IETF Logo Mail Archive

Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

"Jim Schaad" <ietf@augustcellars.com> Wed, 08 July 2015 17:37 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58C4D1A1BB8 for <cose@ietfa.amsl.com>; Wed, 8 Jul 2015 10:37:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yE3BhT5rCjpT for <cose@ietfa.amsl.com>; Wed, 8 Jul 2015 10:37:17 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 503841A1BD1 for <cose@ietf.org>; Wed, 8 Jul 2015 10:37:17 -0700 (PDT)
Received: from hebrews (174-21-18-91.tukw.qwest.net [174.21.18.91]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id 4551D38F11; Wed, 8 Jul 2015 10:37:16 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Derek Atkins' <derek@ihtfp.com>, 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>
References: <CA+k3eCQUPxZfWM9XcKaTLN-WOx2cHEi9SAGSRFTtv71iSCUqdQ@mail.gmail.com> <559576A9.9090002@gmx.net> <sjm380ya9ay.fsf@securerf.ihtfp.org>
In-Reply-To: <sjm380ya9ay.fsf@securerf.ihtfp.org>
Date: Wed, 08 Jul 2015 10:37:33 -0700
Message-ID: <00b301d0b9a4$c62234d0$52669e70$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQGMo9E7lz5K1VbQVek9kTd0WZ5EKwIS9FwIAZ9xFnKePG4f4A==
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/iCriaJlLa_kS03_-o6LOGqKXV_o>
Cc: cose@ietf.org
Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 17:37:19 -0000

I will freely admit that I do not know what the sizes of constrained devices
are today.  Based on the talks that I have heard on what is a constrained
device, I generally think of a range starting with a Z80 plus some side
hardware for AES and work up from there.  I generally don't think of 286's
as being all of that constrained let alone something that can actually do
64-bit natively.  At that point all one is looking at is power supply
constraints.

Jim


> -----Original Message-----
> From: Derek Atkins [mailto:derek@ihtfp.com]
> Sent: Wednesday, July 08, 2015 9:44 AM
> To: Hannes Tschofenig
> Cc: Brian Campbell; Jim Schaad; Mike Jones; cose@ietf.org
> Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-
> schaad-cose-msg-01)
> 
> Hannes Tschofenig <hannes.tschofenig@gmx.net> writes:
> 
> >> Particularly for constrained devices, it is unlikely that
> >> applications will want to pay the performance penalty of generating
> >> and encrypting a key management key to perform a MAC operation.
> >> Heck, they may not have credible random number generation in the
> >> first place!  And they are likewise unlikely to want to pay the
> >> message size penalty of carrying the encrypted key.
> >
> > It would be good to know what devices you have in mind in this
> discussion.
> >
> > I personally don't think we should target devices that cannot even do
> > key management for symmetric cryptography. I would even argue that we
> > should aim for devices that support a random number generator and are
> > also able to do public key crypto.
> 
> I agree with all of this except for the RNG.  You don't need an RNG for
many
> use cases and can perform good security.  But of course it does depend on
> the use-case.
> 
> > We are not doing ourselves a flavor if we place artificial constraints
> > on our protocols that make them pretty insecure in practice. We
> > already have enough insecure IoT devices in the market.
> 
> Sure.. Many IoT devices don't even try :)
> 
> > Here is the slide deck I presented in the LWIG group at the last IETF
> > meeting; it explains the performance of state-of-the-art crypto on
> > common Cortex M class MCUs.
> 
> I would quickly argue it's not "state-of-the-art" crypto.  It's ECC.
> There are ... better... key agreement algorithms out there for IoT.
> 
> > https://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pdf
> 
> :)
> 
> > Ciao
> > Hannes
> 
> -derek
> --
>        Derek Atkins                 617-623-3745
>        derek@ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant

v2.23.0 | Report a Bug | By Email