Re: [Lake] Summary of actions since IETF 109
Göran Selander <goran.selander@ericsson.com> Fri, 18 December 2020 13:17 UTC
Return-Path: <goran.selander@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B86F93A06E7 for <lake@ietfa.amsl.com>; Fri, 18 Dec 2020 05:17:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SJeTfr1J08lC for <lake@ietfa.amsl.com>; Fri, 18 Dec 2020 05:17:01 -0800 (PST)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2068.outbound.protection.outlook.com [40.107.21.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9106E3A0637 for <lake@ietf.org>; Fri, 18 Dec 2020 05:17:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JEfY142x23BKk/3EsZHT+eqUdFn/24B6WaCItoIjDNhfknvy2Wqm5ybezFJUpGVURtqm4IH3Q68H03YKQFfAdzbxdcL9ePET5BK6UD+0kzUYDhvg8gjhJAlsWpoqvXWfjy1bEL/JTfa744m+8i+QoUlLiGZ1laeNZfzEggBS3WJ2u+ZYE7Kf14F75l+qcB2SGB7ql0/fBOtbEpYFfsMQixoF0vWrNsRWlOXcigg/Fwms4kHxtN7aMdto4h4IDq2drNHS3xvNO35GncGkEfHezMa4kvPhN8TRs/2pW7Hn53eObVJwWymJfq6yXGls4RCu/s+V7++wW1UoSXBbWUcJ0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LBbNSnpxEfrtKecQNiNG3uFy77n/WbPs42bnydMs7l0=; b=Jx44BvdH598dWMGiD5aB3NYOpXWIXpSHeMnDZq9FHMy4MWAi7MCz9osQCx9WHG4Wpksi1aMOd1AM1RH0+GJ2feRJipgSjrPhRwYXoJLCJerO5S3Wbiuk4K2YvQnPZjDk+AAXK2cE8VGQYYdR9nIuNQbId/xXPyJ45kARpz9v1uO3fbmvogkEkqn1I+Zn2xGQZkZc7nn3ezXnJpyDiEI0StKKpEYgPHSG0y6OwOsfMj3kUu2IUTtqJ0xodWLnk0JGRJsoBRIDoH2zH9U3X4Tonwv7tD3+vbYnPbQyEQDn0MAPWDsy4M+8qwKOMm0u15iea7jn+rK1w5rCqSEGsAIHOw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LBbNSnpxEfrtKecQNiNG3uFy77n/WbPs42bnydMs7l0=; b=fAmgD3NH2uj4Ck3a87bpmf7DE4UtLIFDJhqXphjieAigNCcizSNjAQlvpIu1cjpYiNeixSOaKkfKulNpX29eO5msVHWik0rbjKE2B+PwAtaVBtYsM/ayjxotAE6vMBUxjMlNY0r1ACIvCYiTjJL9L2+7X/smqft2ikmwAEKFcaQ=
Received: from HE1PR0702MB3674.eurprd07.prod.outlook.com (2603:10a6:7:82::14) by HE1PR0701MB2108.eurprd07.prod.outlook.com (2603:10a6:3:27::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3676.11; Fri, 18 Dec 2020 13:16:58 +0000
Received: from HE1PR0702MB3674.eurprd07.prod.outlook.com ([fe80::fd09:b8f4:2698:e86]) by HE1PR0702MB3674.eurprd07.prod.outlook.com ([fe80::fd09:b8f4:2698:e86%7]) with mapi id 15.20.3676.015; Fri, 18 Dec 2020 13:16:58 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [Lake] Summary of actions since IETF 109
Thread-Index: AQHW1UAQd23yy7cDeEKFnLKd2RHnnw==
Date: Fri, 18 Dec 2020 13:16:58 +0000
Message-ID: <ED713724-0BFF-43D8-A9E6-53E2F6FBFD19@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.45.20121303
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [83.249.67.87]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fdbf66d4-4e26-4cfd-b46d-08d8a357331d
x-ms-traffictypediagnostic: HE1PR0701MB2108:
x-microsoft-antispam-prvs: <HE1PR0701MB210890096239800F900027F6F4C30@HE1PR0701MB2108.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: piW2YpnwTKlJXRyDm/qqiKzE9FnO2EdfkbHrqEu31PbkjGfY4UepS64HwZjFCVSkuuIj+zpBrJdvfaCuJEGetJ+YyyFTNMgdnz7W7gnCgakN+mJr8MrqLy4tB3IFx/Fe+OcEQsMAsnc8Ye+lz2wTv1ZnwBK4S0zAAIWjvPSbONCYTyUCX/43L/JZxDrSNEVpqCGCG4+T352SFX9tu3wrROgJbq6Nq2/tkAoj2iA0mMe2BFmgeBVBt0DBn89Iyrn1SKOU94PemlX+hO158CtZ7Rkl2AVsvfvEhd7huif/szJbmYUL3rRhS/gYS/m5yYy7o3DmZov3ybCK58GyW7NhnjT2EGugRRJAtSq46HEIfDq6026vdg64BMHZ5BUNwdG/zHuuCkg6rMA2bqVfd6BgerQVKgB1HWIAigQmtwzqtgV2eLsLqO/0L4dHuHX3I5OFXC7ixJiCWWUEj0enijSTdYDlfoEYsDl979ZX87HVVf5RVvZzihScZSbdICamc1qbFO6W923S79GspJGpvrIlNA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3674.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(396003)(136003)(366004)(39860400002)(76116006)(6916009)(64756008)(2616005)(4001150100001)(86362001)(71200400001)(85182001)(966005)(66556008)(66446008)(316002)(8936002)(5660300002)(478600001)(26005)(85202003)(66946007)(6512007)(2906002)(66476007)(186003)(83380400001)(33656002)(6486002)(6506007)(36756003)(66574015)(8676002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Vq0rEq+vtbXhGEOr1B5Y64FVZUAZoQnQuskmE2S08au7DcD7vOlUrPk7Jg3baYJqb7uu4BPXq4T1rTI13NyyK5NY06XcYcmcFV5hUh9ALQJIp5LBbnIhBXwBB8Am35TNv3QgfaoHcWTVUR4W2GrA5ESeI0fZdmTphfROLCxwUCuQt/2ez67wVOlDDPfkkCwyD0EuQNNPh5XwRjpiLDlyLHz2OeH4ESEXks7MEBH04xGND0a9fs4JSlu868XlKXYx0g6FaPpO9fVOy1PB5/8KGls3MUJ5yRAYNNEOYU5xFcjKAHFK6Xnn9YaaXmtvzhNiUetyga4R6Uv8PViTdsaGrD4MFFy6UFA+NK12E/ZJcHnZLs9Wf4Sls1Wsw6sI4gXARlIFZS0NM0Guzt5AftVV6LsU1fsOL97MvyJzOwN2h/EsznhXQ2D0NDF6uKNVsXYz96JwHcLNiRulBN6qoYEUMehjOA1tkBrKlNvGhWVjY9PE5kUlS0bcAvYzxn7ZGcbcWfJGoO+EIVrwP3wYsmKTSHaXPc65JuK3CrBkhdoGp6XoSkE1Wsx/P7r2wm6m/cnezwuPpir0IGixX91ofbFYZgSyPJDDIR7do7wX1tQAfBtjhvccIal9OKB20Ctqi58roU1LCRSRVD/RQgt2u2lZvhqh1rUdGr+7qmfehNVVmXuGglT9WGWZbs39bGg9veMwgISfo0f1+nuKyTJkS1be5EquGBda/EPIyzRTs5ZRWpNVFUK5q9uk5w6R79dNG0VknXgxDnaw6iCxGm3jrlhhOTpCfQ1nyPsZw+zklMX8u6guAbDQWlTFYdZH94hWB5iTbOXWnKOANEeKT7bTJ3D1yupS7M/LuhsnyjopSv4iJzdW1qzHYcebvv4JL7gusimsgmGTOXGjPb1Flc1IRcpoDV6pC5hM9RHpIR1KIkrEKGnfPofuZlrKfpu2yLPTQ8BPYeoH6laAWp5pIaUCr2a1RTAZSL9jwpGfCzuS3PCAN2Rt5kmaGx8B241UtuXO4afm
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <6E92531F45648B41BA7D27A4D6559E13@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3674.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fdbf66d4-4e26-4cfd-b46d-08d8a357331d
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Dec 2020 13:16:58.7192 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: O5Adp80MmcaS6FkNROlG80A8bB48H1AWhurm4fJokjPj8XSZYHLwBnxO4iD30iFL25KOD9aYjBBd2kegmaNuIUDOhOrZ0IhYfMcNHoNob44=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2108
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/tqaQoYfn6GcOZz9AE7jqqI7789Q>
Subject: Re: [Lake] Summary of actions since IETF 109
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 13:17:04 -0000
Hi, We just submitted -03 which contains the updates listed in the mail below. Additionally, the new version has a number of editorials. The main change is an updated presentation of the protocol elements addressing issue #40. This changed the structure of section 3, but the content is essentially unchanged. Here is a diff: https://tools.ietf.org/rfcdiff?url2=draft-ietf-lake-edhoc-03.txt Göran On 2020-12-17, 14:33, "Lake on behalf of John Mattsson" <lake-bounces@ietf.org on behalf of john.mattsson=40ericsson.com@dmarc.ietf.org> wrote: Hi, The following updates has been made based on the issue discussion at IETF 109: Agreement/negotiation of parameters (#11, #23): -------------------------------------------------------------- A new appendix that describes the parameters that need to be agreed upon between Initiator and Responder has been added. Currently some overlap between the new appendix and the section “Communication/Negotiation of Protocol Features”. Rekeying OSCORE AEAD (#20): Forward and backward secrecy (#24): -------------------------------------------------------------- CORE WG discussed rekeying and forward secrecy at IETF 109. The discussion has continued after IETF 109. Preliminary conclusions are that a new CORE draft is needed to specify OSCORE AEAD counters, that RFC 8613 appendix B.2 (or and update) is needed for lightweight rekeying in OSCORE, and that it would be good if lightweight forward secrecy (FS) can be done in EDHOC to avoid changes in OSCORE. We think lightweight FS can be achieved by “hashing” the key PRK_4x3m with the EDHOC-Exporter. The nonce make sure that the “hash-chain” does not have short cycles. The following update has been made in GitHub: EHDOC-Exporter-FS( nonce ): PRK_4x3m = Extract( [ "TH_4", nonce ], PRK_4x3m ) FFS where the nonce comes from (EDHOC, OSCORE) and if it is a counter, a random number, or counter+random number. The use of OSCORE appendix B.2 together with the EHDOC-Exporter-FS function align on a high level with the mechanisms proposed by Karthik https://mailarchive.ietf.org/arch/msg/lake/vkJunXEQZ33HP9YpNByQesEW7l8/ Distinguish error message (#30): -------------------------------------------------------------- Text on how to distinguish error message has been added. This discussion has spawned several new discussions. Are there a need to distinguish message_1 from message_3 except the connection ID and 5-tuple? Is the error message something the implementor define or should EDHOC define the error messages? More ways to Identify certificates ('kid’, ‘c5u’, c5t’) (#32, #33): Verification of intended peer (#8): -------------------------------------------------------------- COSE WG have on ongoing discussion on how to identify a certificate with ‘kid’. Request to add ‘c5u’, c5t’ to the EDHOC test vectors. The CBOR certificate draft will add the subjects private key to enable this. We will add text on why SIGMA require a “subject name” and describe the kind of misbinding attacks this mitigates. This is a bit related to ongoing discussion on the security of ‘x5u’ in COSE. Shall we replace HKDF with a more general extract-and-expand to allow KMAC? (#19): -------------------------------------------------------------- Changed from HKDF-Extract and HKDF-Expand to general Extract-and-Expand. For SHA-2, HKDF is used, for SHAKE, KMAC is used. (Note that this does change anything when SHA-256 is used. We are also currently not planning on adding SHAKE cipher suites, but SHAKE (like all other COSE algorithms) can be used with private cipher suites. Shall we specify EDHOC in terms of KEM? (#17): -------------------------------------------------------------- We tried to implement EDHOC with the HPKE interfaces. The conclusion is that the signature mode maps quite well to the unauthenticated HPKE interfaces, with the difference that HPKE forces Extract-and-Expand and EDHOC uses Extract and Expand as separate functions and use the intermediate key to derive several keys with Expand. The Static Diffie-Hellman modes does not map well to HPKE as HPKE do GenerateKeyPair() inside Encap(), while EDHOC relies on doing GenerateKeyPair() outside of “Encap()” as an essential optimization. The conclusion is therefore that this change should not be done as it would change the key derivation too much as well as significantly increase message size. We should however consider to future proof EDHOC so it can be updated with PQC KEMs. Unclear if “Static DH” authentication with PQC KEMs provide any benefits compared to PQC signatures. How to do encryption without integrity in message_2 (#34): -------------------------------------------------------------- The agreement from IETF 109 was to specify new modes of AES and ChaCha20 for message_2 similar to TLS 1.3. After trying to implement this we think it is a bad idea as it makes things quite complicated for developers and complicated the specification. In EDHOC it is not enough with AES-ECB and the ChaCha20 block cipher as in TLS 1.3. EDHOC would need AES-CTR and the ChaCha20 stream cipher. This makes the specification a bit complicated and it makes it a bit complicated for developers with a COSE implementation as they have to dig out AES and ChaCha20 and implement stream cipher modes. We would like to bring this up for discussion again. We think both 1 and 2) would be better choices with low complexity for developers. 1. Generate keystream with HDKF-Expand. 2. Encrypt like in message_3 and remove the tag (if there is a well-defined tag). Register cipher suites with high security (#35): -------------------------------------------------------------- Several independent requests to include a cipher suite compatible with CNSA. One request to add a general non-constrained cipher suite. We have added the following two registered cipher suites to EDHOC. The first one is compatible with CNSA and the second uses the algorithms popular on the web. 4. A256GCM, SHA-384, P-384, ES384, P-384, A256GCM, SHA-384 5. A128GCM, SHA-256, X25519, ES256, P-256, A128GCM, SHA-256 We have also added additional text describing that EDHOC can be used with all COSE algorithms/curves by using the private cipher suites. Cheers, John -- Lake mailing list Lake@ietf.org https://www.ietf.org/mailman/listinfo/lake
- [Lake] Summary of actions since IETF 109 John Mattsson
- Re: [Lake] Summary of actions since IETF 109 Göran Selander