IETF Logo Mail Archive

Re: [Lake] Ways forward on MTI cipher suite text

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 24 January 2022 15:07 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 020E73A0D62 for <lake@ietfa.amsl.com>; Mon, 24 Jan 2022 07:07:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mESiyL2ORaJ for <lake@ietfa.amsl.com>; Mon, 24 Jan 2022 07:07:20 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15AE23A0D64 for <lake@ietf.org>; Mon, 24 Jan 2022 07:07:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 5531F38A08; Mon, 24 Jan 2022 10:13:49 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id iYi7wdRkpsQf; Mon, 24 Jan 2022 10:13:48 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 290A438A05; Mon, 24 Jan 2022 10:13:48 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1643037228; bh=oyGb45oWAZ/pRAm8Xxq0lMeGELETHWBBo76GzKfPa1U=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=DB2nFKvkRKmZcNikwCUR0QzsDC9J/zaXcVbE8HjIE/E2PP+XsWINqzyZpprxh2WP7 gNwVfrjHb2rQbgnDljkqyCCxMIdKVgC46vuet7r2QnI188wxRQnqm+al4x+AJbMiKi zCiQvKU3ADWj/XuViFQGCyaVRy/8fGpRgiQUAAXnZbLmnMfOQrlxIGX27ErJ+ADxdO svmyoJiTyjKrVNAEwAXrJbEVQoKLa8m5yZADzgUyXleYTWxUMXVsLDFRd2aNpUICWz PzaNr5PWJhJOezOptmHsmvAaAidjGH66bCHFachskmkB7GKzA+P1XRv9YCPDvERucx fty31PkCGQwqQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id F1951725; Mon, 24 Jan 2022 10:07:06 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: =?utf-8?B?TWFsacWhYSBWdcSNaW5pxIc=?= <malisa.vucinic@inria.fr>
cc: lake@ietf.org
In-Reply-To: <2A2081E4-BAAF-4292-925E-0B683AA6CD23@inria.fr>
References: <2A2081E4-BAAF-4292-925E-0B683AA6CD23@inria.fr>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 24 Jan 2022 10:07:06 -0500
Message-ID: <24192.1643036826@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/3E4-rmLpxYhHY4eR71uw8VSYn1w>
Subject: Re: [Lake] Ways forward on MTI cipher suite text
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jan 2022 15:07:25 -0000

Mališa Vučinić <malisa.vucinic@inria.fr> wrote:
    > crypto primitives. Existing devices can be expected to support either
    > ECDSA or EdDSA.
    > Cipher suites 0
    > (AES-CCM-16-64-128, SHA-256,8, X25519, EdDSA, AES-CCM-16-64-128,SHA-256)
    > and 1
    > (AES-CCM-16-128-128,SHA-256,16,X25519, EdDSA, AES-CCM-16-64-128,SHA-256)
    > only differ in size of
    > the MAC length, so supporting one or both of these is no essential
    > difference.

If it differs only in how many bytes are kept of the MAC length,
which means essentially no code differences, but 8 bytes on the wire,
I'd like to ask if we actually need both, period.

    > Similarly for cipher suites 2
    > (AES-CCM-16-64-128, SHA-256,8,  P-256, ES256, AES-CCM-16-64-128, SHA-256)
    >and 3
    > (AES-CCM-16-128-128,SHA-256,16, P-256, ES256, AES-CCM-16-64-128, SHA-256).

    > To enable as
    > much interoperability as possible, less constrained devices SHOULD
    > implement all four cipher suites 0-3. Constrained endpoints SHOULD
    > implement cipher suites 0 and 1, or cipher suites 2 and
    > 3. Implementations only need to implement the algorithms needed for
    > their supported methods.”

I want to suggest that Constrained endpoints implement:
  (0 xor 1)
  -xor-
  (2 xor 3)

either eat more bytes, or don't.
The device presumably knows what it's Tx power budget needs to be.
Beyond that, it's ECDSA vs EdDSA here, right?

If we wanted a spare suite "in case", then I'd prefer to have Chacha/Poly.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email