Re: [Lake] comments on draft-ietf-lake-reqs
Göran Selander <goran.selander@ericsson.com> Wed, 15 January 2020 16:04 UTC
Return-Path: <goran.selander@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53F03120861 for <lake@ietfa.amsl.com>; Wed, 15 Jan 2020 08:04:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cz3nXhuh5hoI for <lake@ietfa.amsl.com>; Wed, 15 Jan 2020 08:04:29 -0800 (PST)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30075.outbound.protection.outlook.com [40.107.3.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C32DE12086E for <lake@ietf.org>; Wed, 15 Jan 2020 08:04:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jcneUDqiAjtrktWcvBqRq4ufg7fwcKOFY9s7m0dduERK6TVfHl0jE7t/rWRNDNEzQTCF4BolWJKzpk1aaz6LmZ4elXZoRcFOUlr2Orswq4koAG5RIU/j0LZB1EjySbAHZkToOeSAa0GT02yfN9VI05ydBma2Iyd0VrFEiDKPoU2UvbDuP4sBFsi+wZ3PqDicbiQHJmjVZ9R5a1gJabdfu2Ry7NXgrMTykOXad8t2si2eOmD9K53N6AS2kpmvj4wCODTbS5iHnwMx2omndIfGw9cgNmt9vXUUgqEGbdxr1FiiNtG7hPWMg3g+FMRDwYOuiasXHwhkqrKHrcVaKHG4nQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=b6knedVDG0SoKu8tcw0BmDTzjkqhy6cwM5LZrwrE7lk=; b=AwnBhnUfy3o7euI2aOZZ+vboXGutFy1w/K74SzqwwWWpMZ6AIYq2j8mahhf0SUMqkIx9dQWRrAdvbTP744LX9+/g8YDBG4VsUcfGQWtZiB6gFUjMoo7qEi0Ix9pVKIhfbCiB9uqc92mbXYC2jxQJhbtU4BRbK03+0vod/FOmo3Pso/MYB/cGku9TC2Z7ViFOxda7ZPqsu9M2IcM1uujVNn5Y8Aq9LL9fOEyDvb30J499iz20bHhZpioauxWDIavB6J2Li1rHCePBotZCDmJvlHv1xbCPs4KHQ70gKjTQ5r6JGlLQ6bIcjq7oKxsWWbhHfBqotgk05WEbCsxsbNzGwg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=b6knedVDG0SoKu8tcw0BmDTzjkqhy6cwM5LZrwrE7lk=; b=srz79J+GdqOSGVz0pbdt3UUcrZqFUd8ab4oQ+DjxSk41/UqjzyMrxTCsyItH+5P89VbTtsPwCPus3mG0j3onVTsCYvMyE/0wI5+8/h2XsEnUVaECtCR6So1695LjSyTHjnmx6hIU2QzfEpCs6RuKyaOeIYFigQmaU6XM273No10=
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com (20.176.163.140) by HE1PR07MB4427.eurprd07.prod.outlook.com (20.176.161.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.14; Wed, 15 Jan 2020 16:04:23 +0000
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::538:4bc2:5936:6252]) by HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::538:4bc2:5936:6252%3]) with mapi id 15.20.2644.015; Wed, 15 Jan 2020 16:04:23 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>, "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [Lake] comments on draft-ietf-lake-reqs
Thread-Index: AQHVyveOZo+RqmIbpkSDnicnSyJk5Kfr9boA
Date: Wed, 15 Jan 2020 16:04:23 +0000
Message-ID: <9DF65470-767B-4C65-9DB7-0F81A1DCF0E5@ericsson.com>
References: <DA04764C-A550-476E-8A3E-5B6653AF659B@inria.fr>
In-Reply-To: <DA04764C-A550-476E-8A3E-5B6653AF659B@inria.fr>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.21.0.200113
authentication-results: spf=none (sender IP is ) smtp.mailfrom=goran.selander@ericsson.com;
x-originating-ip: [213.89.246.8]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a8eccfcb-794b-4a4c-5f1d-08d799d49691
x-ms-traffictypediagnostic: HE1PR07MB4427:
x-microsoft-antispam-prvs: <HE1PR07MB442726A3263E99485C9D7D14F4370@HE1PR07MB4427.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02830F0362
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(136003)(39860400002)(346002)(396003)(366004)(189003)(199004)(66556008)(76116006)(64756008)(85182001)(33656002)(66476007)(6486002)(316002)(110136005)(66446008)(66946007)(85202003)(71200400001)(5660300002)(966005)(6512007)(478600001)(26005)(6506007)(86362001)(186003)(36756003)(2906002)(8936002)(8676002)(81166006)(81156014)(66574012)(2616005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB4427; H:HE1PR07MB4172.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 01ILEgJJp7DdaUvGlDVrjzON1C1HPkx1StCE56qpt2le145hbxWIAJXJO1jNeC6Uah+jLG4VShk72ncVT3wRuHRl6cRJUGpkdPNsukbd2XI5t5/7dJpWN+QTz3ilJTr8x5cykA+aPpik1k2HINLGk/x54K/ML7W+qrAw4PlMQ98S46SdGcwp5rXg1mxKwUXB8qD8QoyOJcrfKDz5DskcXVPpMfdkfMQf1pYmisfdBYUgTuexTqqj8NjTx8jBopjfEdUtgw3VnbveWv0GhqeZyOxVNsyzBlasL+qR7WQEdnBedzHk9gBJuCVqvktXs92VYZnTttuJWpesBD5X9LLWd3zk1OV9ISkpU9m4w8P8yAZY3A0iTlkMjeO9tnAaeKPIab9GVVZMLo3GtFDCcWj7V3xtPalLw4h8+d3dz+i3yVcVxQVYIPpNF2M36BhyoV34YQeqjqQxZ+bXu69ciyYKJFYbJprZV3nxaIsjnxxfo7Q=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <F5EFBD7E25499449B60D5FFB926F13DC@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a8eccfcb-794b-4a4c-5f1d-08d799d49691
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jan 2020 16:04:23.2301 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: cx0wC5M5TMIxb/ql7uOhRiKq2zSOWSAi1XBa41FPNyodHrgcCymtHq/rJOxgFQM5ocj3GuyFOfoe5CuAl3+V7+277Oa5Ise9d2JUW9IOF30=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4427
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/XivxDFHDV7SuLe_IjAmovq3U9-8>
Subject: Re: [Lake] comments on draft-ietf-lake-reqs
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 16:04:35 -0000
Hi Karthik, Thanks for comments! My responses below. Here are the updates I made to the draft: https://github.com/lake-wg/reqs/commit/bc5a9644 On 2020-01-14, 17:27, "Lake on behalf of Karthik Bhargavan" <lake-bounces@ietf.org on behalf of karthikeyan.bhargavan@inria.fr> wrote: Dear All, In preparation for the virtual interim, here are some comments on the current version of the requirements doc (up to section 2.8) A high-level concern is that in many early sections the requirements document text is too protocol-specific, and especially assumes protocols based on Diffie-Hellman. It would be better to leave such details to the protocol design document and only state the high-level goals here. GS: Previous comments have requested some of these details, so there is a conflict here. Perhaps your reaction indicates that we are about to reach the right level of detail. More about Diffie-Hellman further below. Section 2.1: the acronym PFS is used here for the first time. Expand. GS: Done. Section 2.2 says: "In order to allow for these different schemes, the AKE must support PSK- (shared between two nodes), RPK- and certificate-based authentication of the Diffie-Hellman (DH) key exchange.” Here, and in later sections, the assumption that the AKE must support Diffie-Hellman is unnecessary and over-specific. All we want to say is that "the AKE must support PSK- (shared between two nodes), RPK- and certificate-based authentication” and leave out DH. GS: For this section I agree and changed accordingly. Later mentioning of Diffie-Hellman also contains requirements for supporting multiple and mixed public key credential types, and there I kept the mentioning of signature and static DH as illustrative examples. More generally, I am assuming we do not want the requirements document to preclude all non-DH solutions, e.g those based on lattice-based KEMs. GS: As far as understand, a lattice-based KEM is currently out of scope for the IETF but may be supported in a later version of this AKE. Section 2.2 then says "Bandwidth is a scarce resource in constrained-node networks. The use of static DH public keys instead of signature public keys is a significant optimization and shall be supported.” Again, this seems overly specific for a requirements document. Maybe just delete? Of course the protocol should optimize bandwidth but we already say so elsewhere. GS: See above. There is also good reason to support static DH for the authorized enrolment application, I added a placeholder for that in section 2.6. Section 2.3 defines mutual authentication for LAKE. It then describes PFS, which feels a bit misplaced since it is not an authentication property. The same can be said for the bad RNG improvements paragraph. Maybe we should move these two paragraphs elsewhere? GS: I moved these paragraphs to section 2.4 "Crypto Agility and Security Properties". Prevention of KCI resistance, identity misbinding, reflection attacks, are all specific cases of mutual authentication, and this should be clarified better. These are not additional authentication requirements; instead we should say that the mutual authentication guarantees of LAKE should be strong enough to guarantee these 3 properties. GS: I reshuffled the content of section 2.3 accordingly. "The AKE shall protect against replay attacks (injective)”: I am quite unsure what this means. What do we prevent from being replayed, the full AKE? The application messages? GS: I rephrased this as "It shall be possible for the receiving endpoint to detect a replayed AKE message." Others may want to comment on this. Section 2.5 sets out the goals of identity protection. However, the third paragraph on how to protect PSK using DH and the trade-off between 3 and 4 messages seems too protocol specific. We have not even seen a protocol yet, so it is hard for the reader to even know why 3 messages is the “right” number for an AKE. GS: I added a motivation for why the AKE needs at least 3 messages in section 2.3, see if you agree. I shortened the reasoning on Diffie-Hellman and made it an example. Section 2.6 describes application-level security goals. This section may be a good place to discuss or reiterate forward secrecy. GS: Forward secrecy is now discussed in section 2.4. Please propose a formulation if you think it should be reiterated here. It also says: "It is expected that an AKE with 3 messages will provide the following protection of the application data” Rather than providing specialized requirements for a 3 message protocol, it may be better to instead say that the LAKE protocol should provide clear guidance on the level of security provided to application messages at different stages of the protocol. For example, the first message may be unprotected, … etc. GS: I used your proposal to rephrase the current sentence related to guidance, but kept the specialized statement as the example. More comments are welcome. If you think I skipped over something you like to discuss in one of the virtual interims, we/you can make an issue on the Github. Thanks, Göran
- [Lake] comments on draft-ietf-lake-reqs Karthik Bhargavan
- Re: [Lake] comments on draft-ietf-lake-reqs Göran Selander