Re: [Lake] review of edhoc-12
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 14 December 2021 13:53 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69A483A0CAC for <lake@ietfa.amsl.com>; Tue, 14 Dec 2021 05:53:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.852
X-Spam-Level:
X-Spam-Status: No, score=-3.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-1.852, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6TjyPohNlW1 for <lake@ietfa.amsl.com>; Tue, 14 Dec 2021 05:52:58 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on0723.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0e::723]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B0253A0C3D for <lake@ietf.org>; Tue, 14 Dec 2021 05:52:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MmRBrVyTJ8xuB+QyjYFNFB3CO/TrB1kwoUU0TTcgws0nreW4aezOmjMPVnYlAswBHizVhjW/rM2LFdYP9BlQOhKmEMD3WWEJ9un/cicMvzGI/DXcUUp8izqOHWYxVThjrQDEer+9mWM9uEuJv9t/llkx5v97X0Nu4HuEr+CPC2GY5imchGiWW8BJ5SYBGn2GsRosfH7SlgM+84caJov3YSSTpO6wSs8sIk+Bv3RiqJf0alnLnj1R3BqhFI7iblkGfaiWv6soK7rIR8tlwWcQQv/GIhQA+btaHYXulP9zxinrbxwmNNAJyYyXfXgHb19hfUsenFM/dgqRzy74FYYe9g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=MApnN7h+ZVLtQxvP9y4hFKH3PQ+O0Q6lMn7JhG6X7Fs=; b=EgZaQJ2xm0fbLQisnOy6HahA83feruFmZxPCyhPpRl8kNR/TCQXW8oIXadbvujmgX5Wc1or85i+xqOfiCpREJ667W+3fQF6OgyHnwCtMqyqXi4kAkW4qnI2mrrpKdgu0yO3E8q+hVAFJPz9017fFLWw/a2zAQQFxRLdpkWim+yYJd8Pdg0AMTcW+rH4I4rgKUOhaMgIVHvPbk5q1o+osbl1PD6YvLnThKszJL5s2fbbElUaJ172FuywP1fDvdqHpqX2S7wM9jh64/TNvGlPL2flGbHX0B0TDRTiPUqBv4L+BVX8y1Bsy599d5euhvGsSTgR64ikADdS0Jg6CEEJs7w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MApnN7h+ZVLtQxvP9y4hFKH3PQ+O0Q6lMn7JhG6X7Fs=; b=Ay6VqtDhmsUGZpUKUY0LMWuKYna+dhFa2bvS1q7AZAPAIJWiZRLpVLsneFN+mFVQpUd53dM6HrX6qTeUSZmt+An2E3KUk2cxt1OVO/2MmUtyo1tKZtoXi19u8Olpp1ymW3JlwoN5dfUeSLxenhH5oixBsfQDJerklNZY1bpPlelqEYdnKcu6lM+G331agXBt+qM9fE6bgafFVQnxvWPi4uw+AWaMSzCPU18fGdoGS/ZAeZ0+6xj8aBZFLprbsqOHZbHlH7BLHkPxE3UWL1SjQK8IpyxSMiJLEH+GhV6SVOjOXWekQsoPdQEUSJt5o1UdK5uB8fS4uhV2K3Wsu45nSg==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by DB6PR0201MB2376.eurprd02.prod.outlook.com (2603:10a6:4:34::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4755.21; Tue, 14 Dec 2021 13:52:53 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::a85c:e144:6533:99ea]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::a85c:e144:6533:99ea%4]) with mapi id 15.20.4778.018; Tue, 14 Dec 2021 13:52:52 +0000
Message-ID: <7ee16a0b-e4f1-f65d-4032-ff759ddbd238@cs.tcd.ie>
Date: Tue, 14 Dec 2021 13:50:32 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.1
Content-Language: en-US
To: Göran Selander <goran.selander@ericsson.com>, "lake@ietf.org" <lake@ietf.org>
References: <617ce86c-8b4f-84e2-8eec-ae388cf023cf@cs.tcd.ie> <AM4PR0701MB2195AAF05ECB2A7D7B0597AAF46E9@AM4PR0701MB2195.eurprd07.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <AM4PR0701MB2195AAF05ECB2A7D7B0597AAF46E9@AM4PR0701MB2195.eurprd07.prod.outlook.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------rBqricANwFTA0Xa0LFMxAC3Y"
X-ClientProxiedBy: DU2PR04CA0086.eurprd04.prod.outlook.com (2603:10a6:10:232::31) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: bb49d404-a25a-4e07-a8f7-08d9bf090618
X-MS-TrafficTypeDiagnostic: DB6PR0201MB2376:EE_
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-Microsoft-Antispam-PRVS: <DB6PR0201MB23766375530E43FFC52C5830A8759@DB6PR0201MB2376.eurprd02.prod.outlook.com>
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Oob-TLC-OOBClassifiers: OLM:6790;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: //s7YNdNnZ3JbXq3lvWvliRNp+8WSNYVFfMLup7ZcyOkQ4bH/6dytHICMlxsdwuCNk2H70T6mJRudskzTKPSdM0TPqevJlNrq/n5hR8kJppUx9ufBEuI+idiGl8cYqWA8MhWJGBGdXTEHLgekMqTCLlsFZnT9tM8WOYH0kTarVc7RyEz0A/gHBrHkYXEjcpZFT7rP0+QkCUJL0DHMCWCsiOO1Q/SbTEkTVZE3cHiDkBVSjsXjRoX9xyR7JB74lFWdFh/cR5ePTuJ/PWEshmeU7krYTJ/2DfDpqVSgmWXLZxV3auXHsleeDIE0M8QBb39YPlpOAhB5uE/KbC7qybuRrDa08KT9Q3GmligIYZ9fNu4ZZpP9RXbqGPUg0dqt3WIz8bpThaXr4nbnf9E6w7rR3L7AYlb3YnMwOP8XayplHZb257FUkWDE8tzLQiAbovyv2UK2o7O4LW/SK1LK9KuTHYoqObszeLW+dnnXWBAZuxBkEqVnuI9/lRXNtXDgH7f9JgFV+f7Zmqpl9t+UUjxIU0pct177aj6o2/Fjs7/p7jHCebxh2pif+0UDxBFMyDhUjQovdbMK+r10N7gstNMBXWQKVatBWwNQZez6IODZ8KweEK4OwxHxf/2kQo5ev2MOSEePI0SPDTAVmITBX3GJmrQ53rd+Eul76SaPBGvbjce0Q1+MjsmZuJJf+Or+z2ub0axey/glfEqriVLVemLb0CSFJVnGUuVakw0nFLe+TIUy2OOfky2A6wnNJ9ywCC8k+RqzPAroAyuWuEASVp7zSrUpkjU1HEsXpWogdI6pc7R9q6obUxDr356VMukfGbf
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(36756003)(5660300002)(33964004)(45080400002)(38100700002)(235185007)(31696002)(8936002)(6506007)(110136005)(6666004)(53546011)(966005)(6512007)(2906002)(66476007)(8676002)(508600001)(786003)(86362001)(6486002)(26005)(30864003)(66556008)(66574015)(316002)(2616005)(83380400001)(186003)(31686004)(44832011)(21480400003)(66946007)(45980500001)(43740500002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: u+CJFOtSP4BbfOfTsHRaYCrfsGNmduOdwLQWO2IOJN9kxnf6r4N44aJLiC9Tbnu7mgEs9pudQETTdZcGrUEAFNvCWkKlzQvgVdmSyep7wD+wKu77DuWVv7zWcVne7SIF2IllJLTzH2qZZgAY2KwkXSPzoi+20PWdXBfM9p/cqDTrRPof4tVafkgDcRMBfI4k9pDF5SNLf2RT+GraVwp49Sxd2Of3e5nVQYZ3sABeM1vyIkQKM7DpzpRBDovrR5F9c+QI9YCSCofJbHQm7ss/qcCJpdRGgQxynysVdkhIAbWEfje+6+GkGyFTzdApaa6pTheh/Pj0LCMEcJdd6NeSnznkK0YT7zYkG8KEGrOaEjVgPLLmU7DrrFZlASvKl6Sf+9nZMKGQSfDryBaDZdfa7zDixf4IFJr1tWTT04v1hhjre9wIZck+ZLC03GsLeEhEMYIqWdAiL34dZy+eSgpsUC5EFAC08jhBYMv4Q2iwFBcoBavYq+0CuoDAoAw+IKKJ7rIXUb3Y7tYSz4sGStzCJFXeuxL/+PoE7aTeG1G/kSvvZNpv/cgX1oaUkDRuzA/QEgjTNidYQ1As+Wax3WFCLdkbebJP8qMcIAmbc3cmVrN/Qo+jspN1izVAHpmBt3jrGU1qGQmK9dc9xZRMQSiO6zqxftgbobj3bZCG9GFllr+cC6vpYbdvkBsPweJvJpHA+sUdK9BUA4iD1XXvuqsGoXn8y5iibk3UmvGJszGuE25g6daz9583YXVaVSPQbncgpnZdgXeyVYAdu4rqnSKtT466F0LNrR28vOb7qhKOqrAWN4/1FCICGkIIhzXSPVsQOEcQKCzsuZa76sSXPpymGCIfVOvvAujNKDiP/YbfoQDI/TKwbNgpg57f4pnYUz6IGtDiWsFIwA9MB476MxgNoPjej20wo2pS0Jlg65ATag7eHjARnZhR8nB+qY9RAATFFapGygs1JGgARe5y/f+eLC2LWiKmqY83D1KDcUWy1C3batfuwWzRlg+l4MZRf9W9HoKfoP3BRnNXfFwkXE1nRG2Mr9twSiFOCza1Y2bv/zrdnY51e2PgJOILfEGq086+sEkqK4831WeziPzZBAZntQTnTDvNZltzdzbRkpOsVONjKXOJD1ubOxvdKUZ5IYw+5r4dgpy+TKLoD/xmzhYqbyieJ1sHsVwXar+RyYYqL+a/NhYbd+NhGI+L/K7M3EVsQQHTWP3WP/qm7YgxGJo4cQjuH7lm4zw9mNJRQhapHYBaRYkTwAzdYVwtYCDlv5Bh2ZfoEAPuqtGJDoRSOH64AFe6w1ZBpt+OrZXikSuOHNxjMgpSBtYxAx1mDwftPVEqGwZJr2H2N1GHU+rYOk3F/WhkAIF9H0QK/Cmnd4ZY0kqaUTCTwM2Yff8NIJxtXhla75ZpDRKkinIAxslUtYW3pkj41+KnsYlvCm5G80EvSzAiL8ur7uOL00HjHfQt3ulhFkWv1w88b+dAD5eOmjAG5t0nvAyT6Xpr+w76fhVyxm2gITTdAgXL2XYrLx52cLPeA2TJtp0JMrkq/Kaj+lH4G+1y7vaq5rkpOya7YwP5JYI=
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: bb49d404-a25a-4e07-a8f7-08d9bf090618
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2021 13:52:52.9095 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: OqvDSX5P5oCDu140QfpkBWafMvVGwPhm3cKlsJT2usKX8gYA3JvaUaI+m724X+As
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0201MB2376
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/V8b1uRnvrE8mju1mxu7JNg29BEk>
Subject: Re: [Lake] review of edhoc-12
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2021 13:53:05 -0000
Hiya, On 14/12/2021 13:43, Göran Selander wrote: > Hi Stephen, > > Thanks for the review, it is recorded as github issue #202. Comments > below. > > A proposed update to the draft is in PR #211, but some of the > comments we made into separate issues or additions to existing > issues, as detailed in the comments. I'll go over this later but do you prefer a mail thread or discussion on the GH issue where there's one? Either's fine by me... Cheers, S. > > > > From: Lake <lake-bounces@ietf.org> on behalf of Stephen Farrell > <stephen.farrell@cs.tcd.ie> Date: Thursday, 11 November 2021 at > 01:39 To: lake@ietf.org <lake@ietf.org> Subject: [Lake] review of > edhoc-12 > > Hiya, > > At our last interim I also promised to review edhoc. This is my late > (apologies;-) review. This is all review by me as just another > participant, not as co-chair. (So please do feel entirely free to > ignore bits or just say no.) > > Generally, I guess I could implement from this, were I fluent in > CBOR/COSE etc, so I think it's in good shape. All but my first > comment are editorial. I assumed that we'll have others who do crypto > analysis and implementers who'll provide yet more detailed feedback > as we go, so we're not quite there yet but getting pretty close IMO. > Good job! > > Cheers, S. > > > - Connection identifiers (which can be byte-strings) are sent in > clear which could enable various network observer attacks for > protocols that later send values obviously derived from connection > IDs in clear. (I see from A.3 that one main use case does expose > these values anyway.). To given an example of how this could be > concerning, if some proxy (that just muxes packets) sits between I > and R then those cleartext identifiers could allow an observer on > that link to more easily do traffic analysis of a specific > initiator's traffic. Was any consideration given to deriving such > identifiers in a less obvious manner? I'm not claiming that that'd be > a great improvement, just asking. {GS: John provided a response in > github issue #202 (second post on the issue). The discussion also > continues on the future-OSCORE-update repo [1]. Here is my attempt to > summarize the topic: 1. Connection identifiers are selected in EDHOC > and may be used with EDHOC (as in A.3) or in OSCORE (as > Sender/Recipient IDs). 2. The selection of connection IDs allows very > short locally unique identifiers. Derived stochastically unique > connection IDs would be much longer. 3. Connection IDs, either when > used as in A.3 or in OSCORE, work as key identifiers to facilitate > retrieval of the security context used to decrypt the message and > therefore need to be in plain text when used for this purpose. 4. > Connection IDs can become more difficult to trace by negotiating > multiple connection IDs for one security context and/or by updating > the identities in ways that does not reveal the binding in plain > text. OSCORE is not using multi-path and therefore we don't need > multiple connection IDs like e.g. in QUIC. The update of identities > is proposed to be included in Key Update for OSCORE (KUDOS, [2]) > instead of in EDHOC because: a. KUDOS assumes an existing OSCORE > security context which can be used to encrypt the first message, and > b. although it would be possible to link different messages of a > single EDHOC key exchange to the same endpoints performing A.3, the > main privacy implication is most likely on the application protocol. > With this in mind we propose to not change how connection IDs are > established and used in EDHOC, but we should make a security > consideration about this for which we opened a separate issue #213. > Is this sufficient? [1] Potential things to add to future update · > Issue #263 · core-wg/oscore · > GitHub<https://github.com/core-wg/oscore/issues/263> [2] > https://datatracker.ietf.org/doc/draft-ietf-core-oscore-key-update/ > (Note also issue/PR #188/189 about padding of plaintext, the lenght > of which also can be used to identify an endpoint.) } > > > Editorial: > > - 80 pages is still big, I understand its hard to delete stuff but > hope we keep trying:-) [GS: Yes. There are things we can do, e.g. as > you point out in sections 1.2 (gone in PR #211) and 3.5, and avoid > repetition of key derivation in sections 4 and 5. But there is also a > limit to what is worth the effort, and sometimes readability is > improved by somewhat overlapping text although different in > structure. We are now at 40 pages excluding security considerations / > IANA / refs and appendices - how long should an AKE be? (As a > comparison, when I did my masters prof. Gabriel Barton told me that a > master thesis is 10 pages long, anything else goes into appendices > :-) ] > > - 1.1, CWT, CSS and C509 could do with expansion here on 1st use. > (Perversely, X.509 is probably sufficiently well known and disliked > to not need such:-) That might also make the text before (or caption > of) Figure 1 easier to read. [GS: Done] > > - section 1.2: last para - this is repetitive, suggest making these > points just once [GS: Content of 1.2 now merged into with 1.1 and > shortened.] > > (Aside on figures/captions: I always find it a useful exercise to > ensure that a figure+caption can, by itself, make a meaningful slide > to present with no additions. And then I remove most text that's > already in the caption from elsewhere in the document. Might be worth > a try.) [GS: I sympathize with this and gave it a try but had some > problems in practice. The explanation of the content in Figure 1 is > already 7 lines of compact text with expanded abbreviations and > references which I think better stay immediately above the figure > than in the caption. The terminology in Figure 2 is explaned in 10 > lines of text which is better structured as currently with bullets > rather than running text in a caption. Figure 3 includes 10 types of > protocol elements/primitives which again would make the caption > unwieldly. While this principle was difficult to apply in general, it > can make sense to expand the captions in Figures 8 and 9 to provide > more text about the cipher suite negotiation so I tried there. I also > made a consistency check of the figures harmonizing capitalization > and minor updates (except Figure 4 which I already worked on in > another PR, to avoid merge conflicts). ] > > > - Figure 1: I don't get how the "Figure 1 shows..." sentence results > in those example message sizes. I'm not doubting the numbers, but the > text could be improved (maybe, as suggested above via caption text.) > [GS: The reference in the preceding sentence also applies here, we > added that reference again.] > > - 1.4: are "EDHOC authenticated with digital signatures" and "EDHOC > authenticated with signature keys" different things? If not, using > one term is likely better. If so, using terms that are more clearly > different would be good. [GS: Replaced "digital signature" with > "signature keys" consistently.] > > - 1.5: which is normative, CDDL or English language text? We seem to > have a bit of a mixture. [GS: CDDL defines the formats, and English > language text complements the format definitions. While there may be > a potential conflict, I didn't find any examples of that. The only > places where I see an overlap are places like this: "message_2 SHALL > be a CBOR Sequence (see {{CBOR}}) as defined below ~~~~~~~~~~~ CDDL > message_2 = ( G_Y_CIPHERTEXT_2 : bstr, C_R : bstr / int, ) > ~~~~~~~~~~~ " In this case the CDDL indicates that message_2 is a > CDDL group (Section 2.1 (.2) in RFC 8610), and the English text makes > this more specifc in that the particular group in this case is a CBOR > Sequence. Unless there is an actual conflict, I'm not sure it adds to > understanding neither to talk about a potential non-existing > conflicts in general terms, nor to talk about CDDL groups in this > document. ] > > - Figure 2: I see why message 2 doesn't also use an AEAD(), but > probably no harm to say that more explicitly here. Maybe moving some > of the relevant text from section 8 to here would work. [GS: Giving > the precise reason may be too much for a caption, but it includes now > at least a high level motivation and the search item "SIGMA". ] > > > - Figure 2: consider showing the AAD as an input to the AEAD() > construct in the figure. That might be too cumbersome or it may help, > not sure. {GS: We have changed notation in this figure a few times > :-) AAD was included in e.g. [3]. AAD input has several components so > does not make for simple figures. Hard to get right level of > information and keep message content on one line. Further suggestions > are welcome! } [3] > https://datatracker.ietf.org/doc/html/draft-selander-ace-cose-ecdhe-09 > > > > - 3.5.1, 3.5.2 and 3.5.3: this might be some text to shorten a lot - > how much is it really needed? Could it be cut down to the stuff with > 2119 terms and a bit more? (I'd keep the examples though.) [GS: > Section 3.5 is 6 pages long, so, yes there is a potential to > shortening. (Not that we haven't restructured it before ;-) Let's > have another look, I made it a separate issue, #212.] > > - 3.6: does EDHOC *really* support hash based sigs? What'd be the > consequence for EDHOC of using a private key too many times or loss > of state? (Are you missing a reference to rfc8778 there too or is > one embedded in COSE stuff somewhere?) [GS: In principle, yes, with a > private cipher suite, using algorithms as defined in COSE, which > should have the relevant references. The same would go for, e.g., > RSA. But since this is not a main use case I removed this example > from the main text on cipher suites in section 3.6 and just left the > note in the PQC considerations section 8.4. ] > > - 4.1: Be good to clarify that the PRK_<foo> labels in 4.1.x are > basically local key names. (Same for others in 4.2.) [GS: I didn't > get this comment. I assume "label" here does not refer to the 'label > part of the info data structure, since PRK_<foo> is not included in > any label. Did you want the text to be explicit that the different > PRK_<foo> are names of pseudo-random keys? (I added this.) ] > > > - 4.1.2/3: You need to define R and I in each of these as (I guess) > the static DH secret and not as the identities of the initiator and > recipient which were (I thought) the previous uses of I and R. Might > be better to use different names though. [GS: You are right that I > and R are also used for something else, but not as identities of I > and R, rather as abbreviation/shorthand for "Initiator" and > "Responder", respectively. We thought it was OK to overload I and R > on this point since there should be very small risk of confusion. (I > wouldn't know how to calculate an ECDH shared secret from a public > key and a public fixed text string.) I and R in the sense used in > 4.1.2/3 is defined in 3.5.2, I added a reminder about that in > 4.1.2/3 with reference. ] > > - 5.2.2: What does "truncated after the cipher suite selected for > this session" mean? (Also be good to say order of preference means > first in network byte order is most-preferred.) I'm also puzzled by > "but all cipher suites which are more preferred than the selected > cipher suite in the list MUST be included in SUITES_I." [GS: I made > some updates to the text, have a look and see if it reads better: > https://github.com/lake-wg/edhoc/pull/211/commits/a72bad2a I wonder > if the first part changed needs a different structure, here is a > potential change which I didn't make, do you think I should? OLD * > SUITES_I - array of cipher suites which the Initiator supports in > order of preference, starting with the most preferred and ending with > the cipher suite selected for this session. If the most preferred > cipher suite is selected then SUITES_I is encoded as that cipher > suite, i.e., as an int. The processing steps are detailed below and > in {{wrong-selected}}. ALTERNATIVE * SUITES_I - array of cipher > suites complying with the following conditions (processing steps are > detailed in {{init-proc-msg1}} and {{wrong-selected}}): * All cipher > suites in SUITES_I are supported by I * The cipher suites in SUITES_I > are listed in order of preference by I, i.e., the first in network > byte order is most preferred, etc. * The last cipher suite in > SUITES_I is selected by I to be used in this EDHOC session * If the > most preferred cipher suite coincides with the selected cipher suite > (i.e. first cipher suite = last cipher suite in SUITES_I) then > SUITES_I is encoded as that cipher suite, i.e., as an int instead of > an array. ] > > - 5.3.2: This seems to be the first occurrence of the "<<..>>" > symbolism. A forward ref to C.1 would be good. > > > [GS: Done] > > > - 5.3.3: is it ok to pass EAD_2 to the application before checking > authentication? > > > [GS: Good question. If EAD_2 indeed contains external authorization > data (e.g. information about identity of intended endpoint), then > EAD_2 needs to be processed before you can verify the identity of the > other endpoint and the integrity of the message. But if we look at > EAD_3, the same things apply, but we also claim that EAD_3 is > protected between Initiator and Responder, which with the current > order of things isn't verified at the time when EAD processed. I > added this to issue #210. ] > > - section 6: I found this v. hard to follow. Suspect a re-write for > clarity would be good. [GS] Thanks for sharing. Could you be a little > bit more specifc what is hard to follow? Is a) the general error > handling, b) the format of the error message, c) the currently > defined error codes or how they are used, d) specifically the cipher > suite negotation , e) all above, or something else? Note: Stefan also > commented on ERR_CODE 0 for which we made an update of section 6.1 > Success, see PR #200. > > - section 8: "EDHOC provides a minimum of 64-bit security..." could > do with a reference to wherever that conclusion is derived. And > 64-bit security isn't quite "in line" with TLS is it? [GS: Thanks, > this text needs to be improved. The statement that the MAC must be at > least 8 bytes is a change already included in master branch post -12, > but the security level is also dependent on what algorithm is used. > We removed "This is in line with IPsec, TLS, and COSE." and we added > this to issue #201.] > > > - 8.7: stating that a "truly random seed MUST" be provided isn't a > sensible use of 2119, and isn't entirely under the control of an > implementer (maybe the section title could be re-thought?). > > > [GS: Right, here is a proposed update: OLD If no true random number > generator is available, a truly random seed MUST be provided from an > external source and used with a cryptographically secure pseudorandom > number generator. NEW If no true random number generator is > available, a random seed must be provided from an external source and > used with a cryptographically secure pseudorandom number generator. > About the section title, this is a subsection of the security > considerations and the content does have relevance when deciding > about implementations, what would you propose instead? ] > > - 8.7 (or somewhere): if some random values are visible (connection > identifiers?) then it can make sense to derive those from a different > random stream compared to that used for randomly picking secrets. > That way the publicly visible random numbers are less likely to leak > information about the state of the PRNG used for secrets. Could be > worth a mention. [GS: Good point. New issue #214.] > > > - 8.7: discarding a message_1 because of G_X collision/reflection > should also be stated earlier - it could very easily be missed here. > > > [GS: Agree. We should add into the processing of message_1. This > point is added to issue #201.] > > > - 8.7: TEE => "cannot" be tampered is a little optimistic IMO. {GS: > Agree, this is taken from the abstract of [4]: "A Trusted Execution > Environment (TEE) is an environment that enforces that any code > within that environment cannot be tampered with, and that any data > used by such code cannot be read or tampered with by any code outside > that environment." > > [4] > https://datatracker.ietf.org/doc/html/draft-ietf-teep-architecture-15 > > Proposed change: > OLD The use of a TEE enforces that code within that environment > cannot be tampered with, and that any data used by such code cannot > be read or tampered with by code outside that environment. NEW The > use of a TEE aims at preventing code within that environment to be > tampered with, and preventing data used by such code to be read or > tampered with by code outside that environment. } > > - 9.10: The well-known URI is not mentioned at all in the body of the > spec but only here and then in an appendix. A forward ref to A.3 from > 9.10 is probably enough to fix. The same may apply to other IANA > registrations I guess. [GS: Done] > > > - 10.1: are we confident that all the normative I-Ds will become RFCs > in a sufficiently timely manner? I've no specific reason to think > they won't, and they're all far along the process, but sometimes > transitive dependencies can cause a lot of delay. (Very sadly, we > can't just ask Jim about this.) > > > [GS: We think so. Those which are not RFCs would probably be OK as > informative references.] > > - A.1: "byte string shaped"? what's that mean? [GS: The parenthesis > containing this text is removed. The meaning is hopefully explained > by the example.] > > > - Appendix D: Point 6 mentions an EUI-64. I'm not clear how that'd be > used in edhoc. [GS: Reference to example in 3.5.3 added.] > > > - The URL for SIGMA can use https so change to [1] [1] > https://webee.technion.ac.il/~hugo/sigma-pdf.pdf [GS: Done] > > Göran >
- [Lake] review of edhoc-12 Stephen Farrell
- Re: [Lake] review of edhoc-12 Göran Selander
- Re: [Lake] review of edhoc-12 Stephen Farrell
- Re: [Lake] review of edhoc-12 Göran Selander