IETF Logo Mail Archive

Re: [Lake] Forward Security with PSK-Only LAKE

John Mattsson <john.mattsson@ericsson.com> Wed, 22 January 2020 10:15 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17FEA120071 for <lake@ietfa.amsl.com>; Wed, 22 Jan 2020 02:15:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afIBPIBgXBeZ for <lake@ietfa.amsl.com>; Wed, 22 Jan 2020 02:15:50 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on20628.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1a::628]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62E2E120043 for <lake@ietf.org>; Wed, 22 Jan 2020 02:15:50 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aD6SojhYHsoWojyCfxfRysOyPBRD/A12H+2U3O8FhzniuDiolON9fXXKMN/r1fSfQZABMRh8dZRYwP7U4i6WMwQWITji5gIZVDx7Z4OK5TtwniBRM7UKOEM4VrvpH5CTGA7Rabk9aAaYIiz5YSKBSxv4nl5jM/1GW0PgqJxKNlF+Mql84R9/bbvpv0IW7C6if2QMeEL3deISU9fc3xVShqegLZ9WBt1e5ulX8xDj/rrdd7D0tVMyEqW4EWWm7WCbFlJv1yfudZMXKVR/OQrTyF5DWTmounhLFJyEbmRoSizclGVzYzCuF0RIMkySMKHm+A8hDUbeDUor+KqW+PAgYw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DeJqRj1vaDZU0Wjnw7DI6Boz9UZRtbFuVz75YwX4+Oo=; b=OwZytNOxubsLsAr+uOUupSg5hzUAtIdH3kpTLgNpsw3mdcI9q2VN2EUazC3KknE839pwVSo6KsHrFkS0f37zsGSXuEqMFASi2LBdOdAyfzyyp63DrJiR6+HdbYdp3bjGpcB330TKBwC0ioNZ5hNGCDuK3BjljU2FuvMHEUXqwpuTuvkGMIHfmjJVUlqbC19h8YZ8Zu+z01+AfOtZQX+9XvZkRlxDEU8QJujD6jylVw46NF3F3AZtzHEsLAYvv8fEUALffiUiRSxLk+ZB+TzFqwbICyBmifBclJjTukhozjM7DWuP9w8M+WSDSlDPjAxtJCAZOqiyH+hDl/2FL53YLg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DeJqRj1vaDZU0Wjnw7DI6Boz9UZRtbFuVz75YwX4+Oo=; b=c9XnTw1NWWs/MRrOYajD05IDg7q7BnaQqEk9JBVWCoFB+cFx8Pz9pt+ONFb88Apry6922VL+qthKUBPMbfbQ2iwiiGZ5SCwaoFRAjat7s4b4Lad1ag/VwNWfiD6AYBsXr1jUFYPOnavGePIQvNqu3fVBmEcp7039h/TfkyhGJ8Y=
Received: from AM6PR07MB4134.eurprd07.prod.outlook.com (52.134.114.155) by AM6PR07MB5541.eurprd07.prod.outlook.com (20.178.90.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2686.11; Wed, 22 Jan 2020 10:15:44 +0000
Received: from AM6PR07MB4134.eurprd07.prod.outlook.com ([fe80::bced:a49c:5050:9358]) by AM6PR07MB4134.eurprd07.prod.outlook.com ([fe80::bced:a49c:5050:9358%5]) with mapi id 15.20.2665.017; Wed, 22 Jan 2020 10:15:44 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>, Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
CC: Eric Rescorla <ekr@rtfm.com>, "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [Lake] Forward Security with PSK-Only LAKE
Thread-Index: AQHVzSFYbPMUv3vbX0yBDCP44RVSBKfur+qAgADkswCAAGp9AIAAQRAAgAAIlgCAAAFhAIAAIC0AgAYmAgA=
Date: Wed, 22 Jan 2020 10:15:44 +0000
Message-ID: <E21A4A4A-9B45-4CAA-8586-7A07E9C9A769@ericsson.com>
References: <CABcZeBNpDpMGLYCftSXFd+NNG-92VXNPtUjpTMZqkTKjm3Vvuw@mail.gmail.com> <E6714F08-9612-4672-BDB6-AC996A3C1EDC@inria.fr> <4829DF8E-8D73-4C9C-937F-D09F7B81C994@inria.fr> <FE5942D6-D0AD-44A5-998A-C3B2E54B3E7C@inria.fr> <FA678251-0DE3-4016-8FCF-8EE6D3F0C2E2@inria.fr> <94A9B2D4-5C0F-403C-BCFE-937B716D3388@inria.fr>
In-Reply-To: <94A9B2D4-5C0F-403C-BCFE-937B716D3388@inria.fr>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.21.0.200113
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [192.176.1.85]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b460f437-e551-4d39-7d76-08d79f240aeb
x-ms-traffictypediagnostic: AM6PR07MB5541:
x-microsoft-antispam-prvs: <AM6PR07MB554174D9EBA4CD383262F212890C0@AM6PR07MB5541.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 029097202E
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(396003)(346002)(376002)(366004)(136003)(199004)(189003)(6486002)(6512007)(2906002)(36756003)(2616005)(53546011)(6506007)(26005)(186003)(15650500001)(86362001)(44832011)(66446008)(966005)(66946007)(64756008)(66476007)(91956017)(33656002)(76116006)(66556008)(54906003)(110136005)(71200400001)(5660300002)(478600001)(316002)(4326008)(8936002)(8676002)(81156014)(81166006)(21314003); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR07MB5541; H:AM6PR07MB4134.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0CmRMe0KD/DBeROJJwhJX3wHbQm6HdIbxIM3h0Tj39Mz0djvoK8OG8ZPT88hJ/94RZaAcW0qdv+rzBojFFqaZpA5YC22l5On+r1T4y/pFfr4NpYMS0BF5qCnShQ0zH5CH19V4wts7y8P9vlcBOGJR7welc/PGgF+r+VAMCvggjDAhoEZyNjsPWsVL5Y/Kf8EULAGwkIPrGxTVO2M7aDjdYK93GhV4ArdR+W1J6eH3fuYxhra277rS+vuRdtaHj0yVm1CzHphD3GWAwL8LPiy70gv+2mHuR3JmVTXmv+91nnQ19aXHUpP8mcV3bCESRMjiJiU6q5lZmPLQh9imkiWhiABNQMio1M4hdW52NDlbrly4THKhJKHBS4ZQSWPSXPFyE6TR9CyB9yC9hLvyfjim8OCGv5fQ7BGCqXHTAqY4F99BUZzAlw6TLDnhbhEm4sALQ04g+UM8wCVfz5r87oE/tbJxRUV+J3Ok17kLVzS+vkiLsASWIJ2qisrayZwjPmNaBr7cLlRwOsKqP1G5wWLsL8FtKYbKjllyxMnbCKXZvCnU5P7WyNXG8NoEj60Om4P
x-ms-exchange-antispam-messagedata: r9gGe+/l6L6gst7FKaK58j7w6Plb6KslDhAiuNJcc1qiV7ghnhYnNGTF2TRdzLUI6HzOpEfqCbonhGCIH7xPDAwCX5cIIT/xt165f6IgN644oO/C/TlM8bA5q0QizUzAdq7S4TrhV7G6o78nf8H1sw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <C5FD91A3F6082B41BCB431E8EE8F0166@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b460f437-e551-4d39-7d76-08d79f240aeb
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jan 2020 10:15:44.6259 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ILy+RFjlVT2UItmu3/6bBIwKSG5Ua79CJLrAdfYMump0uYkoa89GBs5Mi1qE/zUxsBxHxd/NGi2rgEHEw/0sjqQWZA0t9yw6VbyTd0cpwm0=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB5541
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/5DAmN2c7cOXCUej-4XRHxa18MIQ>
Subject: Re: [Lake] Forward Security with PSK-Only LAKE
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 10:15:53 -0000

Hi Karthik,

This is a very good discussion to have. Agree that a lightweight FS mode without ECDHE is a good thing to have if it is significantly more lightweight than PSK-ECDHE and does not introduce synchronization problems.

Your suggestions for PSK-FS mode got me thinking if the AKE is the right layer to do this lightweight FS. Could it not be done more efficient on the OSCORE layer? E.g.

A                                              B
                    XXX-ECDHE
<---------------------------------------------->

A and B derive OSCORE session key K_eA1 and K_eB1 for OSCORE

A use K_eA1 for sequence number 0-(n-1)

A -> B: AEAD(K_eA1, msg_0,…)
A -> B: AEAD(K_eA1, msg_1,…)

A use K_eA2 = H(k_eA1) for sequence number n-(2n-1) and erases k_eA1 from memory

A -> B: AEAD(K_eA2, msg_n,…)
A -> B: AEAD(K_eA2, msg_n+1,…)

A use K_eA3 = H(k_eA2) for sequence number 2n-(3n-1) and erases k_eA2 from memory

A -> B: AEAD(K_eA3, msg_2n,…)
A -> B: AEAD(K_eA3, msg_2n+1,…)

etc....

Note that OSCORE already have a stateless PSK-FS mode defined in Appendix B.

>In practice, we may want devices to e.g.  bootstrap a PSK using SIG-ECDHE and then use
>PSK-FS for some period of time. After some period of time, we may want to throw away the
>PSK and do another SIG-ECDHE from scratch.

We may want to do that. We may also want to bootstrap a PSK using SIG-ECDHE and then use PSK-ECDHE for some period of time. These have different security properties. To discuss these topics further, I think we should discuss reasonable assumptions of what an attacker has access to in a constrained IoT environment and what kind of practical attacks we want to protect against.
- When an attacker gains physical access to a constrained IoT device, can he/she extract all the information or is long-term keys more protected than session keys?
- Does the attacker have access to all the traffic information? Many contrained IoT environments will be local.
- Is the attacker passive or active?

Cheers,
John

-----Original Message-----
From: Lake <lake-bounces@ietf.org> on behalf of Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
Date: Saturday, 18 January 2020 at 14:22
To: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
Cc: Eric Rescorla <ekr@rtfm.com>, "lake@ietf.org" <lake@ietf.org>
Subject: Re: [Lake] Forward Security with PSK-Only LAKE

    Yes, I take the point that we should be careful about security guarantees.
    
    Further expanding on Ekr’s comment, one can see that there is room for various AKE modes with different levels of guarantees.
    So far, we have mainly been thinking about PSK-ECDHE and SIG-ECDHE modes, since forward security was a core property.
    I think  we should also consider a PSK-FS mode that achieves forward security via key derivation.
    
    In practice, we may want devices to e.g.  bootstrap a PSK using SIG-ECDHE and then use PSK-FS for some period of time.
    After some period of time, we may want to throw away the PSK and do another SIG-ECDHE from scratch.
    
    -Karthik
    
    > On 18 Jan 2020, at 12:26, Benjamin Beurdouche <benjamin.beurdouche@inria.fr> wrote:
    > 
    > 
    >> So, if you tell me that LAKE will provide a mechanism <insert name> (e.g.FS) that enables us to recover secrecy from a
    >> passive compromise while most of the time using the PSK rotation for FS, I am willing to say it is ok.
    >> Otherwise, if there is no hope to introduce freshness via <insert mechanism> (e.g.FS) and that a compromised session will always
    >> remain compromised, I’ll maintain that we cannot claim this to be a secure AKE for protocols we’ll build on top…
    > 
    > 
    > (e.g. FS) -> (e.g. DH) obviously...
    > 
    
    -- 
    Lake mailing list
    Lake@ietf.org
    https://www.ietf.org/mailman/listinfo/lake

v2.23.0 | Report a Bug | By Email