Re: [Lake] [lake-wg/reqs] Placeholder for resumption (e743c87)
Eric Rescorla <ekr@rtfm.com> Tue, 11 February 2020 13:12 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 031501200E5 for <lake@ietfa.amsl.com>; Tue, 11 Feb 2020 05:12:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QBobANIcGB1C for <lake@ietfa.amsl.com>; Tue, 11 Feb 2020 05:12:28 -0800 (PST)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80607120043 for <lake@ietf.org>; Tue, 11 Feb 2020 05:12:28 -0800 (PST)
Received: by mail-lj1-x230.google.com with SMTP id v17so11515328ljg.4 for <lake@ietf.org>; Tue, 11 Feb 2020 05:12:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5lQ8KceZ5tghsnjH8aB0EiYAThd593tTjLVH0QfXUHg=; b=T3SB0CAB+UI2jAoOta7F6InWmicPg5zQpt5Ara3K8BWTFXZA1OZGeBzhE/9/+yPNak 3U6wThklr6XksJAUohZpWclPHUVwpwMPE4qp4OvTjwbem82m37qGCufL24zBg++MQxbD kkG3XxwtAGyMCO68R841Knxx25/k3DhN1d8eAU5O7Wa+Z2g8lyl6vzt481sn2eygS9h4 nCttS0mnXktYX6PjvlH/qtzqrM6Z+jV1oRL7VH6tYo6QHQ5FkDbbcj0XOy6Cjd57LcmV U8v8EWGe4rMpv0plGt+8Dl1bzGaeXBYLW8BazPcUJkNMQNHuisX6/29LU0qlfrxC92mL t/SA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5lQ8KceZ5tghsnjH8aB0EiYAThd593tTjLVH0QfXUHg=; b=P2MpMsPHj6qHoVHouwWy47df7h7Jvnq7NhqvdXmG+OL9K8KednA3EPb4t1Lhu8c9d8 babqSZxXNO/0vxjKB6zPiJmg4qB+1mB+iXfQnVI/Ywre4ztqrrHQyvlfDsod7CZWy+dc iVC0NU/NI17mWURKIQ+wUNrkB4Eh5PQO18QVRChL7muhE6buOUkUvx96WOCMWIVbDnVR OuRlbZk/97qQs2UFoo9sxugMYWB9pDFSJWA9ngxsdvT3mP3QORrqJKKZ1jZm/M4tgr+9 Cf1z8ptsWtEhgxccXP8lk5tY8pswsmVFudqSAiiaTVdhZWIlmxXirdcSP/Fm0NQoyo5r rm4A==
X-Gm-Message-State: APjAAAU3jgSrbWr3MSVlQ0Ekf/1SkKNwy4gnHY3Kd/lXWEwu8AW3KGHm I0cL1GwvPd1wkAQXFhFXJ7D8nahUAM8kIY4IFeP6HA==
X-Google-Smtp-Source: APXvYqxnuqrxKt7ZbcGVvu2QO3g5cKP1pGXXWzfsUp0j2VWyH60S7lzO02pAPNA89IEJ96jfL5UxyKqF0YIuK/FcpeQ=
X-Received: by 2002:a2e:9b12:: with SMTP id u18mr4243880lji.274.1581426746682; Tue, 11 Feb 2020 05:12:26 -0800 (PST)
MIME-Version: 1.0
References: <lake-wg/reqs/commit/e743c873a24f03c88019df5ca275660677f56e8a@github.com> <lake-wg/reqs/commit/e743c873a24f03c88019df5ca275660677f56e8a/37200172@github.com> <23690.1581337124@dooku>
In-Reply-To: <23690.1581337124@dooku>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 11 Feb 2020 05:11:50 -0800
Message-ID: <CABcZeBMLBqOcK=Tb8qKw=MBpuF8pb5z6YR_N8YWS4pHp6zH+2g@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: lake@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007986b3059e4c9b9d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/VlZKZuyjUUVkk0xyn4yzQfXOuT0>
Subject: Re: [Lake] [lake-wg/reqs] Placeholder for resumption (e743c87)
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2020 13:12:31 -0000
On Mon, Feb 10, 2020 at 8:17 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > Taking this to the list. > > ekr> This seems like generally good text, but I feel like perhaps > there is > ekr> another angle on it, specifically, whether it should be possible > to do > ekr> a new AKE exchange efficiently. > > > Perhaps > > "The AKE shall provide a mechanism to use the output of one handshake > > to optimize future handshakes, e.g., by generating keying material > > which can be used to authenticate a future handshake, thus avoiding > the > > need for public key authentication in that handshake". > > EKR, there is some subtly here. > The text speaks about avoiding public key authentication. > I'm unclear if that include DH exponentiation or not. > Yes, and. Just to recap from the top, the protocol skeletons that seem most likely for LAKE require multiple EC operations (assuming you are using EC). For instance, mutually authenticated SIGMA-I requires each side to do a signature, a verification, and a DH key establishment. Obviously, this is all kind of expensive, and so a resumption mechanism lets you bypass some or all of it by bootstrapping the first handshake. There are two primary options: - Skip the entire handshake and just bootstrap off the key output by the original handshake - Do a DH exchange and use the original to authenticate that. The first is obviously faster, but needs a mechanism like the one Karthik proposes to provide PFS (and also needs you not to use an encrypted session ticket type mechanism). The second provides PFS no matter how you manage the PSK. It's also worth noting that a resumption mechanism is an easy path to 0-RTT. Your question begs a more general question, which I think speaks to 'session > resumption' situation, I think. > > And I guess there is distinction between: > 1) avoiding expensive authentication, assuming a round for PFS. > 2) avoiding expensive authentication, no PFS > 3) re-establishing state after a restart, or a long sleep. > (the responder might have expired the session data) > 4) doing an exchange to rekey for PFS > Actually, you don't need an exchange at all to get PFS: just ratchet the keys forward as in TLS 1.3 KeyUpdate. > > (3) is different in a connectionless CoAP situation where there isn't a TCP > session to maintain. Do we include mechanism in AKE, integrating into > OSCORE, such the responder initiates a session resume when it sees an > OSCORE > context that it does not recognize? > Good question. I had mostly been thinking of the setting in which the sender knew it was reestablishing "connection" state (this can be true even with UDP-type protocols as long as there is a concept of association). I think this is what you mean with (1) and (2), right? -Ekr
- Re: [Lake] [lake-wg/reqs] Placeholder for resumpt… Michael Richardson
- Re: [Lake] [lake-wg/reqs] Placeholder for resumpt… Eric Rescorla
- Re: [Lake] [lake-wg/reqs] Placeholder for resumpt… Michael Richardson
- Re: [Lake] [lake-wg/reqs] Placeholder for resumpt… Göran Selander