[Lake] Fwd: brief feedback on draft-selander-lake-reqs-00
Rene Struik <rstruik.ext@gmail.com> Mon, 22 July 2019 18:48 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05F63120154 for <lake@ietfa.amsl.com>; Mon, 22 Jul 2019 11:48:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DMmxNUQ41VwP for <lake@ietfa.amsl.com>; Mon, 22 Jul 2019 11:48:43 -0700 (PDT)
Received: from mail-vs1-xe31.google.com (mail-vs1-xe31.google.com [IPv6:2607:f8b0:4864:20::e31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A55CC12012A for <lake@ietf.org>; Mon, 22 Jul 2019 11:48:42 -0700 (PDT)
Received: by mail-vs1-xe31.google.com with SMTP id y16so26946736vsc.3 for <lake@ietf.org>; Mon, 22 Jul 2019 11:48:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:references:to:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=zjgbMmbG4vA+9oPhWLbiF7S93llv5ISxN7QkK4lOh5U=; b=Wnspl0ynSjn/gGUm4dAJafgZQZAoPeOPGtyKEmvChJRl1OOJNtuEaq0s3ZDVNVhgZD iyJ/mOAhz85sOyVAlj+7xRMYNoFerTVdj3RINYoCd9E/7iL80wQnjODJH1SgtX+1Cd92 uqBLUl3b+6a+LXbjhTXvBF+9uSAiI4+F7IUYYxrgafHCNiPNjWPSLTyFZFLoKIwCSn3a rvGYKyZWaZ/NHBN6cSxU0Npnn9QKMjT9pHz+htX2OM9YpPHrdVnobNp/VHHToQczittg kDrxDwi6Y98EuuG/EDhCGKEeEPoYp4KpAVlEHbrIm2KVnxcp+Lxi9DKFoZ+KtqbaQIGk iKMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:references:to:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=zjgbMmbG4vA+9oPhWLbiF7S93llv5ISxN7QkK4lOh5U=; b=ALkJqHStHWNhP1sRJKwaefGZTZhX1H/bFmZuq7SZlDSY6cmwlsDIz+qqgKL4MxOssU c984PevWBf2L2zfP4/ocB0FPBY/ybRk37J+B/cFsnGxQ92b68iindRr3qLvPAaTxrHs4 e5mUNS77UDKagAWcCLKHr4j1wQxbZPHm0D6dB9guX8Ovx/KO6OVYdSNaP9LKkOXIE8ZD C5xt59B6WpBKmnrMCejyokCopA0Vt020ePNR6qQPOMMtLF7rUa+B3EHKyj6x5pT5cZwF XfmTltghegScYf/P8nwOCaarT6XLYKEI24PafyL2N7gT4xSiocGcLhWjZsmcnC1oIjUb tURQ==
X-Gm-Message-State: APjAAAWHCX6Db06mwWLyyLJHbq+5/Hlg7iNsYrFxYviksyWly0u1YLAy oDMQWzXh2VgEgW7tkFYic1TKxKvF
X-Google-Smtp-Source: APXvYqw4ZcicZMyyKeOqv3a+QMwssuuKlX9WqWurt37VgIU7dOAtaOgEhMwmiL0IgbaSIPyYNguGiQ==
X-Received: by 2002:a67:2e0e:: with SMTP id u14mr44808932vsu.182.1563821321283; Mon, 22 Jul 2019 11:48:41 -0700 (PDT)
Received: from ?IPv6:2001:67c:1232:144:e14f:8487:b458:70b5? ([2001:67c:1232:144:e14f:8487:b458:70b5]) by smtp.gmail.com with ESMTPSA id f140sm27906137vka.36.2019.07.22.11.48.40 for <lake@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 22 Jul 2019 11:48:40 -0700 (PDT)
References: <7a604b70-1c6a-e799-f30c-c9369e62d8d0@gmail.com>
To: lake@ietf.org
From: Rene Struik <rstruik.ext@gmail.com>
X-Forwarded-Message-Id: <7a604b70-1c6a-e799-f30c-c9369e62d8d0@gmail.com>
Message-ID: <7fe29681-6b9f-7856-690e-19fad5470531@gmail.com>
Date: Mon, 22 Jul 2019 14:48:38 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <7a604b70-1c6a-e799-f30c-c9369e62d8d0@gmail.com>
Content-Type: multipart/alternative; boundary="------------F54160903E001C117283E37C"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/BEmiLxJc3CRrBCGqmbgcUJy8bLc>
Subject: [Lake] Fwd: brief feedback on draft-selander-lake-reqs-00
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2019 18:48:46 -0000
Dear colleagues:
I just had a look at the LAKE BoF "requirements" slides [1].
I have some reservations as to duty-cycle arguments with LoRaWAN
("Benchmark 2") - see also my earlier comment of April 15, 2019 below
(item #a). As to 6TiSCH ("Benchmark 3"), whose applications would
include critical infrastructure, the cut-offs do not include any
provision for certs, which easily tilt the numbers a lot. For serious
applications one needs to consider a slghtly broader setting than a
simple authenticated key agreement scheme.
Bottom line: while I do appreciate the perceived need to be "minimal"
(whatever metric one measures this by: computational cost, communication
size), etc., when making shopping lists, this may be at the detriment of
operational security offered (see earlier comments (b) and (c) below, as
well as algorithm agility requirement).
One question that occurred to me is how easy it would be to certify
chipsets that implement crypto, but have data representation conversions
that are not standard (e.g., if one uses EdDSA and does not guarantee
the integrity of message encoding rules within the security boundary of
the device under test, this may break the scheme right away).
Best regards, Rene
[1]
https://datatracker.ietf.org/meeting/105/materials/slides-105-lake-lake-requirements-00.pdf
-------- Forwarded Message --------
Subject: brief feedback on draft-selander-lake-reqs-00
Date: Mon, 15 Apr 2019 14:38:33 -0400
From: Rene Struik <rstruik.ext@gmail.com>
To: Göran Selander <goran.selander@ericsson.com>, secdispatch@ietf.org
<secdispatch@ietf.org>
Dear Goran:
Some brief remarks on draft-selander-lake-reqs:
a) duty cycle (see Section 4.2.1 - LoRaWaN):
Duty cycle depends on context (e.g., duty cycle during Tx of a single
frame is always 100%). According to ETSI [1], Section 5.4.1, duty cycle
is relative to observation time window (Tobs) of 1 hour, where
conformance ([1], Section 5.4.2), is defined relative to normal use
during operational lifetime, where "the representative period shall be
the most active one in normal use of the device. As a guide "Normal use"
is considered as representing the behaviour of the device during
transmission of 99 % of transmissions generated during its operational
lifetime", and where "Procedures such as setup, commissioning and
maintenance are not considered part of normal operation". This does
suggest that inter-frame spacing is not necessarily 99 frames for each
frame sent, as this section seems to claim. In fact, if key agreement is
only done as part of network formation, it falls outside the duty cycle
regulatory requirement.
b) few messages/few frames (Section 4.2 - Discussion):
The suggestion that a 3-message protocol is a requirement seems to be
more an opinion/preference by the author, since lacking detailed
technical justification. {If sending an additional frame causes "the
probability of errors [to] increase exponentially", the medium access
control layer seems to be unfit for use. Or, do you mean that if error
probability is p, one gets prob no error in t frames equals (1-p)^t? If
so, with small p with viable networks and small t, one definitely has
(1-p)^t ~ 1 - t*p (i.e., almost linear degradation rather than the more
dramatically sounding exponential).}
c) conflicting requirements (Section 4.1 - AKE for OSCORE vs. Section
4.2 - Lightweight):
There are trade-offs between communication overhead and security
properties, which generally should be explored in more detail before
imposing a requirement. As an example, a strict requirement for PFS may
necessitate increased communication overhead, since, e.g., a
communication failure during an AKC-scheme with strict PFS may preclude
reusing this keying material with a retry mechanism.
d) security considerations (Section 6):
Contrary to what is suggested, the document is mostly about "size"
arguments and does not offer a definition of desired algorithmic and
operational security properties for sensor networks.
e) protocol flavors (Section 2):
The suggested protocol options include authenticated key agreement using
symmetric-key, raw public keys, and certified public keys. Another
option, which may be worth exploring (even if discarded based on sound
rationale) is a key agreement scheme where authentication is based on a
short secret authentication string (password) or a short public
authentic, yet not secret string that is provided by a user (see, e.g.,
[3]).
f) COSE algorithms (Section 4.1):
The algorithms in the current COSE specification (RFC 8152) may not have
a rich enough set of primitives to instantiate the sought after
authenticated key agreement protocol. As an example, to my
understanding, COSE only facilitates use of static-ephemeral co-factor
Diffie-Hellman. Thus, some changes to the COSE specification may be
required if one wishes to use a protocol that uses co-factor
Diffie-Hellman based on ephemeral key shares. (Of course, this may be
easily facilitated, esp. if the underlying core crypto primitive is
already defined).
These comments illustrate that some requirements are less clear-cut than
as suggested in draft-selander-lake-reqs-00 and, that, in fact, there
may be more to this than just a "smaller is always better" argument.
Rene
Ref:
[1] ETSI EN 300 220-1 V3.1.1 (2017-02);
[2] ETSI EN 300 220-2 V3.1.1 (2017-02);
[3] Authenticated Key Agreement - Using Short Authenticated Strings
(Serge Vaudenay, Crypto 2005)
On 4/12/2019 12:20 PM, Göran Selander wrote:
> On request I compiled the requirements for the lightweight AKE for
> OSCORE discussed on the list into a draft. This is not exactly the
> formulation by the security ADs but the main requirements should be there.
>
> Göran
>
> On 2019-04-12, 16:20, "internet-drafts@ietf.org"
> <internet-drafts@ietf.org> wrote:
>
> A new version of I-D, draft-selander-lake-reqs-00.txt
> has been successfully submitted by Göran Selander and posted to the
> IETF repository.
> Name: draft-selander-lake-reqs
> Revision: 00
> Title: Requirements for a Lightweight AKE for OSCORE.
> Document date: 2019-04-12
> Group: Individual Submission
> Pages: 7
> URL: https://www.ietf.org/internet-drafts/draft-selander-lake-reqs-00.txt
> Status: https://datatracker.ietf.org/doc/draft-selander-lake-reqs/
> Htmlized: https://tools.ietf.org/html/draft-selander-lake-reqs-00
> Htmlized: https://datatracker.ietf.org/doc/html/draft-selander-lake-reqs
> Abstract:
> This document contains the requirements for a lightweight
> authenticated key exchange protocol for OSCORE.
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
> The IETF Secretariat
>
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
--
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363