Re: [Emu] [Lake] EDHOC rekey
Rafa Marín López <RAFA@UM.ES> Sun, 29 January 2023 12:41 UTC
Return-Path: <RAFA@UM.ES>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAE73C14F720; Sun, 29 Jan 2023 04:41:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.013
X-Spam-Level:
X-Spam-Status: No, score=-6.013 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, PDS_RDNS_DYNAMIC_FP=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q4jK_V0eJEku; Sun, 29 Jan 2023 04:41:33 -0800 (PST)
Received: from mx08-006a4e02.pphosted.com (mx08-006a4e02.pphosted.com [143.55.148.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CF21C14EAA3; Sun, 29 Jan 2023 04:41:31 -0800 (PST)
Received: from pps.filterd (m0316694.ppops.net [127.0.0.1]) by m0316694.ppops.net (8.17.1.19/8.17.1.19) with ESMTP id 30TC19Ab022948; Sun, 29 Jan 2023 13:41:29 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=um.es; h=content-type : mime-version : subject : from : in-reply-to : date : cc : message-id : references : to; s=dkim3; bh=PxsHpxvhBVDsMn3PfJq/Z483k3qjQMGuHTehIp6VoB8=; b=DoutV23tvzvvFsk6fqBImaKG/h2WaDC7ekrxzKeF3ZWUKs0hfpJkV2awdjBb/LiahwU2 gFxw2zw+bgEAKj4Hk4udNpabw/Cwqpl7bb3EKEAiXRZMP71C3T1jMTbKwrORVmherRdk P1XfQo+6UrBoinnKKTmnkiDjL+rDcxuarZeMr9Z4nJKtz0tR5CsgMew1bUuJg+A0hjHC a5lqK+cR+FJlSno0v8FufrnJuZVSI5pmpd4zySzopN10TmaLacXp87oZbPCOiVbRhhIM A7yYiUM2byFhWmuHCxb/TKf2Qd8tMCa6M1c2AGNd6+1qQ+bHvHLu2nLhFuPk7+aJdPJe zw==
Received: from xenon42.um.es (xenon42.um.es [155.54.212.169]) by m0316694.ppops.net (PPS) with ESMTP id 3ndg0da8nm-1; Sun, 29 Jan 2023 13:41:29 +0100
Received: from localhost (localhost [127.0.0.1]) by xenon42.um.es (Postfix) with ESMTP id A8D25203B0; Sun, 29 Jan 2023 13:41:28 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon42.um.es
Received: from xenon42.um.es ([127.0.0.1]) by localhost (xenon42.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id tSGQsPMr3NSl; Sun, 29 Jan 2023 13:41:28 +0100 (CET)
Received: from smtpclient.apple (239.red-88-20-237.staticip.rima-tde.net [88.20.237.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon42.um.es (Postfix) with ESMTPSA id A78231FFA2; Sun, 29 Jan 2023 13:41:27 +0100 (CET)
Content-Type: multipart/alternative; boundary="Apple-Mail=_DF7191AC-7B05-417E-BB7B-6D5E74594A40"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Rafa Marín López <RAFA@UM.ES>
In-Reply-To: <HE1PR0701MB305059976C43A3A6B30FB1A289CE9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Date: Sun, 29 Jan 2023 13:41:26 +0100
Cc: Rafa Marín López <rafa@um.es>, "lake@ietf.org" <lake@ietf.org>, EMU WG <emu@ietf.org>
Message-Id: <3983E5AF-ED26-418A-AF07-72DEC8382DE8@UM.ES>
References: <4C655655-89F2-4274-81BC-BCF8C159136B@um.es> <HE1PR0701MB305059976C43A3A6B30FB1A289CE9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
X-Proofpoint-ORIG-GUID: Bk4cjCMpG13ishFlzq-LQmsCAUXDDiFf
X-Proofpoint-GUID: Bk4cjCMpG13ishFlzq-LQmsCAUXDDiFf
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.122.1 definitions=2023-01-29_09,2023-01-27_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbounddefault_notspam policy=outbounddefault score=0 mlxlogscore=999 spamscore=0 impostorscore=0 malwarescore=0 mlxscore=0 adultscore=0 bulkscore=0 phishscore=0 clxscore=1011 priorityscore=1501 lowpriorityscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2301290124
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/v_7-sTzpEyJR_MFFrifYttlQOzA>
Subject: Re: [Emu] [Lake] EDHOC rekey
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jan 2023 12:41:38 -0000
Hi John: > El 26 ene 2023, a las 0:25, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> escribió: > > Hi Rafa, > > Thanks for bringing up this question. I think this is a very good discussion to have at this point. > > First discussion is probably why resumption is needed. I think there are three things that can be more optimized in a resumption. > > - A) Message sizes in the protocol. > - B) Less asymetric operations in the protocol > - C) External things like fetching credentials from a database, revocation, path validation, Correct. Thanks for the summary. Those are the main reason of providing resumption. > > I think there are four ways to do this > > - 1) EHDHOC is lightweight enough. Just redo full EDHOC. (similar to full handshake in TLS) Yes, we have always this option. > - 2) Use PSK with ECDHE (similar to psk_dhe_ke in TLS) Let me also add here, as a reference, IKEv2. Basically, section 1.3.2 in RFC 7296 shows a 1-RTT exchange including DH exchange and nonces to regenerate the IKE security association. > - 3) Use PSK with exchanged random values (similar to psk_ke in TLS) Curiously, when IKEv2 tries to generate key material for the IPsec security associations (and not for the IKEv2 SA) allows just sending nonces (see section 1.3.3 in RFC 7296), though there is also the possibility to include a DH exchange. I mention this because EDHOC can be used to regenerate OSCORE contexts. > - 4) Derive from PSK without new radnomness (similar to key update in TLS) Yes. > > I don't think 4) is needed. No good in terms of security > 2) or 3) provides nice optimizations. I agree. > 2) provides significantly better security than 3) Indeed > KUDOS in CORE WG alrady provides 3) when EHDOC is used to key OSCORE. We should take into account that OSCORE might no be used in certain uses cases, such as EAP-EDHOC. > > I would suggest going 2) I think that is lightweight enough with a total of around 100 bytes for the three flights, a single asymmetric operation, and no need to fetch external authentication material. Not sure if we need 3 flights but only 2 flights 1-RTT > > 3) would be ok to use for a short while, but then the recommendation would have to be to rerun 1). That is precisely what IKEv2 does. But moreover, IKEv2 allows flexibility between 2) and 3), which is something might be considered also here. > 2) you can rerun for a much longer time. This implies ECDH key generation each time > All things considered 2) might therefore be more lightweight than 3). Not sure about this. It might depend on the number of exchanges with 3) you allow before running 1) VS constantly running 2). This can be controlled with two lifetimes: “reauth" lifetime ( after the expiration you should run 1)) and rekey time where you should run 3) after the expiration. > > PSK authentication suffers from tracking and fingerprinting when the psk identifier is reused. If 2) or 3) is is done there should be a good solution for how to provide client identity protection. Correct. > One option is to derive a new random psk identifier in the full EDHOC as well as in the resumption: > > PSK = EDHOC-KDF( PRK_4e3m, 10, TH_4, psk_length ) > PSK_ID = EDHOC-KDF( PRK_4e3m, 11, TH_4, psk_id_length ) > > The Resonder could alternatively send an encrypted PSK_ID to the Initiator Also possible, yes. Best Regards and thanks for your feedback. > > Cheers, > John > > From: Lake <lake-bounces@ietf.org> on behalf of Rafa Marin-Lopez <rafa@um.es> > Date: Sunday, 22 January 2023 at 19:08 > To: lake@ietf.org <lake@ietf.org>, EMU WG <emu@ietf.org> > Cc: Rafa Marin-Lopez <rafa@um.es> > Subject: [Lake] EDHOC rekey > > Dear LAKE WG, EMU WG members: > > We are in the process of updating EAP-EDHOC I-D, which uses EDHOC inside an EAP authentication. > > https://datatracker.ietf.org/doc/draft-ingles-eap-edhoc/ <https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ingles-eap-edhoc/__;!!D9dNQwwGXtA!QEvNWG8GBAZkd9-alz_icUnIYUrnlVg5c9hdyzvwXRnc61EmxClQ2wipFz7khv254AK9ZwA-UKmhX2tupcWjZpIoJQ$> > > We have been discussing internally about a resumption mechanism. A simple way to define this is doing it in the context of EAP-EDHOC by using Appendix J EDHOC-KeyUpdate. Having said this, I think it would be worth considering an EDHOC rekey exchange (i.e. involving 1 RTT), as something similar as, for example, IKEv2 does. This has the advantage that can be used in contexts different than EAP-EDHOC. > > Thus, it is not clear whether we should design this in the context of EAP-EDHOC or, on the contrary, LAKE WG could discuss this in the future. In my humble opinion, discussing this in LAKE WG could allow defining this EDHOC rekey protocol in such a way that could be used in different uses cases as a generic contribution, not just in EAP-EDHOC. > > I would be willing to discuss (and contribute) if LAKE WG is in favor of considering this in the future. > > Best Regards. > ------------------------------------------------------- > Rafa Marin-Lopez, PhD > Dept. Information and Communications Engineering (DIIC) > Faculty of Computer Science-University of Murcia > 30100 Murcia - Spain > Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es <mailto:rafa@um.es> > ------------------------------------------------------- > > > > > -- > Lake mailing list > Lake@ietf.org <mailto:Lake@ietf.org> > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/lake__;!!D9dNQwwGXtA!QEvNWG8GBAZkd9-alz_icUnIYUrnlVg5c9hdyzvwXRnc61EmxClQ2wipFz7khv254AK9ZwA-UKmhX2tupcXLaq_q4g$ <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/lake__;!!D9dNQwwGXtA!QEvNWG8GBAZkd9-alz_icUnIYUrnlVg5c9hdyzvwXRnc61EmxClQ2wipFz7khv254AK9ZwA-UKmhX2tupcXLaq_q4g$> ------------------------------------------------------ Rafa Marin-Lopez, PhD Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia - Spain Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es -------------------------------------------------------
- [Emu] EDHOC rekey Rafa Marin-Lopez
- Re: [Emu] [Lake] EDHOC rekey John Mattsson
- Re: [Emu] [Lake] EDHOC rekey Rafa Marín López
- Re: [Emu] [Lake] EDHOC rekey Tero Kivinen
- Re: [Emu] [Lake] EDHOC rekey John Mattsson
- Re: [Emu] [Lake] EDHOC rekey Tero Kivinen
- Re: [Emu] [Lake] EDHOC rekey Rafa Marin-Lopez
- Re: [Emu] [Lake] EDHOC rekey John Mattsson
- Re: [Emu] [Lake] EDHOC rekey Rafa Marín López