Re: [Lake] WGLC for draft-ietf-lake-reqs-01
Eric Rescorla <ekr@rtfm.com> Thu, 19 March 2020 21:31 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C646A3A100F for <lake@ietfa.amsl.com>; Thu, 19 Mar 2020 14:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vVNSzTVR40lr for <lake@ietfa.amsl.com>; Thu, 19 Mar 2020 14:31:14 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FC5D3A1009 for <lake@ietf.org>; Thu, 19 Mar 2020 14:31:13 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id u12so4271313ljo.2 for <lake@ietf.org>; Thu, 19 Mar 2020 14:31:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Cq7l1Wo/Ng5TKwSPns79JRVq2aZ44VNrKTNulr7LR0g=; b=hO9Pnli+sGc9+j/OEP85yeGZFEppkzhhT+WUpcQmOkL96vhmUIrheCdCxMcXlYaM1X MouSPX8bM5Np99RAHdaX2lNlkn4Yo//fuMF9FRdiahSamw+pyqgbrPPm0vq5pXhjas37 HVvQ12wc9RR209ZSwrYV+L/LlrJ4t7TEqt8+Q0kjzl8xEdzWFcMaNYo3OWtp/i8H68m2 IL3Fu0b/UoKt7Y4i819YXiX4rY36NLUzM9vafIL9LTlale5qBqQYnc08wn9S9XaDWM7p +g6N9IJzJZh/S29VQ88otY9/NcyAwFKO5YjqVrZfPOUCHmqiEiFRYcHL1L+sjtujkItf rszg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Cq7l1Wo/Ng5TKwSPns79JRVq2aZ44VNrKTNulr7LR0g=; b=qlMB+enF3cEkc+S2Ayb7h2jl4ixfAkkO9q19b5hxHe5srnQJJnkRbZGN5reZGhr9uf GEyozUUce+zqkshTRx1t48juEXSAZnz8TgHwTxkVqzbLp2ydDbO8CEEMbarnDcMt+jpP R6q8k1uJZJXSeP4Tsws4c+8rXXrCAad8emzSt0xzGs1OxIpCeV20dUpFgTJy5gqXit9t rvje5RCc2A9U9Vbj1auF0LMscT86W8hXEAqZ7m1Kx2i2c2VAzsiDUaKv1prPRIA8MA9O 5hTgSLNXimUuoXTMc4R8Xm9FGMxBIMVURAiuKIuUVp1qL5rf0nIOm8O1Q5bz71yUkern D+sw==
X-Gm-Message-State: ANhLgQ2ang5kAqjZ/2i4SvDVERbjJvgL/Qr7EDXWgEKYaQsB0s8tR3Ri pa4A3p0kE91Fe9JGVBitPlPIlIF4CoxttjieQG7b3Mh+G5OtGw==
X-Google-Smtp-Source: ADFU+vvTdmN4Jqt2qTwOY51wtJzcevMYOlmq+ytE7FaASRykirl6OIkO5hmLO87SOEH1CIuXamft22zVP/Hv4dZc8r8=
X-Received: by 2002:a2e:908f:: with SMTP id l15mr3214953ljg.120.1584653471027; Thu, 19 Mar 2020 14:31:11 -0700 (PDT)
MIME-Version: 1.0
References: <b7c084b0-8489-5c05-046d-33aa70c85b94@cs.tcd.ie> <191b7e3c-4453-a60c-7d5d-07a051e8b85e@cs.tcd.ie>
In-Reply-To: <191b7e3c-4453-a60c-7d5d-07a051e8b85e@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 19 Mar 2020 14:30:34 -0700
Message-ID: <CABcZeBNNaXTwLufkECD33X=XVz3PQ=of8uiCgfE1bQAZYhW9_A@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "lake@ietf.org" <lake@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003baa4505a13be3e6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/F19x67vKmMnl2uti8b2J_u5CYmY>
Subject: Re: [Lake] WGLC for draft-ietf-lake-reqs-01
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2020 21:31:20 -0000
I do not believe this document is ready for WGLC. With some important exceptions, it does a tolerable job of laying out the security objectives, but does not really meet the need of describing the specific resource constraints that make this a lightweight protocol (which was the point of this requirements exercise). Let's take the basic question of how big messages can be. Here's what this document has to say about LoRaWAN, the technology about what is most specific. LoRaWAN has a variable MTU depending on the Spreading Factor (SF). The higher the spreading factor, the higher distances can be achieved and/or better reception. If the coverage and distance allows it, with SF7 - corresponding to higher data rates - the maximum payload is 222 bytes. For a SF12 - and low data rates - the maximum payload is 51 bytes on data link layer. The benchmark used here is Data Rates 0-2 corresponding to a packet size of 51 bytes [LoRaWAN]. The use of larger frame size depend on good radio conditions which are not always present. Some libraries/ providers only support 51-bytes packet size. providers only support 51-bytes packet size. I'm not sure what I am supposed to do with this: it seems like we have packet sizes that range from 51 to 222. I think what this is saying is that I am supposed to assume 51-byte packets, but even that is unclear. And it leaves open more questions than it answers. For instance: - What is the additional penalty for (say) 5 packets over 4? Some additional power? Latency? - I understand that some of these protocols are stop-and-wait. Is LoWaRAN? How many packets can I have outstanding at once? - How does the CoAP overhead factor in? What about when I fragment? The descriptions for the other technologies are even more vague: Increasing the number of bytes on the wire in a protocol message has an important effect on the 6TiSCH network in case the fragmentation is triggered. More fragments contribute to congestion of shared cells (and concomitant error rates) in a non-linear way. The available size for key exchange messages depends on the topology of the network, whether the message is traveling uplink or downlink, and other stack parameters. A key performance indicator for a 6TiSCH network is "network formation", i.e. the time it takes from switching on all devices, until the last device has executed the AKE and securely joined. As an example, given the size limit on the frames and taking into account the different headers (including link-layer security), if a 6TiSCH network is 5 hops deep, the maximum CoAP payload size to avoid fragmentation is 47/45 bytes (uplink/downlink) [AKE-for-6TiSCH]. So should I be assuming 47? 45? Should I be assuming 5 hops? More? The answers in this document are frankly pretty unsatisfactory. For instance, it says: Considering the duty cycle of LoRaWAN and associated unavailable times, the round trips and number of LoRaWAN packets needs to be reduced as much as possible. What I would expect to see is something to the effect of: "this is the incremental cost in {power, bandwidth, time to complete} of an additional packet and therefore we should be able to keep to <X packets", but really the only thing we get is in 2.10.4, which says: Considering that an AKE protocol complying with these requirements is expected to have at least 3 messages, the optimal AKE has 3 messages and each message fits into as few frames as possible, ideally 1 frame per message. The problem here is that we *know* we are going to have to accept some level of messages that span multiple radio units and so getting a sense of where the real boundaries are is critical, but this document frankly isn't much of a help. I would suggest that we try to take one of these protocols (say 6LoRaWAN) and do this exercise in detail and then we will have a template for the others. SPECIFIC COMMENTS: Abstract: authenticated key exchange protocol for OSCORE. This draft is in a working group last call (WGLC) in the LAKE working group. Post-WGLC, the requirements will be considered sufficiently stable for the working group to proceed with its work. It is not currently planned to publish this draft as an RFC. You'll want to change this, obviously. S 2.1. COSE provides the crypto primitives for OSCORE. The AKE shall specify how COSE can be reused for identification of credentials and algorithms of OSCORE and the AKE, as extension point for new schemes, and to avoid duplicated maintenance of crypto library. This is the first of a number of places where this document tries to pre-make design decisions. The requirement here is lightwightness, not COSE. In general, this document should not be making any such decisions; I've tried to call them out but may have missed some. Moreover, the AKE must support transport over CoAP. Since the AKE messages most commonly will be encapsulated in CoAP, the AKE must not duplicate functionality provided by CoAP, or at least not duplicate functionality in such a way that it adds extra costs in terms of code size, code maintenance, etc. It is therefore assumed that the AKE is This too is too strong. If it required .001% more of something, that might be a totally reasonable tradeoff for some other feature. S 2.2. To further minimize the bandwidth consumption it is required to support transporting certificates and raw public keys by reference rather than by value. Considering the wide variety of deployments, the AKE must support different schemes for transporting and identifying credentials, including those identified in Section 2 of [I-D.ietf-cose-x509]. Really? so we need to support both x509bag and x509chain? Why? This also needs to be a lot clearer about what the identity misbinding properties that apply here when we refer to references. Assuming that both signature public keys and static DH public keys are in use, then also the case of mixed credentials need to be supported with one endpoint using a static DH public key and the other using a signature public key. The AKE shall support the initiator signaling which public key credential mix to be used in the protocol such that the responder knows and can verify that the intended variant was executed. I don't understand what this means. The initiator doesn't know what the responder can use and so can offer but can't dictate it. S 2.3. The AKE must provide mutual authentication during the protocol run. So unilateral authentication is completely out of scope? Why? authenticated the other's credential. In particular, both endpoints must agree on a fresh session identifier, and the roles and credentials of both endpoints. What are the properties of this identifier? I don't see it described. Is this a CK-style session identifier? * The AKE shall protect against identity misbinding attacks [Misbinding]. Note that the identity may be directly related to a public key such as for example the public key itself, a hash of the public key, or data unrelated to a key. I don't understand what this means, but it seems like having names that are public keys is a potential cause of misbinding attacks. Moreover, it shall be possible for the receiving endpoint to detect a replayed AKE message. What does this mean? I don't know how to detect replay of the initial message without maintaining infinite state or an extra round trip (or catching it later in the protocol run) do you. Furthermore, the endpoints shall be able to verify that the identity of the other endpoint is an acceptable identity that it is intended to authenticate to. (This requirement extends beyond the AKE in that What does this text mean? S 2.4. Perfect Forward Secrecy may alternatively be achieved with a nonce exchange followed by appropriately derived new session keys provided that state can be kept in the form of a session counter. Note that OSCORE specifies a method for session key update involving a nonce exchange (see Appendix B in [RFC8613]). As noted in my comments on SAAG, the whole FS landscape is pretty complicated, and this doesn't do that great a job of capturing it. For instance, where do session tickets fit in? The AKE shall provide a mechanism to use the output of one handshake to optimize future handshakes, e.g., by generating keying material which can be used to authenticate a future handshake, thus avoiding the need for public key authentication in that handshake. Do we expect to need a 0-RTT feature? Because that has different FS properties. To mitigate against bad random number generators the AKE shall mandate randomness improvements such as [I-D.irtf-cfrg-randomness-improvements]. I don't think this should be a requirement. It's an implementation technique and in any case is not a differentiator for selecting protocols. S 2.5. * The protocol shall allow multiple elliptic curves for Diffie- Hellman operations and signature-based authentication. Does this need to be negotiable, as in the responder might have > 1 certificate differentiated by EC group? * The AKE shall support negotiation of COSE algorithms [IANA-COSE-Algorithms] to be used in the AKE and in OSCORE. A successful negotiation shall result in the most preferred algorithms of one of the parties which are supported by the other. This is overly specific, and I don't see why it's a requirement. The way you want to phrase this is that it resists downgrade. The AKE negotiation must provide strong integrity guarantees against active attackers. At the end of the AKE protocol, both endpoints must agree on both the crypto algorithms that were proposed and those that were chosen. In particular, the protocol must protect against downgrade attacks. Would be good to quantify "strong". I suggest >= 128 bits. S 2.6. In case of a PSK identifier, this may be protected against passive attackers, for example with a key derived from a Diffie-Hellman shared secret at the earliest in flight 3. As a consequence, in order to authenticate the responder within the AKE, at least four protocol flights are needed in case of symmetric key authentication with identity protection. Considering the need to keep the number of round-trips at a minimum (see Section 2.10.4), unless there are other good reasons for having more than 3 flights, it is not required to protect the PSK identifier, and it may thus be sent in the first flight. This kind of buries the lede. I would just say it's not a requirement. Other identifying information that needs to be transported in plain text is cipher suites and connection identifiers. Encrypting crypto What is a connection identifier. S 2.8 The main objective with this work is to create a simple yet secure AKE. The AKE should avoid having multiple ways to express the same thing. When the underlying encodings offered by CBOR offer multiple possibility the AKE should be strongly opinioniated, and clearly specify which one will be used. This seems to assume that CBOR will be used, but that's not decided. While remaining extensible, the AKE should avoid optional mechanisms which introduce code paths that are less well tested. I don't think this is a requirement that is actionable. The AKE should avoid mechanisms where an initiator takes a guess at the policy, and when it receives a negative response, must guess, based upon what it has tried, what to do next. I don't agree with this at all, and I'm not sure why this is here. There are good reasons to do this. In fact, it's the main way to get a three message protocol with confidentiality for the server's first flight. S 2.10.5. 3. To limit the impact of a kseley compromise, BSI, NIST and ANSSI and other organizations recommend in other contexts frequent renewal of keys by means of Diffie-Hellman key exchange. This may be a symmetric key authenticated key exchange, where the symmetric key is obtained from a previous asymmetric key based run of the AKE. Or hash ratcheting. On Thu, Mar 19, 2020 at 9:06 AM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Ping! Today's the deadline day for this. Please do try > get your comments in on time. > > While this hasn't been controversial in the WG, I would > like to see more comment as there hasn't been enough to > determine if we have consensus to proceed. So some more > mails saying you've read this version and are ok with it > would be good if that's the case. Or if not, why not. > > Thanks, > S. > > On 21/02/2020 15:32, Stephen Farrell wrote: > > > > Hi all, > > > > The authors have asked to start a WGLC for the requirements > > document. [1] This mail is to start that. The deadline for > > comments is March 19th in order to give the authors time to > > prepare for discussion at the upcoming IETF meeting. Since > > my co-chair Mališa is a co-author of this draft, I'll be > > the one calling consensus on the WGLC. (If that gets tricky, > > I'll likely ask for help from our AD.) > > > > If you can, it'd be great to get comments in the next week, > > to give the authors a chance to publish an update before > > the March 9th I-D cutoff, should they think that'll help > > us get done. > > > > If you think this is ready, sending a comment to that > > effect is fine. If you think it's not ready, you do need > > to say why and ideally suggest changes that'd, in your > > opinion, make it ready. > > > > As a reminder - our charter calls for us to park this draft > > after WGLC has successfully completed, and we'll not be > > sending this on for publication as an RFC at this time. So > > please try keep the focus of your comments on the meat of > > the content rather than on crossing all the i's and dotting > > all the t's:-) > > > > Thanks, > > Stephen. > > > > PS: I'll send my own comments (with no hats) in a separate > > mail shortly. > > > > [1] https://tools.ietf.org/html/draft-ietf-lake-reqs-01 > > > > > -- > Lake mailing list > Lake@ietf.org > https://www.ietf.org/mailman/listinfo/lake >
- [Lake] WGLC for draft-ietf-lake-reqs-01 Stephen Farrell
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Stephen Farrell
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Michael Richardson
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Michael Richardson
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Stephen Farrell
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Christopher Wood
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Michael Richardson
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Richard Barnes
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Eric Rescorla
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Christopher Wood
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Göran Selander
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Michael Richardson
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Eric Rescorla
- Re: [Lake] WGLC for draft-ietf-lake-reqs-01 Michael Richardson