[Lake] Static-DH-based Protocols for LAKE
Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Wed, 23 October 2019 11:13 UTC
Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B89A31200F4 for <lake@ietfa.amsl.com>; Wed, 23 Oct 2019 04:13:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R4fOD8sfRkeH for <lake@ietfa.amsl.com>; Wed, 23 Oct 2019 04:13:26 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F1A612008F for <lake@ietf.org>; Wed, 23 Oct 2019 04:13:26 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id r1so11826669wrs.9 for <lake@ietf.org>; Wed, 23 Oct 2019 04:13:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:content-transfer-encoding:mime-version:subject:message-id :references:to:date; bh=z6JB8UP+XPu3O2KjxMDl1fW/wrRpDXS31f9YpI2y2qU=; b=Lpmh8r/vriR/8w4eO5aa0d/yEN2LUseQmoqFgtkEi+JwzmdXjVcyZ2igEGzkWNhcZH ai4s9pwWKOj0LBcSN9vizQxcjbifFif2nFhFJv1nMPqyP6gYxaHSqjhf3FWjroJupzeL w/kM5u/B11e6gusSbIx/Qpbli7BWjs/RFuRGJDS1yf4jtdWro9yf23q01qv3wJOJy560 8AIAWXkkVsxEvg/24oHrkvYZdKEObPvzamuoqV/BrR700P+EMkIgw9mmV7LOi2jvJROR 18q9uas2j6vvUtU6qQUBMfs8pc81K0Pcp668OSPMpQD+g/bz5a8ZMjrTfCWUBtK48wEH KRGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:message-id:references:to:date; bh=z6JB8UP+XPu3O2KjxMDl1fW/wrRpDXS31f9YpI2y2qU=; b=ODHkesCRUIFzK338UOFw2WeJGKUXU+vo4KjaVuwj9QtgTpPB2XQKzLRixmHBXF6h4N 5MVNlIw7Vr1rjpc6T+V+25r6z0oo10NMcrs62JRK6lY4jqMVHI7BqLFft4XbJhr9srlD jOAcCjdbaKdpWgW3cCRw3pe6zPE28PBEISj3O2/oDenn5yLiAb4DmjnMgTQ5G9kgNzMG UheDHls7IiQiQA9U0joCxCU6jOvO0W1igwQd9mOpcJdswXBJtgX5VIxvvSDIuGaMOzaI eO0yR2c8pP3Hz3vitqBorf3syxCydHUHhK4JxMTZ+yxeY/lNPwI+yWkBAESGsQBEoTqu c2cQ==
X-Gm-Message-State: APjAAAX/wZ8lvMaDEY+VsV1KQn3kbiQiBP9jYDjW+6/RnjALMsRJcK5w if4iOjjco5jKNZTBrGXr4+7JOSYDnR8=
X-Google-Smtp-Source: APXvYqxKJCuRmxStLnKS3QWY2tt1w5Yxf8EB7CLkjwgdtxMqIe5jkUZ9cskpXaG4t5ceb1v3dIWCIg==
X-Received: by 2002:a5d:610d:: with SMTP id v13mr1845586wrt.21.1571829204236; Wed, 23 Oct 2019 04:13:24 -0700 (PDT)
Received: from wifi-pro-83-029.paris.inria.fr (wifi-pro-83-029.paris.inria.fr. [128.93.83.29]) by smtp.gmail.com with ESMTPSA id p12sm9123870wrt.7.2019.10.23.04.13.23 for <lake@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Oct 2019 04:13:23 -0700 (PDT)
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-Id: <948ECECE-5425-4720-A0BA-F1E918F9F8F9@gmail.com>
References: <E28DDCCB-7F3B-4CFD-898C-93A9A80B7184@gmail.com>
To: lake@ietf.org
Date: Wed, 23 Oct 2019 13:13:22 +0200
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/zcS8QMHZ5jxuH3z2MrelKcXjPjo>
Subject: [Lake] Static-DH-based Protocols for LAKE
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2019 11:13:29 -0000
Hello All, In my team, we have been formally analyzing various key exchange protocols, including some that use static Diffie-Hellman keys for authentication. Some of these protocols would be particularly suited to LAKE, and I note that Appendix B of EDHOC draft 14 already hints at this. I wouldn’t be surprised if this has already been discussed before, so do let me know if I am repeating things everyone knows. For concreteness, I am sketching two protocols below and comparing them with EDHOC. If there is interest in the working group, we could write up a more detailed, more general document describing the protocols and their formal analysis. Static DH+PSK LAKE ================== I propose the following composite protocol that uses both static DH and PSK (where the PSK can be set to Zero if unavailable). We could easily remove PSKs from this protocol, but I left it in to show how the two authentication mechanism can be composed to obtain extra security. In particular, the PSK could include some external key material (e.g. a key generated from a PQ-KEM ), and the use of PSK can protect against some bad-randomness vulnerabilities. For those familiar with the Noise protocol framework, this protocol corresponds to XXpsk3, except that I am using EDHOC notation here to more clearly link the protocol to LAKE: I -> R: TYPE, SUITES_U, G_X, C_U, UAD_1 R->I: C_U, G_Y, C_V, AEAD(K_2a; ID_CRED_V), AEAD(K_2b; UAD_2) I->R: C_V, AEAD(K_3a; ID_CRED_U, ID_PSK), AEAD(K_3b; PAD_3) Many of the elements here are the same as EDHOC: - G_X = g^x: the initiator’s ephemeral public key - G_Y = g^y: the responder’s ephemeral public key Some things are different: - ID_CRED_V is used to retrieve g^v, the responder's static Diffie-Hellman key - ID_CRED_U is used to retrieve g^u, the initiator's static Diffie-Hellman key - ID_PSK is used to retrieve a PSK (potentially a string of zeroes) - K_2a is derived as KDF(g^xy, TH_2a) - K_2b is derived as KDF(K_2a, g^xv, TH_2b) - K_3a is derived as KDF(K_2b, g^uy, TH_3a) - K_3b is derived as KDF(K_3a, PSK, TH_3b) The transcripts are computed as usual: - TH_2a includes the first message and all elements of the second message up to C_V - TH_2b includes the first message and all elements of the second message up to the first AEAD - TH_3a includes the first two messages and all elements of the third message up to C_V - TH_3b includes the first two messages and all elements of the third message up to the first AEAD Security guarantees: Assuming standard assumptions on full strength cryptographic primitives - UAD_1 is insecure: no authenticity or confidentiality - UAD_2 is authenticated by R and can only be read by the client who knows x. - PAD_3 is secure: it can be read and written only by I and R. - All messages from PAD_3 onwards have forward secrecy and KCI resistance Message Sizes: Using the same overhead numbers as in the EDHOC draft - 1st message: 38 bytes - 2nd message: 58 bytes - 3rd message: 34 bytes Note: - These calculations assume 8-byte AEAD tags. With full 16-byte tags, the sizes would be: 38, 74, 42 - This protocol combines the security of PSK and Asymmetric authentication at little cost. Removing PSKs would change only the third message, bringing sizes to: 38,58,32 PSK LAKE ========= For completeness, here is the protocol using only PSKs and no static DH. In Noise notation, this corresponds to the NNpsk3 pattern. I -> R: TYPE, SUITES_U, G_X, C_U, UAD_1 R->I: C_U, G_Y, C_V, AEAD(K_2a; UAD_2) I->R: C_V, AEAD(K_3a; ID_PSK), AEAD(K_3b; PAD_3) Keys: - K_2a is derived as KDF(g^xy,TH_2a) - K_3a is derived as KDF(K_2a, TH_3a) - K_3b is derived as KDF(K_3a, TH_3b) Message sizes: assuming full-sized AEAD tags and the same overheads as EDHOC - 1st message: 38 bytes - 2nd message: 45 bytes - 3rd message: 13 bytes Note: - This protocol has the same structure as the more general protocol, except that it does not use static DH keys - An important difference between this proposal and the EDHOC PSK case, is that here, we seek to provide privacy for ID_PSK by putting it in the third message. - We could modify both protocols to send ID_PSK in the first message. This has a privacy cost, but the benefit that we can obtain server authentication already at the second message. MANY OTHER VARIANTS ====================== I have sketched the above variants only to give rough examples of what we think are lightweight protocols for which we can prove strong security properties. Many other variations are possible and may be worth considering. I am looking forward to your comments, especially if I am misunderstanding some requirements. Best regards, Karthik (Inria Prosecco)
- [Lake] Static-DH-based Protocols for LAKE Karthikeyan Bhargavan
- Re: [Lake] Static-DH-based Protocols for LAKE Michael Richardson
- Re: [Lake] Static-DH-based Protocols for LAKE Karthikeyan Bhargavan
- Re: [Lake] Static-DH-based Protocols for LAKE Göran Selander
- Re: [Lake] Static-DH-based Protocols for LAKE Karthikeyan Bhargavan