[Lake] comments on draft-ietf-lake-reqs
Karthik Bhargavan <karthikeyan.bhargavan@inria.fr> Tue, 14 January 2020 16:27 UTC
Return-Path: <karthikeyan.bhargavan@inria.fr>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9EC0120986 for <lake@ietfa.amsl.com>; Tue, 14 Jan 2020 08:27:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rqj3kqzUNOOa for <lake@ietfa.amsl.com>; Tue, 14 Jan 2020 08:27:25 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D624F120978 for <lake@ietf.org>; Tue, 14 Jan 2020 08:27:24 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.69,433,1571695200"; d="scan'208";a="431334241"
Received: from 89-156-101-160.rev.numericable.fr (HELO [192.168.0.64]) ([89.156.101.160]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Jan 2020 17:27:22 +0100
From: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Message-Id: <DA04764C-A550-476E-8A3E-5B6653AF659B@inria.fr>
Date: Tue, 14 Jan 2020 17:27:20 +0100
To: lake@ietf.org
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/CNYhJaLn36L5-tFLaxINg38joHg>
Subject: [Lake] comments on draft-ietf-lake-reqs
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2020 16:27:33 -0000
Dear All, In preparation for the virtual interim, here are some comments on the current version of the requirements doc (up to section 2.8) A high-level concern is that in many early sections the requirements document text is too protocol-specific, and especially assumes protocols based on Diffie-Hellman. It would be better to leave such details to the protocol design document and only state the high-level goals here. Section 2.1: the acronym PFS is used here for the first time. Expand. Section 2.2 says: "In order to allow for these different schemes, the AKE must support PSK- (shared between two nodes), RPK- and certificate-based authentication of the Diffie-Hellman (DH) key exchange.” Here, and in later sections, the assumption that the AKE must support Diffie-Hellman is unnecessary and over-specific. All we want to say is that "the AKE must support PSK- (shared between two nodes), RPK- and certificate-based authentication” and leave out DH. More generally, I am assuming we do not want the requirements document to preclude all non-DH solutions, e.g those based on lattice-based KEMs. Section 2.2 then says "Bandwidth is a scarce resource in constrained-node networks. The use of static DH public keys instead of signature public keys is a significant optimization and shall be supported.” Again, this seems overly specific for a requirements document. Maybe just delete? Of course the protocol should optimize bandwidth but we already say so elsewhere. Section 2.3 defines mutual authentication for LAKE. It then describes PFS, which feels a bit misplaced since it is not an authentication property. The same can be said for the bad RNG improvements paragraph. Maybe we should move these two paragraphs elsewhere? Prevention of KCI resistance, identity misbinding, reflection attacks, are all specific cases of mutual authentication, and this should be clarified better. These are not additional authentication requirements; instead we should say that the mutual authentication guarantees of LAKE should be strong enough to guarantee these 3 properties. "The AKE shall protect against replay attacks (injective)”: I am quite unsure what this means. What do we prevent from being replayed, the full AKE? The application messages? Section 2.5 sets out the goals of identity protection. However, the third paragraph on how to protect PSK using DH and the trade-off between 3 and 4 messages seems too protocol specific. We have not even seen a protocol yet, so it is hard for the reader to even know why 3 messages is the “right” number for an AKE. Section 2.6 describes application-level security goals. This section may be a good place to discuss or reiterate forward secrecy. It also says: "It is expected that an AKE with 3 messages will provide the following protection of the application data” Rather than providing specialized requirements for a 3 message protocol, it may be better to instead say that the LAKE protocol should provide clear guidance on the level of security provided to application messages at different stages of the protocol. For example, the first message may be unprotected, … etc. Best, Karthik
- [Lake] comments on draft-ietf-lake-reqs Karthik Bhargavan
- Re: [Lake] comments on draft-ietf-lake-reqs Göran Selander