[Lake] Explanation of issue #52 - encryption of message_2

John Mattsson <john.mattsson@ericsson.com> Thu, 28 January 2021 14:05 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "lake@ietf.org" <lake@ietf.org>
Date: Thu, 28 Jan 2021 14:05:34 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/kiSTd5Y5lYWvXkEGhuaTSbKRCmE>
Subject: [Lake] Explanation of issue #52 - encryption of message_2
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>

Hi,

There was an AP on me from the last interim to send an email discussing the requirements for encryption of message_2.

This is issue nr. 52 on GitHub
https://github.com/lake-wg/edhoc/issues/52

The main requirements as I see them are:

- Security requirements: conceal the identity of the server to any passive attackers. As described in the SIGMA paper an active attacker can get the identity by sending his/her own message_1. The security requirements here are lower than we normally require. So IND-CPA encryption with a key that only the Initiator and Responder have is good enough.

- Expansion requirements: message_2 is already 1 byte too large for the currently estimated size requirements. We will later have to compress it further by concatenating some byte strings with known length. The encryption can therefore not cause any message expansion so only IND-CPA is possible.

- Ease for developers requirement: We want to make the implementation easy for developers implementing EDHOC. We would e.g. like to avoid forcing them to implement stream cipher modes of AES and ChaCha.

Based on the feedback from developers the solution in -04 is to use (HKDF-)Expand as a binary additive stream cipher. This provides better confidentiality than AES-CTR. The paper calculating AEAD limits for CCM is e.g. enthusiastic about the confidentiality properties of HMAC-SHA1 used as a stream cipher.

Cheers,
John
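
The construction discussed in the message above, as an added example that is not part of the original email or of the EDHOC draft: HKDF-Expand (RFC 5869, here with HMAC-SHA-256) produces a keystream exactly as long as the plaintext, which is XORed onto it, so the ciphertext has no expansion. The PRK, the info label and the plaintext are constructed values, and `flip_bits` is a hypothetical helper that shows why this gives confidentiality only.

```python
import hashlib
import hmac


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand from RFC 5869, instantiated with HMAC-SHA-256."""
    hash_len = hashlib.sha256().digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand output is limited to 255 hash blocks")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(n) = HMAC(PRK, T(n-1) || info || n), with T(0) empty
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def xor_with_keystream(prk: bytes, info: bytes, data: bytes) -> bytes:
    """Binary additive stream cipher: the same call encrypts and decrypts."""
    keystream = hkdf_expand(prk, info, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def flip_bits(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Model an in-transit modification (hypothetical helper for this example)."""
    modified = bytearray(ciphertext)
    modified[offset] ^= mask
    return bytes(modified)


# Constructed sample values (assumptions, not EDHOC test vectors).
PRK = hashlib.sha256(b"constructed per-session secret").digest()
INFO = b"example message_2 keystream label"  # hypothetical label
PLAINTEXT = b"constructed responder identity and signature"

if __name__ == "__main__":
    ct = xor_with_keystream(PRK, INFO, PLAINTEXT)
    print("plaintext/ciphertext length:", len(PLAINTEXT), len(ct))
    print("round trip ok:", xor_with_keystream(PRK, INFO, ct) == PLAINTEXT)
    tampered = xor_with_keystream(PRK, INFO, flip_bits(ct, 0, 0x01))
    print("modified ciphertext still decrypts, first byte changed:", tampered[:1])
```

Because a changed ciphertext bit changes exactly the same plaintext bit without detection, integrity has to come from elsewhere in the protocol, and the keystream must never repeat: PRK and info together have to be unique per message.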