Re: [Lake] 🔔 WG Last Call for draft-ietf-lake-edhoc-17

John Mattsson <john.mattsson@ericsson.com> Fri, 04 November 2022 09:55 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/j16PIqTIBZsqLrFFLPQsMhHhvDg>

Hi Charlie,

Good catch, I think we should do some small update so the text is correct. My understanding is that EdDSA (the IETF standard) is SUF-CMA, while ECDSA, RSASSA-PKCS1-v1_5, and RSASSA-PSS are EUF-CMA. I do not know about HSS-LMS.

I assume that someone also theoretically could register a randomized AEAD in COSE which would only be EUF-CMA.

Cheers,
John

From: Lake <lake-bounces@ietf.org> on behalf of Charlie Jacomme <charlie.jacomme@inria.fr>
Date: Thursday, 3 November 2022 at 15:01
To: lake@ietf.org <lake@ietf.org>
Subject: Re: [Lake] 🔔 WG Last Call for draft-ietf-lake-edhoc-17

Hi all,

Following our previous analysis of drafts 12 and 14, we have now updated our models w.r.t. draft 17, making a full pass over both the protocol changes as well as the security considerations mentioned throughout the draft.

Overall, there is a last security claim that is slightly wrong from a theoretical point of view, but in practice does not bear consequences. We detail it below. Otherwise, our automated analysis was not able to find any other weakness, so we hope that with respect to state-of-the-art analysis techniques, the protocol is in pretty good shape.

It concerns the following point, page 42:
    "Changes in message_1 and message_2 (except PAD_2) are detected when verifying Signature_or_MAC_2. "

This claim in fact depends on the security level of the signature scheme used. Assume that we have a signature scheme such that given "Sign(m,sk)", the signature of message m with secret key sk, there exists a constant "c" such that "Sign(m,sk) XOR c" is also a valid signature for the same message m under sk. This is not a violation of the classical assumption over signatures (EUF-CMA), and with such a signature scheme, an attacker could then change the content of message_2, by XORing the signature part with the constant c, and this change would not be detected after verifying the signature, and would only be caught on a message 4 or key confirmation.

This is only a theoretical attack, relying on the difference between the classical cryptographic assumption EUF-CMA, under which a signature authenticates only the underlying message, and the stronger SUF-CMA assumption, under which a signature authenticates both the underlying message and the signature itself. None of the concrete signature schemes currently standardized appears to be malleable under XOR. We report it for thoroughness, but are uncertain whether the sentence should be changed or not.

Best,
Charlie Jacomme, Elise Klein, Steve Kremer and Maïwenn Racouchot.

On 14/10/2022 12:24, Mališa Vučinić wrote:

Hi all,

As discussed during the interim on 5 October 2022, this email triggers the working group last call for the version 17 of the EDHOC draft, the main item on the agenda of the LAKE working group.

The draft can be found at: https://datatracker.ietf.org/doc/draft-ietf-lake-edhoc/

Please state your position and comments to the list by 4 November 2022 so we can discuss them during the IETF 115 meeting in London.

Thanks,
Mališa, for the chairs