[Lake] EDHOC Issues related to cryptographic algorithms and cipher suites
John Mattsson <john.mattsson@ericsson.com> Wed, 21 October 2020 04:52 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B48E63A0EF6 for <lake@ietfa.amsl.com>; Tue, 20 Oct 2020 21:52:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 14L3qeTmjswA for <lake@ietfa.amsl.com>; Tue, 20 Oct 2020 21:52:30 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2053.outbound.protection.outlook.com [40.107.22.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C17FE3A0EFA for <lake@ietf.org>; Tue, 20 Oct 2020 21:52:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SfeVnZZg/UuUgX06AR2FrrVVS6L5uj4Fm52szmon0JWFkwUNsAeOzFRo8/G+LOSPsNTkyL+HtAZRAKrDJsWHm8aPRfilFxm0BXKosL9z52ftm3NYIJYBhPrcMlWwltzszTA3wasWWIbmfO74VAGa95cos+WVFZx4zZVit6Je4mmDlqcPHrgZkM9aQVgBlRKEq32PZhAORTQAavdGVsxCy1Pu10h23/jpF07+wgVmLZ2m0MOBErf4qHhTfwOydiIeXolbsGEiFOdtv26mp1+N43ilOTBrSXObFbbaARpZl8dWrICPIzsZit7O9dW6aaFghprE08tluK5f7whwi2TdIg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pbZb2KdJirQpb8jDNtqotFrKmsp3PZL/OoUYy46W0F0=; b=QwZS2GkKDY58u82pf9drKn/etKOFqXELj/FtBgBHzE3qjICeJVBeSIkFzfcAubRFvb2f3hwjmNo8cLC1ZZai0oKQOTEBVSA0T1ogXibEtoKCxIqxLmRuiWmOhTcbjuO8Q8qvVAckh0G1RnQkwhMrJPBLSNdyg0WlyVOQ0Dc9R+y6CcHP4ppHBHBrmveIZ1BXv268rAwI1CCoR5j8Y0Oar3k4dsSzd6CB+8K3FjfLAtM8wAGLshK7+M9LUBtGGviBNBBYg2x47lqhVnyA2JlCVdxq91LHdxZfBP7ihMq0Y2Ta0CvBmwlHU5lQu8s23/8ieJ7fvbv7e2J8tgY4ZzTj8A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pbZb2KdJirQpb8jDNtqotFrKmsp3PZL/OoUYy46W0F0=; b=YqWtu5b5ztqa8MoEh1E06CwG97qksDvi8FFYnCR3kRiTKPZ+YmHGYXJI88DuvXN1EUShvQDbAYUPNqYGYtH6lfwz7yWRXt+DChBOmmkPXzyxg3SsOLm+9W3Juu8NNADslUTFU/w5GWIjIN24cQnzPT+LDXg566lIip/ltTCWTJA=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AM6PR07MB6088.eurprd07.prod.outlook.com (2603:10a6:20b:9a::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.4; Wed, 21 Oct 2020 04:52:27 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c%5]) with mapi id 15.20.3499.015; Wed, 21 Oct 2020 04:52:27 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "lake@ietf.org" <lake@ietf.org>
Thread-Topic: EDHOC Issues related to cryptographic algorithms and cipher suites
Thread-Index: AQHWp2X5EQSwWirx9kuKaw9++Sj9ig==
Date: Wed, 21 Oct 2020 04:52:27 +0000
Message-ID: <34F4E5A5-F13A-4D46-BB90-1EEBBE7F8A02@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.42.20101102
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2053b86d-60ac-4c85-2231-08d8757d1bf0
x-ms-traffictypediagnostic: AM6PR07MB6088:
x-microsoft-antispam-prvs: <AM6PR07MB60883B62E127A69322D1917E891C0@AM6PR07MB6088.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Vs7GWJiich4miA2u4x4viadiTTtWEubfKqV+2n6LpzLO/dO6575zbTAbs5+OD8oyH1n7gjLtLAqB64+A3PvuAz+YS+yLUOH4GpTEyyjAoIXtPk4+Za8AdESnG3ERcpmpyt5a3acKhqACb7P5rT7lIKkEtXcYiCUaoUcyND20VitWA7hn9LnFHbpQuEc4Kx4jFRKGryD/8CpRZ7xyQ1ZYkoVwjXTyfGCfJ6TXY+YkpArDLAgwXR9qFr2JOnVCq5REbl1qsNVN68iEClzPvr+Yi/GHNe7nbbfJmlwc9oVO49tw9dMcGlcg+paWYnRM1Z21mAKcjRwJh1GM5SSNy2vl9LkuBnYVqtkxTBV8dsYLfi3ihg8+fhDIX3DECxCKKTv6Wq0unIsisosKN3/Dt4ThzA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(136003)(366004)(39860400002)(346002)(376002)(71200400001)(2616005)(6916009)(26005)(5660300002)(36756003)(966005)(6486002)(6506007)(478600001)(33656002)(66446008)(8676002)(66476007)(66556008)(76116006)(91956017)(6512007)(66946007)(86362001)(44832011)(64756008)(83380400001)(316002)(2906002)(186003)(8936002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 1YvhxgiZX3BN9/xTxhlsixdDD16y7cEME6c7fPjLOrM5tfkIt3VWzPZ3dHR+lx1uJWTod+h01XWOrkPbj2iqfpn/8lvZ4wmQbNwAyq+9Thv2uIxM4cYi/D+I5hLq9gAaID+zW/oK8DhG0HQmQoKlnpIgHrG46tuiLuKwlxjVN7/9IdFxqbOdXisiib73FyH6bb8uMeY5Xp+ZJ702Nu7rKlarOHfG5rxuEa1hsSD5c+zfqjsJ+kjPqef0pE7epQ6YV+rlPiKZYjJkffpJKeGrqtXB2erD8Fw3uf8F8QsmEHc4Le/abD7gfDJxFHVZFCTSoLb7Z/mMPJXwWiKpO2b8s7XU1v75NHjOut8MX/oNGICVAMVl176mpGSjORb7ZfS+jfN6LD8/wufNWwfAq7DOUXPzF8qb4rwYDnMnaX60MQpPNiP+hn6W3+CnJHQfZcLD/QBiXCKDBJUE0UlOmjjv9HUTY4gomRh1ErfssS1Bdwq3130z98z62y8wqrdVOBapTGqPyFYoyj1JafDEqiTRPqgNY3CX83CnazxAqZdeJqhuVX+Ty1e7EjrvYCEUWz9Dc3NGhm+qOcfs5ds148DTBk97quhdoZis/IntpemITpVvHyBCPb0EU4Mgk2aKZh9Lbxkr2gkE6bv22hYnaylO7A==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <F4B45193DBDF9B40B511B2C5B72CACF5@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2053b86d-60ac-4c85-2231-08d8757d1bf0
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Oct 2020 04:52:27.1969 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dA55HDVRar8ixpwXpT6n3HdTE0PCdMETEkBx1L3pV7qUTL/FAwXzTVF070ItGKJsrVNfgLR4gBSFNiSXKlGnyuZFvuqnGc8MXolm+Nf7ZrA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB6088
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/fD44DzNrn4sLSFT-uyJGbXm5s_g>
Subject: [Lake] EDHOC Issues related to cryptographic algorithms and cipher suites
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2020 04:52:32 -0000
Hi,
Below is a list of issues we think should be discussed on the list, at IETF 109, and at an upcoming interim meeting. More issues will follow in a second mail later today.
Cheers,
John
1. Choice of hash algorithm in cipher suites.
Hash functions are used in several places in EDHOC.
- Transcript Hash
- Key-Derivation Function (KDF)
- Signature algorithm
- Credential identifiers (ID_CRED_R and ID_CRED_I)
- Application, e.g. OSCORE KDF.
The signature algorithms Ed25519 mandates the use of SHA-512. This means that to implement the cipher suite
0. ( 10, -16, 4, -8, 6, 10, -16 )
(AES-CCM-16-64-128, SHA-256, X25519, EdDSA, Ed25519, AES-CCM-16-64-128, SHA-256)
the implementation has to support both SHA-256 and SHA-512.
A solution would be to specify only SHA-512 in cipher suites with Ed25519. We plan to do this change in the next version of the draft. Requires more memory to handle larger digests. Note that it also increases the length of x5t identifiers to 256 bit instead of 64.
Should the Ed25519 cipher suites specify only SHA-512?
2. Use of SHA-512 in constrained IoT.
SHA-512 is not supported on many IoT devices and the question is if it ever will. Currently SHA-256 have wide support and is often HW accelerated. Adding also SHA-512 requires more code storage. If SHA-256 gets replaces it would likely be with SHAKE128 or some future XOF emerging from the NIST lightweight standardization protect (e.g. Gimli).
Ed25519 is currently only specified with SHA-512. While there are benefits of having a single algorithm, CFRG should maybe have taken IoT more into consideration. Specifying Ed25519 with another hash algorithm is technically easy, but would mean even less implementations.
It has been suggested that draft-ietf-lwig-curve-representations-05 and W-25519 from Draft NIST SP 800-186 would solve this problem. As far as we know, they only helps with implementing X25519 and Ed25519 on devices which only has acceleration of Weierstrass curves. They do not affect the hash function in any way. We plan to add references to draft-ietf-lwig-curve-representations-05 and W-25519 with the text that they may help with HW acceleration.
Is the use of SHA-512 in Ed25519 a problem?
3. Mandatory cipher suite
EdDSA (and to a smaller degree X25519) does not have as many IoT implementations as ES256 and P-256. curve25519 offers much better performance in general, but the performance is likely similar to P-256 if X25519 has to be expressed in Weierstrass form (W-25519) to be able to use HW acceleration. Also many IoT devices have HW acceleration for SHA-256.
Question how much the MTI cipher suite matters, as most IoT implementation are expected to only support a single cipher suite.
Shall we change MTI to ECDSA?
4. Support of SHAKE and KMAC.
The COSE WG is working on adding SHAKE128 and SHAKE256 to COSE and there is ongoing work to define the use of KMAC128 the KMAC256 as KDFs.
https://tools.ietf.org/html/draft-ietf-cose-hash-algs
https://tools.ietf.org/html/draft-schaad-cose-more-algs
There has been interest in the IETF IoT community to use these algorithms. As currently specified, EDHOC supports SHAKE, but would run SHAKE in HMAC mode, which is inefficient.
Should EDHOC should be updated to use a KMAC KDF together with SHAKE?
5. Rekeying of AEAD algorithms
The TLS WG have analyzed, discussed, and specified bounds for distinguishing and forgery attacks on various AEAD algorithms in TLS. The distinguishing attack lets an attacker destringing the ciphertext from a random string and the forgery attack lets an attacks forge a single message (typically consisting of a random looking string). CFRG is now planning to publish a document with formulas to calculate AEAD limits. The limits chosen by TLS are stricter that any earlier protocol or specification. This is fine if rekeying is easy.
It would be good if the IETF IoT community discussed which probability is acceptable for the IoT protocols in IETF.
EDHOC does not use the same key more than once, but the exported session key might be used for a long period in e.g. OSCORE. The most efficient solution may be to rekey in the application security protocol. E.g. if OSCORE would frequently derive a new Sender/Recipient Key from the Master Key, this would effectively mitigate distinguishing attacks. See e.g. "key_derivation_rate" in SRTP (RFC 3711). This is not currently part of OSCORE but could quite easily be added in a backward compatible way.
What is the acceptable probability for IoT? How do we do this rekeying for OSCORE? Do we need to do anything in EDHOC at all?
- [Lake] EDHOC Issues related to cryptographic algo… John Mattsson