Re: [Lake] Secdir review of draft-ietf-lake-edhoc-18
Marco Tiloca <marco.tiloca@ri.se> Thu, 26 January 2023 09:48 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC64C1522D3; Thu, 26 Jan 2023 01:48:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qpEN-eP8viFJ; Thu, 26 Jan 2023 01:47:55 -0800 (PST)
Received: from GVYP280CU001-vft-obe.outbound.protection.outlook.com (mail-swedencentralazon11012000.outbound.protection.outlook.com [52.101.82.0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACF54C1524AA; Thu, 26 Jan 2023 01:47:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QwsWVnjGH4ll5w+XhRdTO1Ryn9ow2Z5RTXKn23rztT1J6GezEYrDoXnb7oivOh5kRZSTJrL1CYq0uHDnAxKDmCV+g/ERItUDP/jr2MJXAG7wO2yi4UsO54vr3avg5yVhE/Bb8l4LXMrw83akp/vV9T+49CHH838gf38ti73/sUAcYGPf7LqDv5++9KlYq8k2NMWmUYA3oSzbpvBHbnUoKAcdMgQuSysNAcitIwEVUssUiKy4cfzxyiXPbb2DrqexuEHgV+ouuu+G5yLTf5HZ6iCbHKJe9o+yh2EWnvYCJEuRqIFXrcRdcjFbDqDrCMk+sRqM01DRLPqtsc93205ieg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=UIKLJ09unVcUCalvq/V07/ZXCGkxkyQDFKubYGUMRIo=; b=NQueV1dtiX65uJUJQ1hDvFo5l4aVMg7KvNLvCIjKs4+4q3wM94iLkNkCC7eN5SyzBQNcFhVXPUKQYYdAPLRU2Wg/S2x6Qxbuw4AomY3hh/Ta86WaJ7Su9XZ+172uadoVyEYwH1jDJaLJ5sHwIEYKJW67vygnwpn1R6mLbd5eMT9WFBO05AH33BSrFnESMbyi/JOyoIxX21YRbL3kdZKsAWdw+XODyhd8lhsYsIoN7G9RBk5IQPYfBEiDrZy5hdQ09ziHczF+NfstnRLX/6FuiUPkOFmBYspkTO7xO33QnP40qovCyf33bhap3g+mMJlZ+1ep+9FYHw8Yjl9IkX0e+A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UIKLJ09unVcUCalvq/V07/ZXCGkxkyQDFKubYGUMRIo=; b=jDgysC8CfiUHR46VetAVoO0ir/wb3/j3xuY0OEnQcptWrNeBHPLvpqrqcQAH7W92jfNjqCql15nI0HRM9ZRdlP+6/mm3vadl2rgzs8yw93A38XYQGfYIdHfS5pXiQy8PfsDPmpz42FP585k2gT4CYmSwK/8//wex9VORGpG0B+U=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17) by MM0P280MB0881.SWEP280.PROD.OUTLOOK.COM (2603:10a6:190::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.22; Thu, 26 Jan 2023 09:47:45 +0000
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::c92:6f2f:7738:ed9b]) by GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::c92:6f2f:7738:ed9b%3]) with mapi id 15.20.6043.022; Thu, 26 Jan 2023 09:47:38 +0000
Message-ID: <1cabe14a-2c5e-082e-96cf-8e03128c8a0e@ri.se>
Date: Thu, 26 Jan 2023 10:47:35 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Göran Selander <goran.selander@ericsson.com>, Radia Perlman <radiaperlman@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-lake-edhoc.all@ietf.org" <draft-ietf-lake-edhoc.all@ietf.org>, "lake@ietf.org" <lake@ietf.org>
References: <CAFOuuo5xrmSqHkca6YQLF9gZqEX27ziqvsw5B0mM5dYTU5O_+g@mail.gmail.com> <PAXPR07MB8844BEBBF579FFF102A85498F4C99@PAXPR07MB8844.eurprd07.prod.outlook.com> <PAXPR07MB8844A6073141A5ADB0CC87D9F4CE9@PAXPR07MB8844.eurprd07.prod.outlook.com> <HE1PR0701MB30500D8F1FA85BE91878BA4389CE9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Content-Language: en-US
From: Marco Tiloca <marco.tiloca@ri.se>
In-Reply-To: <HE1PR0701MB30500D8F1FA85BE91878BA4389CE9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------Vo1vxoRmWsbwzXRVgtEkEb9I"
X-ClientProxiedBy: FR3P281CA0109.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:a3::9) To GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: GVYP280MB0464:EE_|MM0P280MB0881:EE_
X-MS-Office365-Filtering-Correlation-Id: 91d29dfa-8689-496b-8cde-08daff825c2a
X-LD-Processed: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8,ExtAddr
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: jF23whSwCmpv1O6C0H6HRwATNvnGy1orqGqofK/c9lgI7c09yCggAs5IM8NlumtEnhM1qcVt9tpdqVSZvjfwMUq8bUgv87zyVh4N+iEh/FSegNhntbQzEwiZhvQdDwXQrJQaT/DAXCWDxy4MucnYtWD752E4SBq2/Rm3heMzJROBYwK7q71eNxGBvDBYbkZ7Fmml4mukDoBNWviJIeCGX7noyTTWNbP3JVW/srQ9Uw5ItQuQCrfL/CTSuPh3NrI8jIQZzgQukEmwlIFi3cTDzTCr07jUzLmfxL0+WqSUfpJ5b7FGalOv8l8ylVpVgBptHOTf03NoQgOYiNxyba4SMvrlQI6V2jd3929rCwWDD27DtLPaSO1ohxyJ83H4pihe5gYNjrCy7TeyffybEfoYanjhyqzyCHsVeqzDvSizJj1g7UcarEeVHXZkLkWTq754dbODx2TKzsp0T1UQSJkC0xDEM5xiRPf3Eo5rWPbaHnLAAJMmjwIYgrAXuW0WnsmSjXB1aNpU1ERZV/xlqdh9ZAI5qKJ+Y4bZi66VSu70NtFPYvpbcbOf7eEs9GTocoRfCPfK6ZUZTt+rIzF43QjKQd9uES3Tyuy3ffjwFffG68alkqeygRng4A9oXrFfD+XA+fcVhQCS380me/qyDulsRpqThILRLEWIjlI0yNXnGZQTWIOfhr7wG69Q7N5bTFCwXCcWV1z5hvHxfxyFzghMUmTW9Nlpync4E6UjceFXL+7OH98Mrxg7iZNBIUVCT3C9
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230025)(4636009)(136003)(396003)(346002)(366004)(376002)(39860400002)(451199018)(6486002)(478600001)(186003)(31686004)(6512007)(26005)(966005)(21480400003)(2616005)(45080400002)(83380400001)(6666004)(66574015)(110136005)(316002)(166002)(41300700001)(8676002)(38100700002)(6506007)(33964004)(53546011)(86362001)(5660300002)(235185007)(30864003)(36756003)(8936002)(44832011)(66946007)(31696002)(66476007)(66556008)(2906002)(43740500002)(45980500001)(579004); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: rM/qxQAH+ILyZy8ro8Jw1Sl3INHcfQurchSLTaZrkNn1gg8tGUFNEpr8N+FMIjs/IBcbXDmacai5Z9K/1IU0dxcR56yz9a8nnjqBDtbq1HOe+/c7xqHxI2ifsgo7gAldEOphA9oLrNKRJLFtYoxXScjWpUh5tgn8epXFRbU6aAewIog0PMo+PGAKNfP42QuNM/Ofz7KJui5Ar801JvVfHZmqYcEsmfSSEgfMvYfy3F+8MmHMUTRaRXLJ30gGb/L4zKZTOlUB/13Rta1Hn7/r2l6LatTykvVbTN7JKk6sstU5FQOc7Y9IJPye+I21gSr+bxlgsdrMuABp5sl4or1R6A+7uPuG3/hvHqAdlXA9PkfHiDbLzS8cCTZo/aL3XDcoLh2E7bj6ekJrLZVMgRuy6NlszhMsU3V4Kr/ywSB+/7FWy0IxeXKoiIJtYEsqt/qdVH5WOrquT0LpsXAS2ZmfD8YXwQS9puVJ6LB9x0ynub0zK/tVcVKhotgz+5Q+mcl9xVhJUnSnvXKbFasTQWHCvVxjyZewDf+kqSevFbNpD3uFxhkV8APb6KPk/0PhGCy68OHCHia3096dcgYmkoqmNKk4/P7AEXOWCHLfGWbAvdlscVXkYF7YC8A4biihmX/pTT9KL6AcIdqmCvh4iANO8cQTK35rCnzQaPRUmIAnPFH9gN1F1bxhPrL6L85OLwTDfg2OiYQl2HbJr7/7Rke0AkOTDHZeIIyUZdgxKdL9U5j1b796Bu7yq2Njww8vZD21t4vIx7RBPFgTRqDqdkCJebzl8aoAvXgjHqZkEKrnHjBshrHu4Z8BzSf5v3rr333a8lLylX5KsEfWv4Oxc4reLekUFHhvOYD1iO5gBVBm1WYOCQRnpOHuurnfjus9kD/BP4DXQI9by9xVasWdn+k5gqDOxIN0DQkX2Bz5IVRNv67p91aKzMbEefCvEBX4qwkMBAOs0hAxeRxVpe3sQF9JAKRnrCr9qDRaylcN6HNfZAdW9Laaagr0bPmBF1hY39qsLPLxMhb1zDD2iMQybLIMZF/SMwXTRTx4KSCTb41HYiuKryvZVhkbblL+SvYPL0Q2tTyVX0Drr3iOV3PaZgNYIWUj510cdb2Tf7L/ootWpu1uCQoFLgt1QZoiBV511slP3zFGgu2WeS9ieFyp4YXDtyppgVvYZZShk5Y8T+VvIQippf8gjur50buVY8cVpaVcAI98lmJGMaW9BKFNai9mk9VH0VbVHwLZjW1osv0gMf7UlsxiTjXbHsVZA2DUqRsjsACWZdRkFvHy8AWvQw7+N9f729ckoGWNFP2QoYU+9u+HFYmvTkRdthl/mRcZbOf1uid4pgdvOFcJiUM2HZ7q8B74lqQybeV0RjKTU/MZUDO1cljKzuhr3DBiG6cN0iuT9w7z87vzcbT2ycAdiGLG4R6YV84nj8fiwgbAltPfrDoC0otHKW45L83R+iMCLLoRNJ8gMALrtJ9lIAd0yLR+5iV33pw+Jg7CtxOA2Pf6PuS4uXoAyMdjAm2uBMsKVmIoLHRkyEndn1OcvNCFbHBDrOogkO7EMOnbQLl74X0JYkIv0coPdi65KDQRLlcUpFdq
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: 91d29dfa-8689-496b-8cde-08daff825c2a
X-MS-Exchange-CrossTenant-AuthSource: GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Jan 2023 09:47:38.6750 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: Pvb1tF4QTzcr7Ii0zlHpXcTSPpqzppIzOzEupNsAqvfxjgaz8x+ySqsxEAXEKLrIwCuKcICy+k9dQe6ZUWzBBw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MM0P280MB0881
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/I6xWGy2xZhjDwDRHMGjYws-F-44>
Subject: Re: [Lake] Secdir review of draft-ietf-lake-edhoc-18
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2023 09:48:00 -0000
Hi John, On 2023-01-26 00:40, John Mattsson wrote: > > Which changes should we do based on Radia’s comments? > > - Do we need to explain better that EDHOC always do > ephemeral-ephemeral key exchange giving forward secrecy with respect > to the long-term authentication keys? > > - I don’t think we should change the name of the “Static DH keys”. But > we should explain that they are only used for authentication and that > an ephemeral-ephemeral key exchange is still performed. > > - Is the term ephemeral DH confusing? Should the body talk about > ephemeral-ephemeralinstead? > > - Should Appendix J be thrown out? It is not used by KUDOS anymore. > ==>MT I think it's better to keep Appendix J. Also based on the related discussions from the LAKE interim meeting on 2022-10-05: * EDHOC-KeyUpdate is used in the EDHOC & OSCORE profile of ACE [1], for peers not supporting KUDOS [2]. * Stephen suggested to keep that content altogether (even if as an Appendix), in order to ensure to take into account BCP 107 [3]. Best, /Marco [0] https://datatracker.ietf.org/doc/minutes-interim-2022-lake-02-202210051700/ [1] https://datatracker.ietf.org/doc/html/draft-ietf-ace-edhoc-oscore-profile-00#name-use-of-edhoc-keyupdate [2] https://datatracker.ietf.org/doc/draft-ietf-core-oscore-key-update/ [3] https://datatracker.ietf.org/doc/html/rfc4107 <== > > Cheers, > > John > > *From: *Göran Selander <goran.selander@ericsson.com> > *Date: *Wednesday, 25 January 2023 at 23:21 > *To: *Radia Perlman <radiaperlman@gmail.com>, secdir@ietf.org > <secdir@ietf.org>, The IESG <iesg@ietf.org>, > draft-ietf-lake-edhoc.all@ietf.org > <draft-ietf-lake-edhoc.all@ietf.org>, lake@ietf.org <lake@ietf.org> > *Subject: *Re: Secdir review of draft-ietf-lake-edhoc-18 > > The formatting was messed up in the my response to Radia’s review > which made it difficult to distinguish between the review and the > response. Here is the same mail repeated but where my inline comments > are prepended with [GS]. > > Hi Radia, > > Thanks very much for your secdir review. Please see comments inline. > > Updates are being tracked in PR #395. > > https://github.com/lake-wg/edhoc/pull/395 > <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fprotect2.fireeye.com%2Fv1%2Furl%3Fk%3D31323334-501d5122-313273af-454445555731-bb10ca2ae3c3bf76%26q%3D1%26e%3D427745ef-5c95-47a0-829a-3e732e155bd9%26u%3Dhttps%253A%252F%252Fgithub.com%252Flake-wg%252Fedhoc%252Fpull%252F395&data=05%7C01%7Cmarco.tiloca%40ri.se%7C0573e835d4604c96a0ff08daff2d8689%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638102868263280565%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QPfvjZ5MyHzkY53BWuY%2B9XsCfScb2HYJif2aBo69Y4E%3D&reserved=0> > > From: Radia Perlman <radiaperlman@gmail.com> > <mailto:<radiaperlman@gmail.com>> > > Date: Tuesday, 24 January 2023 at 03:49 > > To: secdir@ietf.org <mailto:secdir@ietf.org> <secdir@ietf.org> > <mailto:<secdir@ietf.org>>, The IESG <iesg@ietf.org> > <mailto:<iesg@ietf.org>>, draft-ietf-lake-edhoc.all@ietf.org > <mailto:draft-ietf-lake-edhoc.all@ietf.org> > <draft-ietf-lake-edhoc.all@ietf.org> > <mailto:<draft-ietf-lake-edhoc.all@ietf.org>> > > Subject: Secdir review of draft-ietf-lake-edhoc-18 > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG.These comments were written primarily for the benefit of the > security area directors.Document editors and WG chairs should treat > these comments just like any other last call comments. > > There are a family of "lightweight" protocols designed for us in > "constrained" environments (think IoT) that replace other IETF > protocols that would be otherwise be used. The constraints may include > lack of CPU power, lack of bandwidth, lack of non-volatile memory, and > running over a non-IP network. > > EDHOC (Ephemeral Diffie-Hellman over COSE) specifies a protocol for > establishing session keys for use with OSCORE that specifies how to > cryptographically protect a session. So you can think of EDHOC as > corresponding to IKE while OSCORE corresponds to ESP, or you can think > of the pair EDHOC/OSCORE as corresponding to TLS. As you would expect, > the protocol is functionally quite similar to both TLS and IKE, and > the interesting security discussions would be around the > justifications for the differences. > > The name EDHOC is misleading, since EDHOC supports four authentication > variants, only one of which is Ephemeral Diffie-Hellman. The other > three are where one of both endpoints use a static Diffie-Hellman key. > > [GS] There seems to be a misunderstanding here. All four methods are > using ephemeral Diffie-Hellman, although some use additionally static > DH for authentication and some use signature for authentication. The > message fields G_X in message_1, and G_Y in message_2 are ephemeral > public keys and the shared secret G_XY is the Input Key Material for > the pseudorandom key PRK_2e for all methods. Is there some text that > is unclear on this point which we can improve? > > TLS 1.3 decided to abandon all such variants because they do not > provide forward secrecy, but I suppose it reasonable to revisit that > decision in the context of a constrained environment. > > [GS] All four methods do provide forward secrecy according to the > security analysis papers (see below). Static DH authenticated > ephemeral DH is also used elsewhere, for example, the Noise XX > pattern, which is similar to method 3. TLS 1.3 unfortunately did not > abandon all variants that do not provide forward secrecy; psk-ke is > even marked as “Recommended”; a decision that is proposed to be > revisited in > https://datatracker.ietf.org/doc/draft-mattsson-tls-psk-ke-dont-dont-dont/ > <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-mattsson-tls-psk-ke-dont-dont-dont%2F&data=05%7C01%7Cmarco.tiloca%40ri.se%7C0573e835d4604c96a0ff08daff2d8689%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638102868263280565%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=C7ofNVNFb6jedCIIziwq0n2BWiHYFU4XR6mOza%2FD3Wc%3D&reserved=0>. > > But I can think of no justification for the misleading name. The > working group name (Lightweight Authenticated Key Exchange - LAKE) > would be a more accurately descriptive name. > > [GS] That particular name change has actually been discussed and, at > the time, was not preferred: > https://mailarchive.ietf.org/arch/msg/lake/2uuzP5T2ijkYEMsbqzt03200U2s/ > <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Flake%2F2uuzP5T2ijkYEMsbqzt03200U2s%2F&data=05%7C01%7Cmarco.tiloca%40ri.se%7C0573e835d4604c96a0ff08daff2d8689%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638102868263280565%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=D4NU3UNH8hkurB1UFgHF9ENNtm8e0R9hHK5T4mk%2BjDo%3D&reserved=0> > > The authors may be confused about the definition of forward secrecy, > since in Security Considerations they say this protocol provides > forward secrecy and in Appendix J they refer to a key refresh > technique that has some nice security properties but does not provide > what is generally regarded as forward secrecy. > > [GS] All methods in the protocol do provide forward secrecy with > respect to long term keys. Compromise of the long-term keys does not > compromise session keys from previous connections. Compromise of one > session key does not compromise old session keys in the same > connection. The method of obtaining forward secrecy through iterated > key derivation was introduced in LAKE by Karthik Bargavan: > https://mailarchive.ietf.org/arch/msg/lake/-Fx-NVLrZohQ7p8Wy8VNpsDC_-M/ > <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Flake%2F-Fx-NVLrZohQ7p8Wy8VNpsDC_-M%2F&data=05%7C01%7Cmarco.tiloca%40ri.se%7C0573e835d4604c96a0ff08daff2d8689%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638102868263280565%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Uh%2BBglhnRxoREWuN4wxL0wFYLzvjxxObpDSa%2FZmzWMI%3D&reserved=0> > > Appendix J does not include a protocol since the WG decided this draft > to focus on the public key authenticated ephemeral Diffie-Hellman, but > the high level solution in Appendix J is the same as the key update in > TLS 1.3 and RFC 8446 states that this mechanism provides forward secrecy. > > Other differences: > > They simplify the protocol compared to TLS by not including the > variations allowing restart of a security context based on cached > information. While this makes the code to implement the protocol > simpler, it hurts performance. > > [GS] A resumption option with ephemeral DH would have roughly the same > message size but would only require one Diffie-Hellman operation > compared to three in full EDHOC. In many constrained radio > environments message sizes are the most important parameter for > performance. One perhaps more important reason to define a resumption > option is that fetching credentials from a database, validating them, > and doing revocation is slow. > > Variations of resumption for EDHOC, to specify in a companying > document, is for discussion; one recent email on the topic: > https://mailarchive.ietf.org/arch/msg/lake/sMUlR-8eOe5ZalCNpsQS69hlCc0/ > <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Flake%2FsMUlR-8eOe5ZalCNpsQS69hlCc0%2F&data=05%7C01%7Cmarco.tiloca%40ri.se%7C0573e835d4604c96a0ff08daff2d8689%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638102868263438017%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QfnBKi%2B6Wxz%2Flsw4H198QWprvOy5hG6OcEpYjHZZaos%3D&reserved=0> > > There is also the KUDOS draft which provides updates on the OSCORE > security context without using EDHOC: > > https://datatracker.ietf.org/doc/draft-ietf-core-oscore-key-update/ > <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-core-oscore-key-update%2F&data=05%7C01%7Cmarco.tiloca%40ri.se%7C0573e835d4604c96a0ff08daff2d8689%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638102868263447958%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=i2%2F9Gi9fwXvleTCJ2V%2Ffllklk2lUmsv9bqXkoKQKgjk%3D&reserved=0> > > The negotiation of cryptographic algorithms is based on suites (as > early versions of TLS did) rather than a more ala carte approach that > TLS has evolved towards. Further, while TLS has a system of initiator > proposes and responder chooses cryptographic algorithms, in EDHOC's > systemthe responder is constrained to choose the most preferred of the > initiator's suites that it supports. Further, the initiator must guess > the suite the responder will choose and the protocol may be very > "chatty" the first time the protocol is run (or every time if the > initiator does not cache the preferred suite of the responder). There > would be an extra pair of messages for each suite the initiator > prefers over the first one the responder accepts. > > [GS] One common setup for IoT devices is that there are only one or a > few supported algorithms, and that supported algorithm is known at the > time of deployment, in which case there is less risk for chatty > negotiation. Regarding caching of cipher suites, 6.3.1 notes that > ”After a successful run of EDHOC, the Initiator MAY remember the > selected cipher suite to use in future EDHOC sessions.” > > With such setup we believe it should be possible to avoid too much > chattiness. Happy for further input. > > Whether authentication is going to be based on Ephemeral or Static > Diffie-Hellman keys is not negotiated. The initiator is expected to > know (or the protocol gets more chatty). > > [GS] Negotation of method has been discussed in the WG. It could be > included in the same low overhead proccedure as negotiation of cipher > suite. But like the common case for cipher suites above it is expected > that constrained devices only support a single method which is known > at deployment time, so it is not clear that negotiation is needed for > the most constrained settings (or a significant overhead in less > constrained settings). > > Finally, rather than negotiating a symmetric encryption algorithm for > use within EDHOC itself, EDHOC generates an extended PRF output which > it XORs into messages to encrypt them. In practice, this strikes me as > a clever hack to greatly simpify the specification while not > substantially hurting performance. But others may disagree. > > There was a reference to an analysis of the security of the protocol > (which is based on SIGMA). I didn't read it, but the design of the > protocol looks sound to me. > > [GS] Just a note: We have updated the list of security analysis papers > we are aware of and which we have taken into account (Section 8.1) and > there are now 5 publications analysing different methods of the > protocol using different techniques: [Bruni18] [Norrman20] > [CottierPointcheval22] [Jacomme23] [GuentherIlunga22], see > > https://lake-wg.github.io/edhoc/draft-ietf-lake-edhoc.html#name-security-properties > <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fprotect2.fireeye.com%2Fv1%2Furl%3Fk%3D31323334-501d5122-313273af-454445555731-81c5b24e4d1baec7%26q%3D1%26e%3D427745ef-5c95-47a0-829a-3e732e155bd9%26u%3Dhttps%253A%252F%252Flake-wg.github.io%252Fedhoc%252Fdraft-ietf-lake-edhoc.html%2523name-security-properties&data=05%7C01%7Cmarco.tiloca%40ri.se%7C0573e835d4604c96a0ff08daff2d8689%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638102868263448691%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wSDDdk%2FHFeW8vTRkAV2DA0Ne543Yr%2F2T3auOCWPgI7w%3D&reserved=0> > > Nits: > > >From Section 1.1: > > "This specification emphasizes the possibility to reference > > rather than to transport credentials in order to reduce message > > overhead, but the latter is also supported." > > -> > > "This specification supports the referencing of credentials in order > to reduce message > > overhead, but credentials may alternatively be embedded." > > [GS] Done. > > In Section 3.9: > > "incompliance" -> "non-compliance" > > [GS] Based on a previous comment we already changed this to ”lack of > compliance”. > > Thanks, > > Göran > > -- Marco Tiloca Ph.D., Senior Researcher Phone: +46 (0)70 60 46 501 RISE Research Institutes of Sweden AB Box 1263 164 29 Kista (Sweden) Division: Digital Systems Department: Computer Science Unit: Cybersecurity https://www.ri.se
- Re: [Lake] Secdir review of draft-ietf-lake-edhoc… Göran Selander
- Re: [Lake] Secdir review of draft-ietf-lake-edhoc… Göran Selander
- Re: [Lake] Secdir review of draft-ietf-lake-edhoc… John Mattsson
- Re: [Lake] Secdir review of draft-ietf-lake-edhoc… Radia Perlman
- Re: [Lake] Secdir review of draft-ietf-lake-edhoc… Peter.Blomqvist@sony.com
- Re: [Lake] Secdir review of draft-ietf-lake-edhoc… Marco Tiloca
- Re: [Lake] Secdir review of draft-ietf-lake-edhoc… John Mattsson