[Lake] review of edhoc-12
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 11 November 2021 00:38 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2D393A148D for <lake@ietfa.amsl.com>; Wed, 10 Nov 2021 16:38:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QS8I-4a7M6n4 for <lake@ietfa.amsl.com>; Wed, 10 Nov 2021 16:38:39 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130113.outbound.protection.outlook.com [40.107.13.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5214F3A0A84 for <lake@ietf.org>; Wed, 10 Nov 2021 16:38:38 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JLGWrDTr94h4AA7BBAfo3PD8aN4qvUXP+IqTfWOXzMRf9opUdFEC8YoMhPqOUfa8Pg/NxmrU/v6SZa8u1M6qEsCaQ0x93xPCqcLnToGIDZJNRKCCkjokpoqO8pG+3bFfpdoJlIxMslYrnqNprzc22Fajle3Xefn5ZPcU1TKJyblnTOh/ayAiI5K8TW7ndxxHcflawQ+KO4PR4YrubNxahALklBif9O6y7VQxq7Vp6cXHAXmPItjD8vkID6e2wxJVf0bK/DZPYW8jHRUPz5L4dj3Lytr0G4Lw+tzTfS6Jr57HP27l6he4Sz8S5XjS01iLUvYQgnj24Uk+PqbeqGXRHw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=YMaaEJAYhlmeo0X4bOxGmTAG8KujJHttPNBJihoRxKY=; b=Vw1gjeVFo3ifjyKZQOY0hAjhV7ANGTvpJXY5JCwqhQJ/YCBSoeKSzIgAfI8c066I2SyrZmbr07OHEj/WpG2F+t4nEPZQSJmaMSiarNFnDtukLdHtQ2OF3JvnVEIZCSugbD6Sk4kiu8Ug6GDkoWwDd+e96YZ4/TXbyFJsR4d3wxUTuehfcCtm5CVafXpx4YKHF86Yj6HNOOM/7snFRJrc75K1rVG0Md+Bf3Nj8znwu9hDNg8eNq/dfbxP/TawVX0I2QX7qh9vb2OG77OvtkPVYXbp43Vovd0WWMf/4SJ+NNHe1kScKPrzbHw0a51R4n+NMyMmCQAE0/YFCgylm+5gJQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YMaaEJAYhlmeo0X4bOxGmTAG8KujJHttPNBJihoRxKY=; b=o6cP1X44uGVzsGZ6CA74qIF55ElaCi3dIvWzhrcY3VjFAR46G/1U1orZYuVgVAT6CWEXd4DUrQZzNCpLpQhvrBayBh28xtEQcZXqdHpegze0D4+ml7CZihTbujje8GOWfQmpYQzQlUh3QAvk0T28HTCOLVVNM+b/fT4zksdLR+cXdNskAS1r7jNtNHg1pnJTTvM/jshpQjDTh6G8h+X7xmdWvQXr9Ah4lX9djCWUwMldbOcYjryGoQYZxLnhU2AknEO72iBJIL07YG9JdnKXt/aXthVCALxllA04NSf6brU/dIgy0kmtSxWhFifud2vS8PMKULSgH/fTdzh0Brbf6g==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by DB8PR02MB5548.eurprd02.prod.outlook.com (2603:10a6:10:e1::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.15; Thu, 11 Nov 2021 00:38:34 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::cc12:31d:4dac:8672]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::cc12:31d:4dac:8672%3]) with mapi id 15.20.4669.016; Thu, 11 Nov 2021 00:38:34 +0000
To: "lake@ietf.org" <lake@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <617ce86c-8b4f-84e2-8eec-ae388cf023cf@cs.tcd.ie>
Date: Thu, 11 Nov 2021 00:38:32 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="0ZsVQAKD4akHXkKP4008gqByCnsNehezK"
X-ClientProxiedBy: DBBPR09CA0040.eurprd09.prod.outlook.com (2603:10a6:10:d4::28) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [10.244.2.119] (95.45.153.252) by DBBPR09CA0040.eurprd09.prod.outlook.com (2603:10a6:10:d4::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4690.15 via Frontend Transport; Thu, 11 Nov 2021 00:38:33 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 56c3c295-1f8e-406f-d76f-08d9a4ab976e
X-MS-TrafficTypeDiagnostic: DB8PR02MB5548:
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-Microsoft-Antispam-PRVS: <DB8PR02MB5548716C2B3641AF655120E7A8949@DB8PR02MB5548.eurprd02.prod.outlook.com>
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Oob-TLC-OOBClassifiers: OLM:7219;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: ASMc5u2kqv2/o5fwjijCDlc3G0uKru+DL9GbWr2742ybIkkZgz0azQUr5apEkfUXIw3I1YaqsgJpY3A2TVWPnl1RzMqJ0PsiKAocj/SQScAry63+5ZkVaQwGLshqzr1iUoTO4kDfUgU9nP0soIzaovgZLZfWmQS6Oe0188v0G7jgcUKIQWSkVV1/1n1wgPzVJd388Xjf1AVGmR8ZzryWHr+U7j+AGe7M4G01rj9dvxDVoxLyOGfIfTm99zV3e/O43Q4PiJW0ZJr1KEJgy8LDz/H8/YgEZz5+spfIJX4tlcPYQiV1oUU8dgzDd4qekv8EA9gKG7U7sF2L9lPX4sfLzg8MAD0hVke6ri3YF60tcqDf4CVFZRExzhVm2b/8yc8i30Wz2x6gHQZ8ODnDX7hxyTXTVU7sRXGi3zxqYJgkDEGfV0tqTT48snQCJry7GL6nIgZ6gWQgXoYrUVGRi875Flida4N3P1PO5pe4gOx+n2Xi3VUHYYnWLSmN8fpcwdkCnbvtSE0bwkvDzWL42BbRdoOv9MbbPLrbhJRUeOxydx6Y6dCqdyrSlKWCCjWaolohHeAcOUm9SLYwxncuQHa9zEq1rtz5VDgykUAPmv4KrBTch8pzqLsjctpaXee+1K81ZcP2KLmCAMa7SMZSAfsUidzFZ7gpWmpWbun9ZL3KuRuHsLlivxDkT6mLhSZ3b/0jlW5Uak7g+nbjH6CmrcT0An70fI/Wthscn2Hdp5qVZUcxFluTyowWd2unV4bcMAAxDAkURe9MrcfkFqWFjEjYSATQ0YjHThdM+LyBFv3MP3DzSEE+PFGDUkuTeOGKjzk3
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(235185007)(2906002)(8936002)(6916009)(966005)(44832011)(956004)(36756003)(21480400003)(83380400001)(38100700002)(26005)(33964004)(86362001)(186003)(8676002)(31686004)(6486002)(2616005)(316002)(508600001)(786003)(31696002)(66556008)(5660300002)(66946007)(66476007)(16576012)(43740500002)(45980500001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: TOhWcKAyeoHF1/oDo9CoQTJWjD1yeBHTuLVbeJfIS6sJ8xJijyDucJSBF613Pmr04g1mDhGsGCjPAXQP9EX+/n4H1gTV2FgzuP7pO2taHP29ZoEoBy+I2zAKYykQvI713JJGUrkeMaATkiOZW4JFD5JYcgrFGZ4KAnLRdnaCQV6IQJlWYSMB7i6YedoqLIaLdbCOt9k2rbyKRE7RLiGN2CACFL/ZKp9HErPr3u0xn2raCFQ8uZzMJBcsjfBI+C8jNAuv1vTqZVHg6rGAKbObmh/F+1rVKtJgpQ5EX77GqHM29Leu7FZPDHzvwDJKgXgYXkUIpRAaY/ACSTuGLz4F7DSPLTcbiTMn8CHOcEuyM2/Ua7rivb4STl4cE1WkxpoOMfL39zDDAWE2jkGJ+ahayYzWR0mp7njt0zThIT84+eg/GlPelVN3+tITJYEko7DKe0NmQFQ/PegPkFXznfIKSsTYAOnXALSCQQQpjQnhryPRLhAMhcumOiZlJYcbRizki1fhujpWZic8sXbOoYrRShe3GzPLxfcvnfJB4I4eWw+FBF3JZbHrLPEvBy1XWjk0GAGVJSZDHCGduIkLc3jihU31ocgmiE+ylOOaJenkhWUG5hM9pqmK3yfIe/gzWlQQ8wLHEuo36q3lkbALJkVqbR2+BMoJqMeJrf1EqxrHcrHm9u1Jqy47eDwG6yyJQZctINBYP5/lfr7QLDczSpGyZ/VqqfXrVlXigHp6mF0vBqjeg2brF1GZiuD4o5cXfMby4R1vX4u3MIF0kVccxY6vxOpyFKLapCtNSuDqWEsphsIMitSNHpJw06/jkvq3qh+2FY39rXRVFyhqgx8AsJtZpCl49Z50Bi6o/BDEMLQKHfPGjzm8Q8stEVTE6LR5NGY0ilJ6vDf8ZyuZNt78QDEOpnl78uCNwwSGSh3NU7fDrDNBnr8kx3kEQnoieAA+Um96T9sfF8xMH6kQnV5NceuTTsK7+F5qXqRSS+D1t2wp9GqjMCWOibwNlK1nd2+ktlRMDR0nl+rMyCx4NQWjpNdGP3yGbXIw6YjoMfxfUuooErpCdihr6TFHBN2Z9rwvFIonX3Tk2nt4Q+YZkTd2OLpnMqaQT0q7yN83QJlzolqwVUR76y+4GBv/75NTovVl4pj0tGl+8Pp+wMUki1u1sdEzl0NDsK0I4mQ2d1f/t6Ipq0EvOFJ7ruOAqUCFT+xgjkbfbz1C9IKz7DAQ2jUfkyxLFhgGPmLRhs/SFhpl4uhv7wxHsl7eGHpK8VeHUBMMQVFz/nwv3PjU5GdcxpCGcAon0rGrsrHeqq3bwlImf5hKlWYpe9yYcxD00YhFmSBzJ0daM9UNl9aiK2Fe4kaMe8TaR9CYVwDy+jXwWrv+NGr8eSDsac5orBA3UbClb+SC6NPIJwvBNuPRyuvbzCJS+H7cXF770W4kxPpm/K4/NSu3uOeMA+3ub4p2/Ldh9G4Rz7aUSH0i41LW0REuNc8vwrjSwFFgL1BqH/y/xivxikcd+BSD4V5L2xqL400duohAzAaoBu+8EqvAeJx0Cf6MCHZ7SmmUWXexi8wy4x/9nPL7qjw=
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: 56c3c295-1f8e-406f-d76f-08d9a4ab976e
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Nov 2021 00:38:33.9760 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: uIQHfM7yxzkrPSe4EUGLSe9oVZurG7oihL9dkHEkJkIANJ2btUydY5q94j388Leb
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR02MB5548
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/JMVbv_rlfozxMh3n9ckmB7lvxAM>
Subject: [Lake] review of edhoc-12
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2021 00:38:47 -0000
Hiya, At our last interim I also promised to review edhoc. This is my late (apologies;-) review. This is all review by me as just another participant, not as co-chair. (So please do feel entirely free to ignore bits or just say no.) Generally, I guess I could implement from this, were I fluent in CBOR/COSE etc, so I think it's in good shape. All but my first comment are editorial. I assumed that we'll have others who do crypto analysis and implementers who'll provide yet more detailed feedback as we go, so we're not quite there yet but getting pretty close IMO. Good job! Cheers, S. - Connection identifiers (which can be byte-strings) are sent in clear which could enable various network observer attacks for protocols that later send values obviously derived from connection IDs in clear. (I see from A.3 that one main use case does expose these values anyway.). To given an example of how this could be concerning, if some proxy (that just muxes packets) sits between I and R then those cleartext identifiers could allow an observer on that link to more easily do traffic analysis of a specific initiator's traffic. Was any consideration given to deriving such identifiers in a less obvious manner? I'm not claiming that that'd be a great improvement, just asking. Editorial: - 80 pages is still big, I understand its hard to delete stuff but hope we keep trying:-) - 1.1, CWT, CSS and C509 could do with expansion here on 1st use. (Perversely, X.509 is probably sufficiently well known and disliked to not need such:-) That might also make the text before (or caption of) Figure 1 easier to read. - section 1.2: last para - this is repetitive, suggest making these points just once (Aside on figures/captions: I always find it a useful exercise to ensure that a figure+caption can, by itself, make a meaningful slide to present with no additions. And then I remove most text that's already in the caption from elsewhere in the document. Might be worth a try.) - Figure 1: I don't get how the "Figure 1 shows..." sentence results in those example message sizes. I'm not doubting the numbers, but the text could be improved (maybe, as suggested above via caption text.) - 1.4: are "EDHOC authenticated with digital signatures" and "EDHOC authenticated with signature keys" different things? If not, using one term is likely better. If so, using terms that are more clearly different would be good. - 1.5: which is normative, CDDL or English language text? We seem to have a bit of a mixture. - Figure 2: I see why message 2 doesn't also use an AEAD(), but probably no harm to say that more explicitly here. Maybe moving some of the relevant text from section 8 to here would work. - Figure 2: consider showing the AAD as an input to the AEAD() construct in the figure. That might be too cumbersome or it may help, not sure. - 3.5.1, 3.5.2 and 3.5.3: this might be some text to shorten a lot - how much is it really needed? Could it be cut down to the stuff with 2119 terms and a bit more? (I'd keep the examples though.) - 3.6: does EDHOC *really* support hash based sigs? What'd be the consequence for EDHOC of using a private key too many times or loss of state? (Are you missing a reference to rfc8778 there too or is one embedded in COSE stuff somewhere?) - 4.1: Be good to clarify that the PRK_<foo> labels in 4.1.x are basically local key names. (Same for others in 4.2.) - 4.1.2/3: You need to define R and I in each of these as (I guess) the static DH secret and not as the identities of the initiator and recipient which were (I thought) the previous uses of I and R. Might be better to use different names though. - 5.2.2: What does "truncated after the cipher suite selected for this session" mean? (Also be good to say order of preference means first in network byte order is most-preferred.) I'm also puzzled by "but all cipher suites which are more preferred than the selected cipher suite in the list MUST be included in SUITES_I." - 5.3.2: This seems to be the first occurrence of the "<<..>>" symbolism. A forward ref to C.1 would be good. - 5.3.3: is it ok to pass EAD_2 to the application before checking authentication? - section 6: I found this v. hard to follow. Suspect a re-write for clarity would be good. - section 8: "EDHOC provides a minimum of 64-bit security..." could do with a reference to wherever that conclusion is derived. And 64-bit security isn't quite "in line" with TLS is it? - 8.7: stating that a "truly random seed MUST" be provided isn't a sensible use of 2119, and isn't entirely under the control of an implementer (maybe the section title could be re-thought?). - 8.7 (or somewhere): if some random values are visible (connection identifiers?) then it can make sense to derive those from a different random stream compared to that used for randomly picking secrets. That way the publicly visible random numbers are less likely to leak information about the state of the PRNG used for secrets. Could be worth a mention. - 8.7: discarding a message_1 because of G_X collision/reflection should also be stated earlier - it could very easily be missed here. - 8.7: TEE => "cannot" be tampered is a little optimistic IMO. - 9.10: The well-known URI is not mentioned at all in the body of the spec but only here and then in an appendix. A forward ref to A.3 from 9.10 is probably enough to fix. The same may apply to other IANA registrations I guess. - 10.1: are we confident that all the normative I-Ds will become RFCs in a sufficiently timely manner? I've no specific reason to think they won't, and they're all far along the process, but sometimes transitive dependencies can cause a lot of delay. (Very sadly, we can't just ask Jim about this.) - A.1: "byte string shaped"? what's that mean? - Appendix D: Point 6 mentions an EUI-64. I'm not clear how that'd be used in edhoc. - The URL for SIGMA can use https so change to [1] [1] https://webee.technion.ac.il/~hugo/sigma-pdf.pdf
- [Lake] review of edhoc-12 Stephen Farrell
- Re: [Lake] review of edhoc-12 Göran Selander
- Re: [Lake] review of edhoc-12 Stephen Farrell
- Re: [Lake] review of edhoc-12 Göran Selander