[Lake] FW: New Version Notification for draft-selander-ace-cose-ecdhe-14.txt

John Mattsson <john.mattsson@ericsson.com> Thu, 12 September 2019 11:39 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "ace@ietf.org" <ace@ietf.org>, "lake@ietf.org" <lake@ietf.org>
Date: Thu, 12 Sep 2019 11:39:48 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/-k6s_0T3kec11fcXpyF8rTtbuNc>

Hi,

We have submitted a new version 14 of EDHOC. Most of the changes are based on comments from people implementing version 13 of EDHOC.

- The major change in version 14 is the inclusion of test vectors for both RPK and PSK authentication. Since the last submission, there have been two new implementations of EDHOC (-13) as well as a limited script that generates test vectors. The included test vectors have been verified by an independent implementation done by Martin Disch from University of Fribourg.

- With actual test vectors, the appendix with example messages is not needed and has been removed.

- Based on comments from developers, the appendix explaining parts of COSE has been integrated in the body of document.

- Text has been added to the IANA sections for cipher suite and method registries including expert review considerations.

- New security consideration on Party U and Party V sending message_1 in parallel to each other. The new considerations also mitigate so-called reflection attacks when PSK authentication is used.

- EDHOC now uses COSE's HMAC algorithms in cipher suites; this should make it easier for developers to understand and enables use of more algorithms. EDHOC can now e.g. be made compliant with the CNSA suite.

- The error message now includes a connection identifier so that the receiving endpoint can always map the error message to the correct protocol run.

- EDHOC now specifies an exact encoding of the COSE_Keys when they are included in the signatures; this was missing in earlier versions.

- Based on implementation comments, a lot of smaller changes have been made to the text describing encoding, especially regarding byte strings (non-CBOR byte strings vs. encodings of CBOR byte strings where the encoding itself is a byte string). The goal has been to make the specification correct and easier to understand.

Future plans:

- While the EDHOC message encoding is quite optimized, there are some more bytes that could be shaved off based on the known lengths of CoAP payload, plaintext, PSK ciphertext, signature, ephemeral keys, etc. The plan is to analyze how many bytes could be saved and if changes would complicate implementations.

- We think it is worth investigating the use of OPTLS-style authentication in EDHOC, i.e. authentication provided by a MAC computed from an ephemeral-static ECDH shared secret. Instead of signature authentication keys, U and V would have Diffie-Hellman authentication keys G_U and G_V, respectively. This type of authentication key could easily be used with RPK and would provide significant reductions in message sizes as the 64-byte signature would be replaced by an 8-byte MAC. While the OPTLS proposal by Krawczyk et al. was not chosen for TLS 1.3, there are currently two different individual drafts in the TLS working group suggesting use of this type of authentication. Version 14 of the draft already includes an appendix with a high-level description.

Cheers,
John

-----Original Message-----
From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Date: Wednesday, 11 September 2019 at 15:46
To: Göran Selander <goran.selander@ericsson.com>, Göran Selander <goran.selander@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>, Francesca Palombini <francesca.palombini@ericsson.com>
Subject: New Version Notification for draft-selander-ace-cose-ecdhe-14.txt

    
    A new version of I-D, draft-selander-ace-cose-ecdhe-14.txt
    has been successfully submitted by John Mattsson and posted to the
    IETF repository.
    
    Name:		draft-selander-ace-cose-ecdhe
    Revision:	14
    Title:		Ephemeral Diffie-Hellman Over COSE (EDHOC)
    Document date:	2019-09-11
    Group:		Individual Submission
    Pages:		71
    URL:            https://www.ietf.org/internet-drafts/draft-selander-ace-cose-ecdhe-14.txt
    Status:         https://datatracker.ietf.org/doc/draft-selander-ace-cose-ecdhe/
    Htmlized:       https://tools.ietf.org/html/draft-selander-ace-cose-ecdhe-14
    Htmlized:       https://datatracker.ietf.org/doc/html/draft-selander-ace-cose-ecdhe
    Diff:           https://www.ietf.org/rfcdiff?url2=draft-selander-ace-cose-ecdhe-14
    
    Abstract:
       This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a
       very compact, and lightweight authenticated Diffie-Hellman key
       exchange with ephemeral keys.  EDHOC provides mutual authentication,
       perfect forward secrecy, and identity protection.  EDHOC is intended
       for usage in constrained scenarios and a main use case is to
       establish an OSCORE security context.  By reusing COSE for
       cryptography, CBOR for encoding, and CoAP for transport, the
       additional code footprint can be kept very low.
    
                                                                                      
    
    
    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.
    
    The IETF Secretariat