Re: [Lake] WGLC for draft-ietf-lake-reqs-01
Christopher Wood <caw@heapingbits.net> Fri, 20 March 2020 00:31 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C3A23A1342 for <lake@ietfa.amsl.com>; Thu, 19 Mar 2020 17:31:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.077
X-Spam-Level:
X-Spam-Status: No, score=-2.077 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=C81ZGuC7; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=I+FdiMSu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cj-VR2jDh1qc for <lake@ietfa.amsl.com>; Thu, 19 Mar 2020 17:31:09 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 104053A1338 for <lake@ietf.org>; Thu, 19 Mar 2020 17:31:03 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id A61655C01AF for <lake@ietf.org>; Thu, 19 Mar 2020 20:30:55 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Thu, 19 Mar 2020 20:30:55 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm3; bh=OS2QC zMTXCaAvUBbFEU5HCUzYi/o3sLGDlMtc9359xQ=; b=C81ZGuC7cF57fX3L85izL l7CDRcJn2RR7+L4A+Kwu0Gjqzi+/QVhYUHj8pRS5rMIkVVh1W5Yc6S1m5bLtw751 5hdPZpoNTAmhFy3HyG5QRGCfPYTqxMnitVAf1sAruSOc6gHucckc/8zXD5xr1+ZF 2PeQWKHr5caN5o+yyd4oVNUJna2iWaG7UDsVYHTTz24fqSq8gpb5ww3xVFPklAu4 g6TcCR2WBn6rQKLDYhTziE0QXtF7iX1YqnpPTJ6S/15q4RrflX3soS1ZVPfj5q+x pcgztfL7M8Bmo/39s6OYLM3mGKr1AVdqgb8jVwbhUEBBtksZA3axbIYwUXLD4zwg w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=OS2QCzMTXCaAvUBbFEU5HCUzYi/o3sLGDlMtc9359 xQ=; b=I+FdiMSu6y2Fn+koX6FG1O6JWMR0GGy49eZrl/9Lgno58dZeLUzGnPjnk jxPnQi4I65z1LVXTZSafyO6Wwds/vI22xorO1R6hoB0y+R3SK8Sg4N8uYp0Ox7kq JpHEgZmM65nhMSr1s6tqurxEbDXDlW6v6QDqXdObzF3bH31LbecF0JlMFmqb2cm4 rkw9JsZrOX1Ljsu3QjQW6y/diD5pQl2jDjrGRhiqFBafKpmcaga9qnPEyHpOKSDk yaD0IKi4Zv8R5w4Cr0I0NvbNGXw9mh1HHSOOao4bT3RC10mkvzGMzQFtDhaV0eEi z2n4HjBiKnoWbKLOpztMq0QWR1L9w==
X-ME-Sender: <xms:vw50XolPR1IO-M8piJF3AVgtACToTR-hRR6QwB7TaFYEXOQLWm1lIQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedrudegtddgvdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdevhhhrihhsthhophhhvghrucghohhougdfuceotggr fieshhgvrghpihhnghgsihhtshdrnhgvtheqnecuffhomhgrihhnpehivghtfhdrohhrgh enucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegtrgif sehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:vw50XsHoQtvVlzZFDlAg1xjAi_9h5jjIQMKR8imrUXkoW0eXxnjI2A> <xmx:vw50XhptMSpxGORBdjXMACH6pueh4Q2j5AiqMTw5O_Sj_SqDAdd5aA> <xmx:vw50Xo7ZB47TLF0ST82ZGbRashch8kV4zyyOpSYAfse2nbwV2qa1cg> <xmx:vw50XuuU78OBglI2ON2AzT-m9s_g0crRhGumYsombx_0CriA7TopXw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 353F33C00A1; Thu, 19 Mar 2020 20:30:55 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-1021-g152deaf-fmstable-20200319v1
Mime-Version: 1.0
Message-Id: <def78b1a-f679-48ac-a97b-204859fc8866@www.fastmail.com>
In-Reply-To: <CABcZeBNNaXTwLufkECD33X=XVz3PQ=of8uiCgfE1bQAZYhW9_A@mail.gmail.com>
References: <b7c084b0-8489-5c05-046d-33aa70c85b94@cs.tcd.ie> <191b7e3c-4453-a60c-7d5d-07a051e8b85e@cs.tcd.ie> <CABcZeBNNaXTwLufkECD33X=XVz3PQ=of8uiCgfE1bQAZYhW9_A@mail.gmail.com>
Date: Thu, 19 Mar 2020 17:30:35 -0700
From: Christopher Wood <caw@heapingbits.net>
To: lake@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/9MQ2mFCab4Dz4PKV28ZT3mqXCDY>
Subject: Re: [Lake] WGLC for draft-ietf-lake-reqs-01
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 00:31:23 -0000
FWIW, I think Richard and Eric raise excellent points worth considering before moving forward. Best, Chris On Thu, Mar 19, 2020, at 2:30 PM, Eric Rescorla wrote: > I do not believe this document is ready for WGLC. With some important > exceptions, it does a tolerable job of laying out the security > objectives, but does not really meet the need of describing the > specific resource constraints that make this a lightweight protocol > (which was the point of this requirements exercise). > > Let's take the basic question of how big messages can be. Here's > what this document has to say about LoRaWAN, the technology > about what is most specific. > > LoRaWAN has a variable MTU depending on the Spreading Factor (SF). > The higher the spreading factor, the higher distances can be achieved > and/or better reception. If the coverage and distance allows it, > with SF7 - corresponding to higher data rates - the maximum payload > is 222 bytes. For a SF12 - and low data rates - the maximum payload > is 51 bytes on data link layer. > > The benchmark used here is Data Rates 0-2 corresponding to a packet > size of 51 bytes [LoRaWAN]. The use of larger frame size depend on > good radio conditions which are not always present. Some libraries/ > providers only support 51-bytes packet size. > providers only support 51-bytes packet size. > > I'm not sure what I am supposed to do with this: it seems like we have > packet sizes that range from 51 to 222. I think what this is saying is > that I am supposed to assume 51-byte packets, but even that is > unclear. And it leaves open more questions than it answers. For > instance: > > - What is the additional penalty for (say) 5 packets over 4? > Some additional power? Latency? > > - I understand that some of these protocols are stop-and-wait. > Is LoWaRAN? How many packets can I have outstanding at once? > > - How does the CoAP overhead factor in? What about when I fragment? > > The descriptions for the other technologies are even more vague: > > Increasing the number of bytes on the wire in a protocol message has > an important effect on the 6TiSCH network in case the fragmentation > is triggered. More fragments contribute to congestion of shared > cells (and concomitant error rates) in a non-linear way. > > The available size for key exchange messages depends on the topology > of the network, whether the message is traveling uplink or downlink, > and other stack parameters. A key performance indicator for a 6TiSCH > network is "network formation", i.e. the time it takes from switching > on all devices, until the last device has executed the AKE and > securely joined. As an example, given the size limit on the frames > and taking into account the different headers (including link-layer > security), if a 6TiSCH network is 5 hops deep, the maximum CoAP > payload size to avoid fragmentation is 47/45 bytes (uplink/downlink) > [AKE-for-6TiSCH]. > > So should I be assuming 47? 45? Should I be assuming 5 hops? More? > > The answers in this document are frankly pretty unsatisfactory. For > instance, it says: > > Considering the duty cycle of LoRaWAN and associated unavailable > times, the round trips and number of LoRaWAN packets needs to be > reduced as much as possible. > > What I would expect to see is something to the effect of: "this is > the incremental cost in {power, bandwidth, time to complete} of an > additional packet and therefore we should be able to keep to <X > packets", but really the only thing we get is in 2.10.4, which says: > > Considering that an AKE protocol complying with these > requirements is expected to have at least 3 messages, the optimal AKE > has 3 messages and each message fits into as few frames as possible, > ideally 1 frame per message. > > The problem here is that we *know* we are going to have to accept > some level of messages that span multiple radio units and so > getting a sense of where the real boundaries are is critical, > but this document frankly isn't much of a help. > > I would suggest that we try to take one of these protocols > (say 6LoRaWAN) and do this exercise in detail and then we > will have a template for the others. > > > > > SPECIFIC COMMENTS: > Abstract: > authenticated key exchange protocol for OSCORE. This draft is in a > working group last call (WGLC) in the LAKE working group. Post-WGLC, > the requirements will be considered sufficiently stable for the > working group to proceed with its work. It is not currently planned > to publish this draft as an RFC. > > You'll want to change this, obviously. > > S 2.1. > COSE provides the crypto primitives for OSCORE. The AKE shall > specify how COSE can be reused for identification of credentials and > algorithms of OSCORE and the AKE, as extension point for new schemes, > and to avoid duplicated maintenance of crypto library. > > This is the first of a number of places where this document tries > to pre-make design decisions. The requirement here is lightwightness, > not COSE. In general, this document should not be making any > such decisions; I've tried to call them out but may have missed > some. > > Moreover, the AKE must support transport over CoAP. Since the AKE > messages most commonly will be encapsulated in CoAP, the AKE must not > duplicate functionality provided by CoAP, or at least not duplicate > functionality in such a way that it adds extra costs in terms of code > size, code maintenance, etc. It is therefore assumed that the AKE is > > This too is too strong. If it required .001% more of something, that might > be a totally reasonable tradeoff for some other feature. > > S 2.2. > To further minimize the bandwidth consumption it is required to > support transporting certificates and raw public keys by reference > rather than by value. Considering the wide variety of deployments, > the AKE must support different schemes for transporting and > identifying credentials, including those identified in Section 2 of > [I-D.ietf-cose-x509]. > > Really? so we need to support both x509bag and x509chain? Why? > > This also needs to be a lot clearer about what the identity misbinding > properties that apply here when we refer to references. > > > Assuming that both signature public keys and static DH public keys > are in use, then also the case of mixed credentials need to be > supported with one endpoint using a static DH public key and the > other using a signature public key. The AKE shall support the > initiator signaling which public key credential mix to be used in the > protocol such that the responder knows and can verify that the > intended variant was executed. > > I don't understand what this means. The initiator doesn't know what > the responder can use and so can offer but can't dictate it. > > > S 2.3. > The AKE must provide mutual authentication during the protocol run. > > So unilateral authentication is completely out of scope? Why? > > > authenticated the other's credential. In particular, both endpoints > must agree on a fresh session identifier, and the roles and > credentials of both endpoints. > > What are the properties of this identifier? I don't see it described. > Is this a CK-style session identifier? > > * The AKE shall protect against identity misbinding attacks > [Misbinding]. Note that the identity may be directly related to a > public key such as for example the public key itself, a hash of > the public key, or data unrelated to a key. > > I don't understand what this means, but it seems like having names > that are public keys is a potential cause of misbinding attacks. > > > Moreover, it shall be possible for the receiving endpoint to detect a > replayed AKE message. > > What does this mean? I don't know how to detect replay of the initial > message without maintaining infinite state or an extra round trip > (or catching it later in the protocol run) do you. > > Furthermore, the endpoints shall be able to verify that the identity > of the other endpoint is an acceptable identity that it is intended > to authenticate to. (This requirement extends beyond the AKE in that > > What does this text mean? > > > S 2.4. > Perfect Forward Secrecy may alternatively be achieved with a nonce > exchange followed by appropriately derived new session keys provided > that state can be kept in the form of a session counter. Note that > OSCORE specifies a method for session key update involving a nonce > exchange (see Appendix B in [RFC8613]). > > As noted in my comments on SAAG, the whole FS landscape is pretty > complicated, and this doesn't do that great a job of capturing it. For > instance, where do session tickets fit in? > > > The AKE shall provide a mechanism to use the output of one handshake > to optimize future handshakes, e.g., by generating keying material > which can be used to authenticate a future handshake, thus avoiding > the need for public key authentication in that handshake. > > Do we expect to need a 0-RTT feature? Because that has different FS > properties. > > > To mitigate against bad random number generators the AKE shall > mandate randomness improvements such as > [I-D.irtf-cfrg-randomness-improvements]. > > I don't think this should be a requirement.. It's an implementation > technique and in any case is not a differentiator for selecting > protocols. > > > S 2.5. > * The protocol shall allow multiple elliptic curves for Diffie- > Hellman operations and signature-based authentication. > > Does this need to be negotiable, as in the responder might have > 1 > certificate differentiated by EC group? > > * The AKE shall support negotiation of COSE algorithms > [IANA-COSE-Algorithms] to be used in the AKE and in OSCORE. A > successful negotiation shall result in the most preferred > algorithms of one of the parties which are supported by the other. > > This is overly specific, and I don't see why it's a requirement. The > way you want to phrase this is that it resists downgrade. > > > The AKE negotiation must provide strong integrity guarantees against > active attackers. At the end of the AKE protocol, both endpoints > must agree on both the crypto algorithms that were proposed and those > that were chosen. In particular, the protocol must protect against > downgrade attacks. > > Would be good to quantify "strong". I suggest >= 128 bits. > > > S 2.6. > In case of a PSK identifier, this may be protected against passive > attackers, for example with a key derived from a Diffie-Hellman > shared secret at the earliest in flight 3. As a consequence, in > order to authenticate the responder within the AKE, at least four > protocol flights are needed in case of symmetric key authentication > with identity protection. Considering the need to keep the number of > round-trips at a minimum (see Section 2.10.4), unless there are other > good reasons for having more than 3 flights, it is not required to > protect the PSK identifier, and it may thus be sent in the first > flight. > > This kind of buries the lede. I would just say it's not a requirement. > > Other identifying information that needs to be transported in plain > text is cipher suites and connection identifiers. Encrypting crypto > > What is a connection identifier. > > > S 2.8 > > The main objective with this work is to create a simple yet secure > AKE. The AKE should avoid having multiple ways to express the same > thing. When the underlying encodings offered by CBOR offer multiple > possibility the AKE should be strongly opinioniated, and clearly > specify which one will be used. > > This seems to assume that CBOR will be used, but that's not decided. > > > While remaining extensible, the AKE should avoid optional mechanisms > which introduce code paths that are less well tested. > > I don't think this is a requirement that is actionable. > > > The AKE should avoid mechanisms where an initiator takes a guess at > the policy, and when it receives a negative response, must guess, > based upon what it has tried, what to do next. > > I don't agree with this at all, and I'm not sure why this is > here. There are good reasons to do this. In fact, it's the main way to > get a three message protocol with confidentiality for the server's > first flight. > > > S 2.10.5. > > 3. To limit the impact of a kseley compromise, BSI, NIST and ANSSI and > other organizations recommend in other contexts frequent renewal > of keys by means of Diffie-Hellman key exchange. This may be a > symmetric key authenticated key exchange, where the symmetric key > is obtained from a previous asymmetric key based run of the AKE. > > Or hash ratcheting. > > On Thu, Mar 19, 2020 at 9:06 AM Stephen Farrell > <stephen.farrell@cs.tcd.ie> wrote: > > > > Ping! Today's the deadline day for this. Please do try > > get your comments in on time. > > > > While this hasn't been controversial in the WG, I would > > like to see more comment as there hasn't been enough to > > determine if we have consensus to proceed. So some more > > mails saying you've read this version and are ok with it > > would be good if that's the case. Or if not, why not. > > > > Thanks, > > S. > > > > On 21/02/2020 15:32, Stephen Farrell wrote: > > > > > > Hi all, > > > > > > The authors have asked to start a WGLC for the requirements > > > document. [1] This mail is to start that. The deadline for > > > comments is March 19th in order to give the authors time to > > > prepare for discussion at the upcoming IETF meeting. Since > > > my co-chair Mališa is a co-author of this draft, I'll be > > > the one calling consensus on the WGLC. (If that gets tricky, > > > I'll likely ask for help from our AD.) > > > > > > If you can, it'd be great to get comments in the next week, > > > to give the authors a chance to publish an update before > > > the March 9th I-D cutoff, should they think that'll help > > > us get done. > > > > > > If you think this is ready, sending a comment to that > > > effect is fine. If you think it's not ready, you do need > > > to say why and ideally suggest changes that'd, in your > > > opinion, make it ready. > > > > > > As a reminder - our charter calls for us to park this draft > > > after WGLC has successfully completed, and we'll not be > > > sending this on for publication as an RFC at this time. So > > > please try keep the focus of your comments on the meat of > > > the content rather than on crossing all the i's and dotting > > > all the t's:-) > > > > > > Thanks, > > > Stephen. > > > > > > PS: I'll send my own comments (with no hats) in a separate > > > mail shortly. > > > > > > [1] https://tools.ietf.org/html/draft-ietf-lake-reqs-01 > > > > > > > > -- > > Lake mailing list > > Lake@ietf.org > > https://www.ietf.org/mailman/listinfo/lake > -- > Lake mailing list > Lake@ietf.org > https://www.ietf.org/mailman/listinfo/lake >
- [Lake] WGLC for draft-ietf-lake-reqs-01 Stephen Farrell
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Stephen Farrell
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Michael Richardson
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Michael Richardson
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Stephen Farrell
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Christopher Wood
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Michael Richardson
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Richard Barnes
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Eric Rescorla
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Christopher Wood
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Michael Richardson
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Eric Rescorla
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Michael Richardson