[Lake] EDHOC prototyping and feedback
Brian Sipos <brian.sipos@gmail.com> Tue, 11 February 2025 03:26 UTC
Return-Path: <brian.sipos@gmail.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65565C180B60 for <lake@ietfa.amsl.com>; Mon, 10 Feb 2025 19:26:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e6HvxvtMwDkA for <lake@ietfa.amsl.com>; Mon, 10 Feb 2025 19:26:10 -0800 (PST)
Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2BA8C169430 for <lake@ietf.org>; Mon, 10 Feb 2025 19:26:10 -0800 (PST)
Received: by mail-pj1-x1036.google.com with SMTP id 98e67ed59e1d1-2fa286ea7e8so5462816a91.2 for <lake@ietf.org>; Mon, 10 Feb 2025 19:26:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1739244370; x=1739849170; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=3efzvf6rjhZ8PTpnE2K+xkqRPl94jf/axxXHBMoK6IU=; b=YtUhhTlS8BJ1pErv+QFyTDjwLbgJovLj/YI89mefyACa/uk58qmcfBSJsKHFXAsI3l 1vESAd4TT2Gm8xwDM2rVmkqlLpJ4vSYm45ZNeeEX4F31JjJn2HaLR9I7Vgs7mflKsD9V ow0caA1D3/zoP8iGFopmJIh7KdaCeUMgVvCxRkuD5Af5TiR0ZHdLNIFd728K2CSdWPLj 6IDuZumByHVEYG1QIORpu8j/ECMMKjPIgPhnJmrwO+WrTfsDXOY/xi++pz0C/6yGxsyu p8HeEvtAl9pGjqmKQ5RNxINQOeubnu5QEXi4ORcZlDBQOpC8Fd2UyG6QPUsc3LYM8LUt sa7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739244370; x=1739849170; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=3efzvf6rjhZ8PTpnE2K+xkqRPl94jf/axxXHBMoK6IU=; b=bm5hCtRr0f/IZm32OJXF63M/gxIazRPfrKLLwpZc+hyPqu8QyI7f3C2/K6n8P5FkYp HjU2/uw0QzWhGsaBz3xGImAeZjajbQdsIYKKeq0xw37axcZ4UmBapefLHI+R8Kpub3qf 1Vx2NKSs+5TzYMgr2t0DSYRICPJr0W+R7y69a4YyraEWlR8qg5RLK0KxnSJ6OEqRB2sy P447Xk2HI8K6FNKFj6qAHK3/z48cvHrHSjFFIWGT91oEpLdEkQV1uOVXSdVRZRru4OED eUZa0cRvDYEoplMfQXlZp9gA1N8WhgUUOQopLh0Vk247ymGFrsT0gkvpsSMtO4PCBs+t x20w==
X-Gm-Message-State: AOJu0YxvYKdCrjB/EL1f1uaImrToEThswj1PuNkVy6PpTl8yqsS6It++ jfKt4F8lsC2nTWj2/DNxCTLSXlhTL1JX/bMG7NVb2UjrzVUtIbEHJbhXSpipD7N6V65ZhN8hMmj Y1HknPBzdyMrGbO2VXRWdBbh4LZjHHQ==
X-Gm-Gg: ASbGnct0Zh05k4lV90vi15a+XznIZHKHHrnWAwlUTJgyBz920Y5OYI6GEMhPReeE0cB ozjd21XerY1G5snUfCOUq0HRsnjoqMqxZY9GBxhKiIFppIOEg5TweIFTJX3ugaLP5AHk8HJypR9 bCPzGL39iYzdJRx3Nv7Nvb+YpoyFLyQA==
X-Google-Smtp-Source: AGHT+IFCHJOM0Dp0LQrtN2r2Zf/flY9iy86TdBx8LUOj7a4z/dy/t4nV4IPIC0W0wqxb8bjAKckhCXjL1//E/ZEEB6A=
X-Received: by 2002:a17:90b:38c3:b0:2f4:434d:c7f0 with SMTP id 98e67ed59e1d1-2fa23f6e5f1mr28201731a91.12.1739244369629; Mon, 10 Feb 2025 19:26:09 -0800 (PST)
MIME-Version: 1.0
From: Brian Sipos <brian.sipos@gmail.com>
Date: Mon, 10 Feb 2025 22:26:00 -0500
X-Gm-Features: AWEUYZkNl-874R9D5T2uYaQAOlL2EQQe1yLmYIl5K2fqxbqHWhaf7v2PJXVD5i0
Message-ID: <CAM1+-giJ-Hy1dezh1t2hchywEwmiwHZtcc5M=qaOavy9mmPT4Q@mail.gmail.com>
To: lake@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d45918062dd562b4"
Message-ID-Hash: PIXRF6U7RXSIZTGK7FWT7FUNXDE4KZ2L
X-Message-ID-Hash: PIXRF6U7RXSIZTGK7FWT7FUNXDE4KZ2L
X-MailFrom: brian.sipos@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Lake] EDHOC prototyping and feedback
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/pCZp-yI8PXjnvDMdRFi1-vSpx88>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Owner: <mailto:lake-owner@ietf.org>
List-Post: <mailto:lake@ietf.org>
List-Subscribe: <mailto:lake-join@ietf.org>
List-Unsubscribe: <mailto:lake-leave@ietf.org>
LAKE WG, I've gone through a trial implementation of EDHOC from RFC 9528 and overall find the definitions in the spec are clear and understandable. The detailed traces from RFC 9529 are also helpful to verify not just self-consistency (being able to establish a session with my own implementation) but absolute correctness against the test states. During testing I ran into only two intermediate states which were not composed as I had expected from just reading RFC 9528, and the differences were subtle. I think at least one of these represents an errata against the spec as written. 1. The composition of PLAINTEXT_2 in section 5.3.2 is defined as a CBOR sequence and the notation used in the ciphertext definition of "PLAINTEXT_2 XOR KEYSTREAM_2" implies that the PLAINTEXT_2 is treated here as a byte string, but when used later in Section 5.4.2 for the transcript hash "H(TH_2, PLAINTEXT_2, CRED_R)" the transcript-being-hashed uses PLAINTEXT_2 not as a byte string value (with a bstr head) but as the sequence itself. I don't think any of the text for either uses is wrong, just apparently unclear enough that my first attempt did treat PLAINTEXT_2 as a bstr item for the transcript hash. 2. The compressed encoding of ID_CRED_x used in PLAINTEXT_2 and PLAINTEXT_3, where a KID-only map is compressed to just the KID value, is apparently not used in the construction of internal MAC context_2 and context_3 data. This is not explicitly mentioned either in Section 5.3.2 or 5.4.2 respectively, and I think this does deserve an explicit mention in the spec that the context-encoded ID_CRED_x are different bytes than the plaintext-encoded form of the same structure. This is especially true since it appears that the C_x values do get compressed encoding for the context_x values, so there is some inconsistency. Not to say the spec or traces show incorrect behavior, just that the encoding details deserve explicit discussion in the spec. Overall I think the function of EDHOC is quite well designed, especially the extensibility via EAD values and the PRK exporter interface. One additional embedding design question I have: is there any technical benefit or drawback from registering more than one exporter label, as the OSCORE use does, vs simply use a single label with unique context data? Thanks for any and all feedback, Brian S.
- [Lake] EDHOC prototyping and feedback Brian Sipos
- [Lake] Re: EDHOC prototyping and feedback John Mattsson