31, 2015 at 10:02 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> Hannes,
>
> I think that characterizing draft-kumar-dice-multicast-security as some
> type of DTLS may be a huge misnomer.  On first read it is not matching a
> great deal of what I think of as being TLS/DTLS.   For example, all of the
> record layering that is present in DTLS does not appear to be here, and I
> would assume that none of the starting handshaking is going to be present
> here.
>
> Looking at the figure 2 in that document appears to have an overhead of 13
> bytes, but I am not seeing the sender ID that you are talking about so I am
> unsure that your analysis of the sizes is going to be correct for this.  It
> is definitely not true if the multiple layering of TLS is going to be used.
>
> I am having a hard time with the example you gave, I put it into cbor.me
> (after removing comments) and it generated a syntax error.  After
> generating it on my own, I came up with:
>
> [
>      2,  // encrypted message
>      h'a2010a0547089f52fa000000', //  Protected headers
>         //  {1: 10, - algorithm AES-CCM-16-64-128
>                //   5: h'089f52fa000000' - nonce of 7 bytes}
>      {     },  // Unprotected headers (none)
>      h'7b9dcfa42c4e1d3182c402dc18ef8b5637de4fb62cf1dd156ea6e6e0', //
> encrypted message + authentication tag
>      [
>        [
>          h'',  // Protected header - none
>          { //  Unprotected headers
>            1: -6,  // Algorithm direct
>            4: h'01' // sender ID
>          },
>          h'' // No cipher text
>        ]
>      ]
>    ]
>
> Which maps to 56 bytes with a 28 byte message, using my best guess from
> what you are saying you get a 42 byte message with you "DTLS" message.  The
> current difference in overhead thus being 14 bytes rather than the 19 bytes
> you have below.   I expect that this difference will decrease as time goes
> by.  We have a proposals on the table which would reduce the size of the
> COSE message for handling of single recipient messages, but it is not clear
> which, if any, are going to be incorporated into the document.  Part of
> this is a question of what the implementation sizes are going to be.
>
> Although the kumar document says that there should be significant code
> reuse between it and DTLS, I am not sure that I would agree with this.  It
> seems to be that it is just reusing small portions but it would be a
> significant re-write and would need to  have a corresponding complete
> security review.
>
> Jim
>
>
>
> > -----Original Message-----
> > From: COSE [mailto:cose-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> > Sent: Monday, August 31, 2015 12:22 AM
> > To: cose@ietf.org
> > Subject: [COSE] Multicast Use Case
> >
> > Hi Jim, Brian, all,
> >
> > I am trying to compare the work on multicast security done by Sandeed &
> co
> > against an application layer solution using CBOR/COSE.
> >
> > The DTLS multicast includes the following relevant components:
> > - Epoch: 2 Byte
> > - Sender ID: 1 Byte
> > - Sequence Number: 5 Byte
> >
> > The combination of epoch, sender id and sequence number are used as a
> nonce
> > for the cipher and the use of the sender id ensures that no member of
> the group
> > accidentally selects values that will cause re-use.
> >
> > The 1 byte sender id is chosen small to reflect the expected size of a
> group in the
> > professional lighting environment, as explained in the DTLS multicast
> document.
> >
> > Ciphersuite related information includes:
> > - Encrypted Content (variable length)
> > - MAC (variable length)
> >
> > Content Type, Version and Length are DTLS-specific aspects that cannot be
> > removed without re-design of the record layer.
> >
> > Data based on Figure 4 of
> > http://tools.ietf.org/html/draft-keoh-dice-multicast-security-08.txt.
> >
> > Since there is no sequence number defined in COSE I put the epoch and the
> > sequence number together into the nonce field.
> >
> > Here is the commented version of the COSE message I came up with:
> >
> > [
> >      2, // Encrypted COSE message
> >      {
> >        1: 10, // Algorithm - AES-CCM-16-64-128
> >        5: h'89f52fa' // 7-byte nonce
> >      },
> >      h'7b9dcfa42c4e1d3182c402dc18ef8b5637de4fb62cf1dd156ea6e6e0',
> >       // encrypted payload.
> >      [
> >        [
> >          h'',
> >          {
> >            1: -6, // Direct use of CEK
> >            4: h'01' // Key ID - 0x01
> >          },
> >          h''
> >        ]
> >      ]
> >    ]
> >
> > According to cbor.me the resulting COSE encoding has 59 bytes whereby 28
> > bytes are purely used for message encryption.  This means that there is
> > 31 bytes overhead with COSE compared to 12 bytes [= 8 for Epoch +
> Sequence
> > Number + Sender ID, 3 bytes for Content Type and Version fields].
> >
> > Ciao
> > Hannes
>
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>

v2.23.0 | Report a Bug | By Email