IETF Logo Mail Archive

Re: [COSE] Multicast Use Case

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 05 September 2015 12:04 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA9521B53E4 for <cose@ietfa.amsl.com>; Sat, 5 Sep 2015 05:04:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eBUp15cWcGRZ for <cose@ietfa.amsl.com>; Sat, 5 Sep 2015 05:04:24 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51A641B53E5 for <cose@ietf.org>; Sat, 5 Sep 2015 05:04:24 -0700 (PDT)
Received: from [192.168.10.167] ([203.118.14.76]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MQvDO-1Z66g93anO-00ULHW; Sat, 05 Sep 2015 14:04:20 +0200
To: Jim Schaad <ietf@augustcellars.com>, cose@ietf.org
References: <55E400AC.7090507@gmx.net> <064c01d0e428$047d2700$0d777500$@augustcellars.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
X-Enigmail-Draft-Status: N1110
Message-ID: <55EADA3F.9010807@gmx.net>
Date: Sat, 05 Sep 2015 14:04:15 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <064c01d0e428$047d2700$0d777500$@augustcellars.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="vMwsMGMuoLcW8C1EFH4S1lvFmUlh3NSFL"
X-Provags-ID: V03:K0:au5gS+UczYcZYBo0wsLTpeE7ULqq9gUiKBIGbOsihSegWIQZtcQ NLO7NVm5baZdd/Gr7z+2VsqwjXH0sAaLT6mVu3XS4tDW2L1KLHEgOlSPPFiXhyZSlYFG02a irR7XH43RHPf5BSQaBXQnw0efCcoUTri5wxIOiiiPIyvb/s5p3U350qEcq26Fkx9khrJE6S ioaihGrT6V2NNwOx+Xmrw==
X-UI-Out-Filterresults: notjunk:1;V01:K0:uTq+0bGFBbs=:CtJSP1Jdvi8OzPkmd2iQei zydK3bUefsFQuJb4NGIZ8ZbA0+y3YgE2e7k5TbO8Y7upjiJgoQoXRYBfC9QgdbbbSRU9J+fmg ltIeU0+/qOMC3xqHesXdEx1n+35/G/ssrxDm/Pgv0dZuhQqoSVB/6BSNKGEl+FVJ+bzfAH8JE HxPku/oJOM7/H7Vq+e5dLxxBeCsYI1V3qo/2TL+g5im/QXScwkMlcsGDha6Co2rcgEVJbePAQ VkflF33rEM1NCUCp2tmGo1IFSj34UYYDzWP5nylbMLaVkP81dENdjvy/LkJVoHnPSwgK3H3+K hWSAnX2Kelsv6geq9uXOCjEsGvKDpNTixVgQ+6UhFQLrub6yW3i7iDQS/hu12s0kamp7kIBJb DqN7TCmOz9SVoumpwkwXPIqXPyMJ6XiSEHlXlBVdETl0HLsmHGw0OD9nBWP3OeZjvHM3CzrGY UB0NufSCG+lNHJkSw/ftLP3KgpdPxGOnJiLBqWLGMdBKqvdn5EldUJuTvOcY0YwWRm5Xzt5i2 6owoQYVorfhgA0NLuHwulh3jR/yw2WadbnAQPv9CHoLFqZaP0zfjaNKLD7CfBBQZlC4AhCT3X WYWPxKcUKA/oPVvtM6qp+jrMRszAB5P3rXEx3DuuNBYbxIdh/dDmMtuXiNIL7YiXgHVMHpoPG 5KdkeQADRdKpSVEBW5TBJqjmMHdR58B6xnoGdVJlplqPUidp2tjoNfzw7Iau2L9+T5LQ2as8h JwGpzFfqhszQtzCrI+CN1dIkv4iafLZOXgPXlw==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/dfHducZyGV4qqRNTk6xSScXvA7U>
Subject: Re: [COSE] Multicast Use Case
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Sep 2015 12:04:26 -0000

Hi Jim,

thanks for looking this topic.

The correct figure to look at is in
http://tools.ietf.org/html/draft-keoh-dice-multicast-security-08

         +---------+---------+--------+--------+-----------+--------+
         | 1 Byte  | 2 Byte  | 2 Byte | 1 Byte | 5 Byte    | 2 Byte |
         +---------+---------+--------+--------+-----------+--------+
         | Content | Version | Epoch  | Sender | trunc_seq_| Length |
         |   Type  | Ma | Mi |        |   ID   | number    |        |
         +---------+---------+--------+--------+-----------+--------+


              Figure 4: The adapted DTLS record layer header

Whether 'DTLS multicast' is a good name for this solution is something I
don't want to comment on but what it aims to do is to offer security via
a modified version of the DTLS record layer. The handshaking protocol is
not used for the establishment of the necessary keying material but we
envision something like the stuff developed in ACE could be a candidate.

Based on the feedback we had gotten in the past we are now looking at
replicating the same functionality at the application layer and the work
here in COSE seems like a useful candidate.

Of course, we want to copy the features while keeping the complexity /
overhead as low as possible.

Thanks for the updated example.

Ciao
Hannes

On 08/31/2015 10:02 PM, Jim Schaad wrote:
> Hannes,
> 
> I think that characterizing draft-kumar-dice-multicast-security as
> some type of DTLS may be a huge misnomer.  On first read it is not
> matching a great deal of what I think of as being TLS/DTLS.   For
> example, all of the record layering that is present in DTLS does not
> appear to be here, and I would assume that none of the starting
> handshaking is going to be present here.
> 
> Looking at the figure 2 in that document appears to have an overhead
> of 13 bytes, but I am not seeing the sender ID that you are talking
> about so I am unsure that your analysis of the sizes is going to be
> correct for this.  It is definitely not true if the multiple layering
> of TLS is going to be used.
> 
> I am having a hard time with the example you gave, I put it into
> cbor.me (after removing comments) and it generated a syntax error.
> After generating it on my own, I came up with:
> 
> [ 2,  // encrypted message h'a2010a0547089f52fa000000', //  Protected
> headers //  {1: 10, - algorithm AES-CCM-16-64-128 //   5:
> h'089f52fa000000' - nonce of 7 bytes} {     },  // Unprotected
> headers (none) 
> h'7b9dcfa42c4e1d3182c402dc18ef8b5637de4fb62cf1dd156ea6e6e0', //
> encrypted message + authentication tag [ [ h'',  // Protected header
> - none { //  Unprotected headers 1: -6,  // Algorithm direct 4: h'01'
> // sender ID }, h'' // No cipher text ] ] ]
> 
> Which maps to 56 bytes with a 28 byte message, using my best guess
> from what you are saying you get a 42 byte message with you "DTLS"
> message.  The current difference in overhead thus being 14 bytes
> rather than the 19 bytes you have below.   I expect that this
> difference will decrease as time goes by.  We have a proposals on the
> table which would reduce the size of the COSE message for handling of
> single recipient messages, but it is not clear which, if any, are
> going to be incorporated into the document.  Part of this is a
> question of what the implementation sizes are going to be.
> 
> Although the kumar document says that there should be significant
> code reuse between it and DTLS, I am not sure that I would agree with
> this.  It seems to be that it is just reusing small portions but it
> would be a significant re-write and would need to  have a
> corresponding complete security review.
> 
> Jim
> 
> 
> 
>> -----Original Message----- From: COSE
>> [mailto:cose-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent:
>> Monday, August 31, 2015 12:22 AM To: cose@ietf.org Subject: [COSE]
>> Multicast Use Case
>> 
>> Hi Jim, Brian, all,
>> 
>> I am trying to compare the work on multicast security done by
>> Sandeed & co against an application layer solution using
>> CBOR/COSE.
>> 
>> The DTLS multicast includes the following relevant components: -
>> Epoch: 2 Byte - Sender ID: 1 Byte - Sequence Number: 5 Byte
>> 
>> The combination of epoch, sender id and sequence number are used as
>> a nonce for the cipher and the use of the sender id ensures that no
>> member of the group accidentally selects values that will cause
>> re-use.
>> 
>> The 1 byte sender id is chosen small to reflect the expected size
>> of a group in the professional lighting environment, as explained
>> in the DTLS multicast document.
>> 
>> Ciphersuite related information includes: - Encrypted Content
>> (variable length) - MAC (variable length)
>> 
>> Content Type, Version and Length are DTLS-specific aspects that
>> cannot be removed without re-design of the record layer.
>> 
>> Data based on Figure 4 of 
>> http://tools.ietf.org/html/draft-keoh-dice-multicast-security-08.txt.
>>
>>
>> 
Since there is no sequence number defined in COSE I put the epoch and the
>> sequence number together into the nonce field.
>> 
>> Here is the commented version of the COSE message I came up with:
>> 
>> [ 2, // Encrypted COSE message { 1: 10, // Algorithm -
>> AES-CCM-16-64-128 5: h'89f52fa' // 7-byte nonce }, 
>> h'7b9dcfa42c4e1d3182c402dc18ef8b5637de4fb62cf1dd156ea6e6e0', //
>> encrypted payload. [ [ h'', { 1: -6, // Direct use of CEK 4: h'01'
>> // Key ID - 0x01 }, h'' ] ] ]
>> 
>> According to cbor.me the resulting COSE encoding has 59 bytes
>> whereby 28 bytes are purely used for message encryption.  This
>> means that there is 31 bytes overhead with COSE compared to 12
>> bytes [= 8 for Epoch + Sequence Number + Sender ID, 3 bytes for
>> Content Type and Version fields].
>> 
>> Ciao Hannes
> 
> 
> _______________________________________________ COSE mailing list 
> COSE@ietf.org https://www.ietf.org/mailman/listinfo/cose
>

v2.23.0 | Report a Bug | By Email