[Lake] Mandatory to implement cipher suite (issue #22)

John Mattsson <john.mattsson@ericsson.com> Thu, 13 May 2021 18:05 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7A7A3A0AB4 for <lake@ietfa.amsl.com>; Thu, 13 May 2021 11:05:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V-Drz9PvOAD3 for <lake@ietfa.amsl.com>; Thu, 13 May 2021 11:05:04 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2068.outbound.protection.outlook.com [40.107.21.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FB123A0AD8 for <lake@ietf.org>; Thu, 13 May 2021 11:05:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=L94ovSC9fIFbsr0vdPiSjRr0hkYpe/376XCHcEixz+osPCwPda7WD/75xYnKypKIbpqf4tpfQ0FJAjSVbFQ7GH8C+yd1Zv7azAeChwnHPJzlvZBM4WpvqFkiIXfSeESp76ZCddVZnAwAl/3aXWm0X+90CsLbP2q1G67NaXDa5j29eL75pHDcsXpQWtZJB1Fu1v+Qvw52zLJcC19jmtUfz+xkitFy46tnIh3bUKZQwt9gtrSwEtw9T/W09iuP4R+L80tQ46cIb3sxomeBMinFera+TDVvi7gyUoupRoIvEvav0qzceCIuAhF0Lu1H83yw4QMIKD6/y0VnJfrc3wNXSA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CG3TgisrlIYryx0BK2LHlaEojMT7juNHJUWjBws9l7o=; b=NTkhkyCKA/i6JhYh3/2r+gIPwt1mXfkrZB0X+/ufwoN/5mwVzVZbR7y0G57NGAahpqbDsZrmaTLOYMOrf+gzmDJ5j1wrllw73ibq+7YZgkSdChH+zRuTGK4t2sqa6SLRu5+rY/J+fq9kxYSHea4tOrG/eYwFH6fo1PpqpjLJc/3turYGOJobSb81ZXNq4oYNvpvGxfxeVh3m+XVEpOK0AhYkmDgd8G+3ZdMZ3htUfPxJCPbJ618nju5wmfkSuX1SCA3/6AuWvjp1CbHueHKC8ioR1fe1rsGzC/PNRUGNFInZCKnS1k48fcdoXx2QJ6yXA+XY+O7QVvXhTbXGos3Hig==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CG3TgisrlIYryx0BK2LHlaEojMT7juNHJUWjBws9l7o=; b=o8WqTWYVipzBN49nnPSbZcFhfPTqUFlFYvF2aBoQdaM9usydVSj8QTyvIbjC/mpcvwg2dLnj4T3Fn6/8CMWNuGf5JntF/8Oo6tcSeDzCrcfTbAr5WcVH+FJTlvSa66o3pH53VZqFnHc2IOUIsdr9PV2CIfbPiTk9jekYq3h7bSM=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by HE1PR07MB3081.eurprd07.prod.outlook.com (2603:10a6:7:32::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4129.23; Thu, 13 May 2021 18:04:55 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::b071:a4a:817d:2d3]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::b071:a4a:817d:2d3%11]) with mapi id 15.20.4129.026; Thu, 13 May 2021 18:04:54 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "lake@ietf.org" <lake@ietf.org>
Thread-Topic: Mandatory to implement cipher suite (issue #22)
Thread-Index: AQHXSCJ5akoKZ9wtE0mNcJL96ozc7Q==
Date: Thu, 13 May 2021 18:04:54 +0000
Message-ID: <0074ABD3-792C-4CAA-8877-32A6CFF3CCF4@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.49.21050901
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7fe40cdf-8dc3-48e3-43ce-08d916399cb3
x-ms-traffictypediagnostic: HE1PR07MB3081:
x-microsoft-antispam-prvs: <HE1PR07MB30813BC55F8E7AF870D6292589519@HE1PR07MB3081.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: LErg2lqXBQJVNOXGT4xdbvZHZ4QSIKe5fCqDmxbTKjZ28EHCRMwZF45Re8nvRgcnsszfDF9u13dKNvJKWtJKiWYX2BSbP0bmvNwXrFNz7WjY8tvfrTvIODtC8yOzG20YF5knXcCxvEKcgtc5WQ18Y+idXBGcWIZFu2IUhkg372CoCkpbtPXw5bGlt3TZcjHxY0e95gvnTHsnOzTttyiATL9DrGUbCF5vZcBP1mNxK+C1z3YWku5bSlgrKL3R3JItsUw0gbGXovxIaw+ymTaQ/fMXEqdYSINXcAzZdoMUimw6/Kh6H1kMXHr1t35SYWOnmq5qkMI4ZmKF0m3RowTjmjeacxeybH87EdEkI4oBQOwe6xqwRff7VfOBZyYMvEHsbrZngwPIz7RMVTmUIOWi7g+XW+oY0MWZyXnpqZQL3jfsHsfGDO2ggKC+tTuvg9N96ThsmqE3V4r9G3m1Ou7AlQVB9hOUsx4OqH9Je6svqAXLWo8mmRAMBkgoRJYMITyTk0Za4LmFX9XEohF/Lnu0p7j3o00Dij9saUy2NAYwcg4SSu7YVbfRfyELfiyM+lrdid35aQscorANkd2f4kTITE6o/3sO/mDiLLtm+5UTT7MEGhatzk2+4XJTO0gkX2NoZ0emwev0u10YcGszBCOk4hjrnnNZNdR1/WQobaWZaik=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(366004)(136003)(346002)(396003)(39860400002)(44832011)(66574015)(2906002)(2616005)(316002)(36756003)(6916009)(6512007)(6506007)(186003)(83380400001)(38100700002)(26005)(86362001)(66556008)(64756008)(66446008)(66476007)(8936002)(8676002)(71200400001)(478600001)(5660300002)(33656002)(76116006)(66946007)(6486002)(122000001)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?UzRnb0hHTjBDbGw3dkRTZmthaEJlcDRNdytIT0xzRmZySFJyT04vcU5VU2tj?= =?utf-8?B?REdtOWE2ZkRaRERvT2RyaGFINjNZRWc3UXBIYlFyb1RlQ09vV3JGa2xXazVo?= =?utf-8?B?R1RZUXFMY2w3VHRpbGZlQ1gwWFd1eGhCVDNDc21iWEoybG56ZTg5aTJUWDNK?= =?utf-8?B?VjhEaWpTSWF1b3JuUWJ6VWpRK3hUS1JSNXJ4N3o4ZTcxcWd0dmlFSlJiODZP?= =?utf-8?B?MnhmcHNlUURObUE3aEFqSXo5Mk5vMVVjSTJNeUY0Z1pNaGQ3NUlRRldsQ2oz?= =?utf-8?B?REg3WmRxT1FJT3dQTDMxbkdsWWErRFRpblRzcDBTVVFmZDYvMEdkTjczdUp5?= =?utf-8?B?Ni9Dd3IxR20wY2xtcDlhTDUrODJra3BSeWlaM2VrS2sxRVVlVFRuYkpUbDJ6?= =?utf-8?B?MlROZ2NkZDZHRHhrRXExWHRGczF1d04zbFdIMXpRVTRtMjFjTE1lMkhCalYz?= =?utf-8?B?NWs1Q0lUdjVNa3ZTdE9EajVMSENFNzM3cG5kc2tSL0dNNlVHbFZmOWZsT2kz?= =?utf-8?B?cG1DaVQ3eUFRS1VKT2lrcGRneU9zNlBJaFFic1VDTkNkdmY4VzIzdDN5OU94?= =?utf-8?B?dXQwZ05KbUdhZnE1LzBpOGdMWVB2V2Nwclg5K1RlTmFySHlCWUk0emw4SVl4?= =?utf-8?B?TlhhQVl2UkxKelZwNWNva2tsay9ONkROa0lRNHNRQ1BYT2t5MnBlTURDRjgy?= =?utf-8?B?RFBMQzMvNFoxUnpwbzBpdnpwS3YxM294RU1tS2hjT3lLeEdqZEpHVllOSzVi?= =?utf-8?B?a2FFVnB6QWM2dkcxeVMwdnc3ZERJK0xQN0k0WUFLMFR0UnE5MkY2cDRVblZK?= =?utf-8?B?ODcxaS9NMWhUMUk4Y2F2MjBBZVRaN0tWbkZhQ3ZtTy80Zlh2NUsvSG9Fb3Ru?= =?utf-8?B?cHNIQ2tPSDNvTVA0QzM1eWMvejl6VEgzSWMwTVlITzkvU2ttbkMvK0k1WUZ3?= =?utf-8?B?NDY5UlNzQ1JnbE1QT2dNSDBpK3VKNU5sZE4raVlacEM0cmwwZDRKdlBYekxp?= =?utf-8?B?RFRMUUo2T3Q3ckJxSFROL1hTTmVFVWozZGZiWDhhb2o5S3MzYk1PTnUxK0Rj?= =?utf-8?B?VUNUbUxUSGd4eTg3UFhBTUJ5YWYySlZKTW9ldGRLOWl5REVkaG15c2Jaa1pY?= =?utf-8?B?Q1FPRkFrRytKOWtJdjk4TEhGQ29yS3dHNG0vblFJOTM1UWJ5NUdPenJ4VjA5?= =?utf-8?B?Z0NkUnNpbHYwQ1ZGVWFCUENsb1llNnY3MXJKd3lFQ1lkYjJkSHVXNm4ydStE?= =?utf-8?B?THJpM2xhZlFJM1BIZHQ5WGVqdzBtVGV5SE9tVkNtZlVJYWFWK2kvV2l1Vjhs?= =?utf-8?B?SjFaeko0Y01LZFNqREhsaW5DaG91NmoybXpOL1RYcTcwRjlrWlAwdnZtcXJD?= =?utf-8?B?Zk1jMU5GV3IvM1dOT0ZHYnlOTU5PclBJeENyRTYxMlRZbHMrVmZnWTZnR0xy?= =?utf-8?B?dFB4OVRDNXBrbFNxSXVOdzdDTkxaSkQwRXVrMnV2QU1FRTVVOTVUMGhiWXBk?= =?utf-8?B?TTA3SHpwa3VOMEZjS09VR2RoaURzUnRtSFVlWHJ3bDVTWFN1LzZQNGRUTUNp?= =?utf-8?B?R2VkbjhCTm1uZzVxdU1NMktGaDBmdU5VNUM1dGhqcEN5WHgwcFBHeEJJcGox?= =?utf-8?B?aWlpK3V5Um5XSVV6ZzFlVmNEbStKV0RBV1JrTjFDanQrcDQ3TkdIRHhNeXhy?= =?utf-8?B?dHZ5NkNEbmlsaTBLblpSWlZwcFZtbmlvUXJlWHpMZlMzWG5FdzJadnlJK3p4?= =?utf-8?B?djdXN3hzWTQydWhqa2VnWk9QNVNjV0lzTkpUN0pxNU55aTRSQklHWVh5UzRQ?= =?utf-8?B?bmVNZ0VUYTNDQTZMbzBwdz09?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <5DE08ECA61196D409AB2E31092D11B0D@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7fe40cdf-8dc3-48e3-43ce-08d916399cb3
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 May 2021 18:04:54.1759 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pAoPKQ9DtzCS0b2g/7/iKG6Udre9YQf2NPRKwEML8TaH19nMgNeu/7y4ufpDvAN015MCSABLvDz2yrkk9o1aZ8Se0zLPAydIU+WLeRGA+aI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3081
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/75nRaD6czYG6RqLT06Qe8C_lsaM>
Subject: [Lake] Mandatory to implement cipher suite (issue #22)
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2021 18:05:17 -0000

Hi,

Mališa asked me to post a summary of this issue (including differences between the algorithms) to the list as there was an objection to the compromise text suggested by Stephen Farrell some meetings ago. 

"For many constrained IoT devices it is problematic to support more than one cipher suite.  Existing devices can be expected to support either ECDSA or EdDSA.  To enable as much interoperability as we can reasonably achieve, less constrained devices SHOULD implement both cipher suite 0 (AES-CCM-16-64-128, SHA-256, X25519, EdDSA, AES-CCM-16-64-128, SHA-256) and cipher suite 2 (AES-CCM-16-64-128, SHA-256, P-256, ES256, AES-CCM-16-64-128, SHA-256). Constrained endpoints SHOULD implement cipher suite 0 or cipher suite 2."

The main discussion regarding this issue has been the signature algorithm, where the two choices are ES256 (ECDSA with SHA-256) and EdDSA. The rest of the parameters affecting the signature are decided by the public key algorithm in the COSE_Key/X.509:

- ES256 would typically be used with secp256r1 (P-256)
- EdDSA would typically be used with Ed25519 which implies SHA-512

The cipher suites combine ES256 with P-256 and SHA-256 for key exchange/derivation and EdDSA with X25519 and SHA-512 for key exchange/derivation. When used in method 3, the signature algorithm is not used. There has not been that much discussion of non-signature cipher suite aspects.

- Performance: EdDSA + Ed25519 is significantly faster than ES256 + secp256r1 in most public benchmarks. Some recently published benchmarks show equal performance on some platforms. Unclear if this is because of more optimized secp256r1 code or if the benchmarks were done on platforms with acceleration of Weierstraß curves, were Ed25519 would have to be transformed to Weierstraß form and back again.

- Trust: Some years ago there was a discussion if secp256r1 could be trusted as it was invented by the NSA. Note that DSA and SHA-2 were also invented by the NSA. This discussion seems to have largely died. I don't see any reason to mistrust any of these algorithms, they have been publicly reviewed by a huge amount of people globally. EdDSA was invented by Schnorr/Bernstein and X25519 was invented by Bernstein, and they were standardized by CFRG.

- Security: Both algorithms should have similar security as long as they are implemented correctly. EdDSA is significantly more resistant against implementation mistakes and side-channel attacks. ECDSA is standardized with both deterministic and random nonces. EdDSA is only standardized with deterministic nonces, but as discussed in CFRG, any choice of nonce generation is compatible with all verifiers and implantation can therefore chose any nonce generation method. Comparing ECDSA with random nonce against EdDSA with deterministic nonce, ECDSA is significantly more resistant against side-channel attacks. If both use deterministic nonces, EdDSA is significantly better.

- Support: ECDSA is the clear winner here as it has been standardized for a long time. EdDSA is however well supported in cryptographic libraries. Some hardware only has acceleration of Weierstraß curves, but as shown in draft-ietf-lwig-curve-representations Ed25519 can be transformed to Weierstraß form and back allowing acceleration on such hardware.

- Features: Ed25519 can easily be used for threshold cryptography while secp256r1 cannot. This has been mentioned as an important feature by companies interested in using EDHOC.

I think both are good choices. My understanding is that industries would like to use ECDSA for older more constrained devices and EdDSA for newer less constrained devices. Note that in many IoT deployments, systems often consist of devices controlled by a single entity. The same company might use ECDSA for one kind of devices and EdDSA for another without them ever having to talk to each other.

There was also discussion about ECDSA with Wei25519. As it is a new algorithm, I don't personally see this as a candidate for MTI. The transforms in draft-ietf-lwig-curve-representations are very important to accelerate Ed25519 and X25519 but I don't see ECDSA with Wei25519 taking much market share from ECDSA with secp256r1 or EdDSA with Ed25519.

Note that this discussion has taken a huge amount of time both before LAKE (in ACE) and in LAKE. It is also completely independent of all the other issues. I was personally extremely happy with the current compromise text suggested by Stephen Farrell. I cannot see why anybody would like to spend time discussing this issue more. If needed, let's have a vote and get rid of the issue. If discussion is needed I would suggest we do that as late as possible when all other issues are done.

Cheers,
John