Re: [Lake] Security levels for EDHOC for formal verification

John Mattsson <john.mattsson@ericsson.com> Fri, 12 February 2021 17:11 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC6CE3A17D3 for <lake@ietfa.amsl.com>; Fri, 12 Feb 2021 09:11:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.351
X-Spam-Level:
X-Spam-Status: No, score=-2.351 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZCzZkIUNg8-C for <lake@ietfa.amsl.com>; Fri, 12 Feb 2021 09:11:04 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80057.outbound.protection.outlook.com [40.107.8.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2347D3A1736 for <lake@ietf.org>; Fri, 12 Feb 2021 09:11:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZI80PefjPHkgQQHEzDtCwztO86MrWcZsi8ERof5smAHcGt7Q15luLxdWdv2mERrJ+xFytLT1ijT7jitnItYc8obcrrcF8ySd4HPQLowjqhXhX9pcjc7fYP6yROIwQDm3DZ7K3eLJTbuStrkTBS8vY583oMoXUg4oBHDHM7SuM34CMc8xrBDZ4Qt8KbXSDR1cRArFeOwG3w/aOcg3mgtMXsRbO5/EuxrqabiPomRgR4KH0onmVIwLMTLohAgDcvNHfaV5a/WlXCHW7NTUDVHHKDwiWOljzJTkSv8ejHO7VfonU1wJi1TyEO16YC9cB2B5VZfZ8K66AH4yRlozuGmx4g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RCiGRmT5NpYXo30W0Zn/mh3/3KuntdArZEgz/7SElbQ=; b=KvOn1cqz+bUfwEn8BK2KHSZkloxTJKbhKdA13C4hNdGfAENBfZ/Tu8lhnhuq5vz9nLC1cqKlo12Zg66otojWfQ7QsGVx9ulS3lROtySnL0/4w1Nu0ksHkjnFroBUfuLon4nvbBJHBf6eSr26EJKqphv7A1bgBh9PgYSLqeuocJDjqHJE6tS1ekOWDIn9YqEU5nKQwf8guvQp8uhvR76BN3zHFdh159ux55y+OgfbmkjMgDmWnXZ11DrcHJ6xoLq0bq8Yrm7TUP4JFrra5YwhA27UMeGRtkYnyw43858RutrVHwVf9+hB9oJUUS8boiwMXVsES1qnIcvyLBsZww/WKg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RCiGRmT5NpYXo30W0Zn/mh3/3KuntdArZEgz/7SElbQ=; b=NQEBcW6mWBEHz2O0UH/tUyQasSa3vLq+Ue5LhincMWNRChBghUT+odWnFUUPLjGmrAUV+LzYX9HONGSwSkrQKeCYDdMuZhEK8oTAh6Uw7cDDbuUMxSZndCx7TooxeDS1SODxGc5lmJs/BNjLDxIsICQDNl8oHYYC3K97RVSpe8o=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by HE1PR0701MB2620.eurprd07.prod.outlook.com (2603:10a6:3:97::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3868.12; Fri, 12 Feb 2021 17:11:01 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::c555:6e47:970c:1268]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::c555:6e47:970c:1268%11]) with mapi id 15.20.3868.015; Fri, 12 Feb 2021 17:11:01 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
CC: "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [Lake] Security levels for EDHOC for formal verification
Thread-Index: AQHXAE3CIo84kXTI0k20kQP+0TZxfqpTKFWAgAB9RoCAAS6fAA==
Date: Fri, 12 Feb 2021 17:11:00 +0000
Message-ID: <AD04F8F3-7E96-41CE-9B3E-D84E46BC3818@ericsson.com>
References: <87582CFB-7166-49DB-85F1-E6D389A966F0@ericsson.com> <F36A4003-58EF-491F-A23F-D6B65DD278C0@inria.fr> <A4B65141-0CD1-44FC-9614-ABD00FBBCD8C@ericsson.com>
In-Reply-To: <A4B65141-0CD1-44FC-9614-ABD00FBBCD8C@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.45.21011103
authentication-results: inria.fr; dkim=none (message not signed) header.d=none;inria.fr; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 631c38da-6bff-4842-6906-08d8cf792c1c
x-ms-traffictypediagnostic: HE1PR0701MB2620:
x-microsoft-antispam-prvs: <HE1PR0701MB26201273B5E1F28FF7B5457F898B9@HE1PR0701MB2620.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: N8uTbGThy5/zK3WeFhUo80tJIvaDKk5DuSv9DtN66WKkocmeNAJqH4swTzl0XNnTCWO+vRPdE7jhTAF862H6rLnwyLKtmiL7DkTOu8SkC97ouuMobC4TAlYb53FuAEOvBRRpjWONi/N0HO/aqtI6znNjPsMjEerXQ+HaiM8aVHFIOGYwiYUPH7VPHY6iDECK0R1JJDLshwf5RmNBCSPN7m7/hPyOH7Z011XLwdyvUpG72D5dhSjZe8lIRCvP8Sbo3ZtBKxjt11TfE8qiaChlG+QEZxKLhnXGArlFUHEy7/F9APfLLUD1HgPXTl94vq9g3bK0BvW2lYHU7iHJeZGqsIbmteITHHozG+9srz7ewjEkP9t739Vo4o6ebGjfT54pS9RPaaVsxfBB6Y4HgJEknV/cZByKvEbO0yGFRaPN/2dKIf01ETYAL9ggehIQrmWhBoTjBgTIU4ai4N0NibN03h4TSHzmBF2USvztVC6oneJEGZijd3lGRMxF6AOcueW1IVHFvaN9B05QCROdISrfjxYsA2nsh/IlGcJLY9pQdPZIu5ZGjQJdy76XjZYHDBbr8r2FwV0Dv69gCFq1g9WRH1K6yyvcUYAU3/q9xNIuPNCzecPZF09k48SUend0+qWO9SQQ5yaXkiR89qNMWThmaw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(136003)(346002)(39860400002)(366004)(396003)(36756003)(4326008)(83380400001)(6512007)(76116006)(66446008)(44832011)(2906002)(33656002)(71200400001)(6506007)(53546011)(5660300002)(2616005)(6916009)(66946007)(66476007)(316002)(966005)(86362001)(15650500001)(30864003)(8936002)(66574015)(26005)(186003)(66556008)(6486002)(64756008)(478600001)(8676002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?YTFWU3RoTnphTkxreEI2U1lwcFdmUWZCemdlWnBLdktZYzVKM0M4elA5ayt6?= =?utf-8?B?TU5aSjJiZkhKdHdqaldkZkNWUEQxck1RejlxZWVEZHNCMWxDc1NsTTdvVGlQ?= =?utf-8?B?OFd3NEFYRE1Dc0Jpb1E5QW1iWXRGTHMrVzM4dFRxcmN3eG5ES3lJVERGRDNr?= =?utf-8?B?QlU5VitPQ09VZVhNc3hJcThGSzAwcUxHdXJWOU1nU3FiOGJNZStUTTZlOG1Z?= =?utf-8?B?clUvSjJYZ3M2Rjd1aERkbDIzL2lVb09zdC9pZW5yc2JnU2VvaGxvZE1UdVlV?= =?utf-8?B?emo3RWNZWm5zSTArKzRhaFh4aVhnQTl5d1ZIR2JES00wTENOcVVCNUlySnpP?= =?utf-8?B?K2xDWUVDdit6STZ0aXBQRWRhZ1M4aWJ5WWJvSGJqb3ZwQUNRWUpIMitJN0ho?= =?utf-8?B?cnErWlpEeGwyTWhPdTUwMWNNV0QrRWNYMTlCcXR5YlRNYXF6TW5ldXJCZ284?= =?utf-8?B?ZWVkbmF6TUZ3YkRNYjYrbk5DeWVEWkcrRTdWQStib2dUbjdCRXFwWTZPWkZp?= =?utf-8?B?UUNWdTRXQ0t6V3ZURWpjM3h1aFRJL0NYZE1NOS83eG5kWDBCeWtlbmZ1K2JY?= =?utf-8?B?K2JmOHViVDY3M3NYY3FVeU9xYVNhWWNtTXNmbUtSL2VMdjVUMHg2cGM4R1ZQ?= =?utf-8?B?VFRjYW5YYnBQNkxZZVdYS3Vtb3NrTWI5Zk5COHhSdkdLZ2hhUVV2dUpwNXk4?= =?utf-8?B?TnNTcnhMYzNOQlhQWHVwYTMvdTVIeGJlMVhjU3AwdG1zSjQ5QzBCM09NbUNT?= =?utf-8?B?d3JOVlhMbmxrTFRIL0FpUGRXOEtrMVhhWGRUSG94UFZidVBXVDJZcDljbUx2?= =?utf-8?B?dnIrQW1CT2VyU0FEMHRhdmliWFArNDdpR1duL21LKzkvWmNnQ1c0TlVuaWRp?= =?utf-8?B?N1NwdjRVdmtMblZpdXhCYjVtdFNtaU40VU5Ga05kWXpJcUNGZ1BiZlVYN0xD?= =?utf-8?B?Wk5pLzlTYUdIMkloZGNSWVFGTUEyNFRqK2MyK3RNVldIWGtZeFNFb1M5T1BF?= =?utf-8?B?SklrV0FXQWtueDQ5VENSNGRJL3BuT0d5UTVSTUJOaGVVdWRSUWZMZG9pOGo3?= =?utf-8?B?c2ZpWm1Kdmtham1LanAydzVRSHVpb2xhdVZTbFFQZWYwbDUvcGdQZlhwQTc4?= =?utf-8?B?Ymlxd1FoVkplNTZtZ2djbkpoU2tYTUMyVTkvdlJWQWpoTDZvNEgrd1NneTFp?= =?utf-8?B?Z05MRjlQZnZTL1RzMXJ2SGdmejZHTEVINysxWXhXN1U1Sk8xUS9EYmFtK3lN?= =?utf-8?B?WVdaUVhjNEUxZ3RCZTFkQ3VXWXlGbjRod0dBQ0VuVDliNmVMOXR4ajRXaVY0?= =?utf-8?B?enlLTUd3Y3lzTldFTW0vZmp3dzBIQjB0cE11K2RSaXFYQlh0ZkF2dDF4Tk1D?= =?utf-8?B?UjFST2wvYUJybnV0LzZ2ZnBvb2g0b1hzNEhFNC9za056ZzU3RWJsQUNHKzBq?= =?utf-8?B?NUlWR0pwM1pIWGdSWlcvQm8xamo3Szc1bVZNMWN0MnBqZElJMzdaV2p3L3VB?= =?utf-8?B?blIzUDJ3TjQxVk1GNWc3cVZvTG4ydGwzOERhMUNrd0g1Q1Z6R3F2NXlqVWhH?= =?utf-8?B?clQvNFJJQ3A5bS9UdDFVUFpvRVRFdHhkV3d3aTNWVnFLa25BdzFYYU1FcGFm?= =?utf-8?B?b0lrcmRZR2NkTFhjM29MUnp1NXpFYU42Rk1JL2NtM1FtVVNneXZobTRRbnpo?= =?utf-8?B?TlN2bVByUjNBMG1IdTgvTHdRRGNEM3lHTjYvQWVOa21YMlBXVTFPdTV4NFAz?= =?utf-8?Q?CYhfnm700noeYYNOBkBYaCnasduTwAUbwixoOqJ?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <8AD3DFF21366E6438A65F966FB9E56A6@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 631c38da-6bff-4842-6906-08d8cf792c1c
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Feb 2021 17:11:00.9697 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZLTLA5u0u2tq7MdEqwKbIVh7aZiHUjx/y3iR4Z4cUfrVX+gGOzzf+1iZ/ddS3ky5iubGobSb3RXKwEVn4QXXOgTqkjXH2pO8Q71SajQDnLk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2620
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/h8E-x27pYkc4OqhjQQ_aX6_83HY>
Subject: Re: [Lake] Security levels for EDHOC for formal verification
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 17:11:07 -0000

I forgot the TLS Finished MAC in my quick summary yesterday. TLS 1.2 had a 12 byte MAC and TLS 1.3 has a huge 32 byte MAC. Together with the record layer MAC TLS 1.3 always has at least 40 bytes MAC. This is probably overkill, but EDHOC definitely be significantly weaker on this aspect. Especially the static DH with 8 byte MAC.

Göran and I will try to collect the requested usage assumptions and write them down some form that can be referenced. A new -00 draft or a txt file on the LAKE WG github.

/John

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com>
Date: Friday, 12 February 2021 at 00:07
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
Cc: "lake@ietf.org" <lake@ietf.org>
Subject: Re: [Lake] Security levels for EDHOC for formal verification

Thanks Karthik,

>This is useful information and provides a good basis for discussion.
>It is particularly interesting to see the places where you specify that the EDHOC security >guarantee is expected to meet (or exceed) TLS 1.3,
>because these provide clear goals we’d like to focus on during formal verification.

[John] That sounds good. I think TLS 1.3 is a very good basis for further discussion. Both TLS 1.3 and EDHOC are based on SIGMA. If there is a large difference, that is something that the LAKE WG should discuss. Another design aspect that I can think of is:
 - TLS 1.3 uses nonces and therefore more entropy. TLS 1.3 security level against huge pre-computed rainbow tables would be higher than EDHOC.

The Static DH authentication is of course quite different from TLS 1.3. I think it should have equal of greater security than TLS 1.3 with PSK authentication. EDHOC with Static DH authentication should be stronger than EDHOC with signature authentication is some aspects (the key derivation includes three shared secrets instead of one and it should be stronger against key leakage), but weaker in some aspects as the authentication security is bounded by the AEAD tag length.

>As Rene says, the proof itself relies primarily on standard crypto assumptions about the >underlying constructions, but one of the interesting aspects of LAKE and COSE is that we >are trying to minimize message sizes (e.g. by using shorter authentication tags).
>It is therefore important to understand the concrete security goals in terms of the >expected security level so we can make sure that one of the message size optimizations >isn’t unexpectedly breaking the security of the protocol.
>Conversely, known the target security level may also allow us to identify new cryptographic >optimisations that have not been considered yet.

Yes, looking forward to you results.

>In addition to the sizes of the crypto keys, it would also be useful to know how many EDHOC >session is an intitiator/responder expected to participate in (per day, and over its >lifetime.)
>How much data do we expect to send in each session?
>What is a reasonable compromise window for each device; e.g. would it be ok to refresh the >ECDH keys every hour, or once every day?

[John] I hope that other people in the WG can help me fill in these assumptions:

- I think a typical device would run EDHOC quite seldom. In the extreme, a sensor or actuator might run it only once during its 10 year lifetime, but maybe a more reasonable estimate is every month/year when it receives a firmware update? A cloud server might run EDHOC very very often (many times per second) with differnet devices.

- I think other people in the group have much better answers for how much data an average IoT device sends per time unit.
  Also what do you mean by session? Current work in progress is that OSCORE will rekey frequently to get FS without rerunnign the full EDHOC. This would be similar to TLS 1.3 KeyUpdate. As the details are not completely specified yet, I do not know if you can model this but any comments or suggestion would be very welcome.

- Which ECDH keys do you mean? EDHOC currently states that the ephemeral keys MUST NOT be reused so they are erased from memory after each run. The Static ECDH keys used for ES ECDH authentication would typically be much more long lived. It is common to use IoT authentication keys for the lifetime of a device, i.e., around 10 years, but recently there has been a trend in the HTTPS world to use shorter lifetimes (1 year instead of 3 years).

>It would be great to collect a compendium of both usage constraints like these >and concrete security targets so we can make sure the protocol (and its >recommended ciphersuite) satisfies them.

[John] I guess we can turn this discussion into a appendix or some other form of document that you can reference.

Cheers,
John

-----Original Message-----
From: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
Date: Thursday, 11 February 2021 at 17:40
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "lake@ietf.org" <lake@ietf.org>
Subject: Re: [Lake] Security levels for EDHOC for formal verification

Thanks John,

This is useful information and provides a good basis for discussion.
It is particularly interesting to see the places where you specify that the EDHOC security guarantee is expected to meet (or exceed) TLS 1.3,
because these provide clear goals we’d like to focus on during formal verification.

As Rene says, the proof itself relies primarily on standard crypto assumptions about the underlying constructions, but one of the interesting aspects of LAKE and COSE is that we are trying to minimize message sizes (e.g. by using shorter authentication tags).
It is therefore important to understand the concrete security goals in terms of the expected security level so we can make sure that one of the message size optimizations isn’t unexpectedly breaking the security of the protocol.
Conversely, known the target security level may also allow us to identify new cryptographic optimisations that have not been considered yet.

In addition to the sizes of the crypto keys, it would also be useful to know how many EDHOC session is an intitiator/responder expected to participate in (per day, and over its lifetime.)
How much data do we expect to send in each session?
What is a reasonable compromise window for each device; e.g. would it be ok to refresh the ECDH keys every hour, or once every day?

It would be great to collect a compendium of both usage constraints like these and concrete security targets so we can make sure the protocol (and its recommended ciphersuite) satisfies them.

Best,
-Karthik


> On 11 Feb 2021, at 09:13, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi,
> 
> There was a request from Karthik to have specified security levels for EDHOC so that formal verification can verify or falsify the claims. This is not trivial. Below is a first try. Let's discuss if this is enough or if more or different information is needed.
> 
> The design objectives of EDHOC has been to have approximatly the same security level as TLS when the same algorithms are used, but to have much smaller messages. Just like TLS I think the expected security level depends heavily on the chosen algorithms and the method. Method 3 should be comparable with TLS 1.3 with mutual certificate based authentication. Methed 0 is a bit trickier to compare to TLS.
> 
> In general there should not be much difference between EDHOC and TLS 1.3 when certificate based authentication is used. The exported keys should be a bit stronger as EDHOC include message_2 and the for Static DH also the private authentication keys. The Static DH Method with 64 bit tags does not offer the same security level as TLS 1.3 with certificate-based authentication, but should offer better security than TLS 1.3 with PSK authentication and short tags.
> 
> EDHOC can use all algorithms defined for COSE (but maybe you will restrict your work to
> the pre-defined cipher suites). Below are the relevant algorithms defined for COSE.
> 
> EDHOC AEAD algorithm:
> ---------------------------
> AES-CCM-16-64-128
> AES-CCM-16-64-256
> AES-CCM-64-64-128
> AES-CCM-64-64-256
> AES-CCM-16-128-128
> AES-CCM-16-128-256
> AES-CCM-64-128-128
> AES-CCM-64-128-256
> A128GCM
> A192GCM
> A256GCM
> ChaCha20/Poly1305
> 
> EDHOC hash algorithm
> ---------------------------
> SHAKE256
> SHA-512
> SHA-384
> SHAKE128
> SHA-512/256
> SHA-256
> [SHA-1 and SHA-256/64 not allowed]
> 
> EDHOC ECDH curve
> ---------------------------
> P-256
> P-384
> P-521
> X25519
> X448
> Wei25519 (expected to be registered soon)
> [Ed25519, Ed448, secp256k1 are not allowed] 
> 
> EDHOC signature algorithm
> ---------------------------
> ES256
> ES512
> ES384
> EdDSA
> ES256K
> 
> EDHOC signature algorithm curve
> ---------------------------
> P-256 (ECDSA only)
> P-384 (ECDSA only)
> P-521 (ECDSA only)
> Ed25519 (EdDSA only)
> Ed448 (EdDSA only)
> secp256k1 (ECDSA only)
> [X25519, X448 are not allowed] 
> 
> (Non-ECC signatures algorithms are supposed to be allowed as well. I think the draft needs to be updated.)
> 
> Below are two initial ways to express the security level, one as a function of the Mehtod and algorithms. The second as a comparision with TLS 1.3. In general, EDHOC with the weakest options SHALL offer 64-bit security against on-line attacks and 128-bit security against off-line attacks. I think this aligns with TLS 1.3.
> 
> Let me know if this is enough for the formal verification, if you need something different, or if something is missing. It would be good if somebody reviews the information is this mail.
> 
> 
> EDHOC security levels for different aspects
> ---------------------------
> 
> The security level of confidenciality protection against passive attackers should be the key length of the AEAD (128, 192, or 256 bits).
> 
> The security lebel of integrity protection and confidentiality against active attackers should be the tag length of the AEAD (64 or 128 bits)
> 
> The authentication security in the static DH modes are determined by the  tag length of the AEAD (64 or 128 bits)
> 
> The authentication security in the Signature Key modes are determined by the security level of the signature algorithm (128, 192, or 256 bit)
> 
> The integrity protection of some fields are detemined by the security level of the signature algorithm (128, 192, or 256 bit).
> 
> 
> 
> EDHOC security levels compared with TLS 1.3
> ---------------------------
> 
> Method 0 (2* Signature Key ) should offer the same security level as TLS 1.3 with the same algorithms.
> 
> 0. (AES-CCM-16-64-128, SHA-256, X25519, EdDSA, Ed25519)
> 1. (AES-CCM-16-128-128, SHA-256, X25519, EdDSA, Ed25519)
> 4. (A128GCM, SHA-256, X25519, ES256, P-256)
> 5  (A256GCM, SHA-384, P-384, ES384, P-384)
> 
> 
> Method 0 (2* Static DH Key ) is a bit trickier.
> 
> 0. (AES-CCM-16-64-128, SHA-256, X25519, EdDSA, 
> 
> The authentication security level here is bounded by the 128-bit tag. Should offer at least the same security level as TLS 1.3 with PSK authentication with CCM_8, and the other algorithms the same.
> 
> 1. (AES-CCM-16-128-128, SHA-256, X25519, EdDSA, Ed25519)
> 4. (A128GCM, SHA-256, X25519, ES256, P-256)
> 
> Should both offer similar security level as TLS 1.3 with certificate authentication and the the other algorithms the same.
> 
> 5	(A256GCM, SHA-384, P-384, ES384, P-384)
> 
> The authentication security level here is bounded by the 128-bit tag.
> 
> Cheers,
> John
> 
> 
> -- 
> Lake mailing list
> Lake@ietf.org
> https://www.ietf.org/mailman/listinfo/lake