Re: [Lwip] WGLC for draft-ietf-lwig-crypto-sensors-02
Mohit Sethi <mohit.m.sethi@ericsson.com> Thu, 09 March 2017 13:06 UTC
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: lwip@ietfa.amsl.com
Delivered-To: lwip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1929D129572 for <lwip@ietfa.amsl.com>; Thu, 9 Mar 2017 05:06:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XQzZ5L12zVjg for <lwip@ietfa.amsl.com>; Thu, 9 Mar 2017 05:06:43 -0800 (PST)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D7DE12954C for <lwip@ietf.org>; Thu, 9 Mar 2017 05:06:42 -0800 (PST)
X-AuditID: c1b4fb30-45bff70000007a5b-c9-58c15361c3f4
Received: from ESESSHC016.ericsson.se (Unknown_Domain [153.88.183.66]) by (Symantec Mail Security) with SMTP id 99.92.31323.16351C85; Thu, 9 Mar 2017 14:06:41 +0100 (CET)
Received: from nomadiclab.lmf.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.68) with Microsoft SMTP Server id 14.3.319.2; Thu, 9 Mar 2017 14:06:40 +0100
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 53BEE4EE5E; Thu, 9 Mar 2017 15:08:29 +0200 (EET)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id D7FC74E94F; Thu, 9 Mar 2017 15:08:28 +0200 (EET)
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Zhen Cao <zhencao.ietf@gmail.com>
References: <CAFxP68yE9=FWVPGk+qPxJQOA-EcHRydeenmubkdNjWBc_7m=9A@mail.gmail.com> <13016_1488648631_58BAF9B6_13016_315_1_CAO0Djp0ritf6Qs97x=_J_MoHacTyoDFhifeaJ0KwEfRSvzK+FA@mail.gmail.com> <2697af18598c4ad6a8f5d4d4bdd093c9@aalto.fi> <b7961d7c-b8ea-10d0-4018-184786d93dca@gmx.net> <CAFxP68wdi9fL_X7c0mkGL_jKFjfTOfGZ4FyZdq-8_wb-KLN3ow@mail.gmail.com> <a050048a-4702-51b6-2225-52f348c992a4@gmx.net>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <7d3e794d-e343-b1a1-8413-916bb2ad251d@ericsson.com>
Date: Thu, 09 Mar 2017 15:06:39 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <a050048a-4702-51b6-2225-52f348c992a4@gmx.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrELMWRmVeSWpSXmKPExsUyM2K7k25i8MEIg7VNyhZLd95jtZi3T9hi +t4/jA7MHjtn3WX3WLxpP5vHkiU/mQKYo7hsUlJzMstSi/TtErgyHlx8z17wLrSiuf0qWwPj VocuRk4OCQETidu357KA2EIC6xgl/q6J6GLkArK3MkrMP/GdGcJZyyix+88WVghnHqPEkWuX GEFahAXsJPYtucEEYosIhEms3/KCHaJoCrPEpI+b2UESzALKEh86ZoDZbAJ6Ep3njjOD2LwC 9hLzGveDxVkEVCSa5n8Cu0NUIEJi/tNVTBA1ghInZz4Bi3MKWEvsf/sOqJcDaKa9xIOtZRDj 5SW2v53DDPGOmsTVc5uYId5Rl9jacYBxAqPwLCSTZiF0z0LSvYCReRWjaHFqcVJuupGRXmpR ZnJxcX6eXl5qySZGYMgf3PLbYAfjy+eOhxgFOBiVeHgLZA5ECLEmlhVX5h5ilOBgVhLhrQk6 GCHEm5JYWZValB9fVJqTWnyIUZqDRUmc12zl/XAhgfTEktTs1NSC1CKYLBMHp1QD4yQbtgMn HHXD5wQfW/rf5vZsX7328lC/sIyOU5sy2pk2Pp/zJnyTGI/XzqxaN8GNJzPSOmYotkb6vZh/ 1NegMLJxWoJMkpCeU4Xry5mP/69KXrOJbXos1855a5MnSgYu6fQyunSB3Xlr/JrXbjMcDOR3 fg3L8lt5mHfp2UD9FZck250S5d6FKLEUZyQaajEXFScCADyvrTp1AgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/MRW45IqAC_pj4-rCEPJXwWX0npA>
Cc: "lwip@ietf.org" <lwip@ietf.org>
Subject: Re: [Lwip] WGLC for draft-ietf-lwig-crypto-sensors-02
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Lightweight IP stack <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 13:06:45 -0000
Hi Hannes I had refrained from responding earlier because there was an ongoing discussion about this draft within the IoT directorate. I wanted to wait for it to conclude before responding. But in any case, here is my response: This is how you want to solve the IoT security problem: Use ARM chips -> Run the mbed OS -> Use TLS/DTLS only for security -> add Trustzone based attestation for some extra features. Since we already have these tools in place, IoT security is solved and we should all move on. Unfortunately, while you may choose to close your eyes and ignore reality, others can't. The fact is that other platforms/protocols/OS exist, are needed and are used by folks out there. At no point do we suggest in the draft that using bad curves and small key sizes is good. In fact, I have said it earlier and I say it again, I am totally ok with removing the numbers for RSA key sizes less than 2048-bits. Recently in the ACE working group (for which you are co-chair) there was a suggestion from M St. Johns that 1024-bit RSA might perform better than ECDSA at similar security levels: https://mailarchive.ietf.org/arch/msg/ace/znba10pRL5c3D1aa9_azz9uyeAM. The numbers in our draft came in handy to show that it is not the case on the platform tested. The numbers are in the draft only for reference (and can be removed). At no point is it suggested that you shouldn't do software updates for your IoT devices. In fact this draft is talking about public-key crypto on IoT devices. You would typically use some signature verification for firmware and software updates. If I write a draft on performance of HTTP, would you ask me whether my machine had software updates or not? The draft does not try to build a product. At least not this draft. The draft also clearly recommends you to choose a 32-bit platform. We simply show that if you can do public-key crypto on an 8-bit platform, you can do it much faster and more efficiently on a 32-bit platform: > A recent trend in microcontrollers > is the introduction of 32-bit CPUs that are becoming cheaper and more > easily available than 8-bit CPUs, in addition to being more easily > programmable. I am fine with removing the numbers that you don't like. But in principle I like drafts that actually implement something than the other high-level so-called "guidance" documents. Regarding the stack, the draft does say that we use an ATmega2560 board, on which we implement message signing with public-key cryptography, CoAP, DHCP, UDP, IP, Ethernet. Yes, all this in less than 8 kB of RAM. And no, we don't say that this is enough for a real product. You would need more memory in a real product because you will have other things such as software updates etc. and other favorite features. If you have suggestions on how the text can be rephrased better, I am more than open to feedback. Thanks Mohit On 03/09/2017 01:21 PM, Hannes Tschofenig wrote: > Hi Zhen, > > thanks for the quick response. > > Here is how I read the document: Many years ago we played around with > some hardware, which happened to be in the office. We ran some security > tests and the results for state-of-the-art crypto was extremely slow. > Hence, we added other performance measurements using key length that > nobody would be able to use. Then, it looked much better. > > All security recommendations I have read suggest to use 112-bits+ keys > for modern implementations. > > Regarding your question: > >> Is this 112 bits of symmetric encryption mandatory for even tiny >> devices? > A clear "yes" also for tiny IoT devices. > > What I am still missing is a response to my question about the actual > software stack being used on that device. > > Ciao > Hannes > > On 03/09/2017 11:02 AM, Zhen Cao wrote: >> Hi Hannes, >> >> Thanks for the frank points, which are helpful to make documents more >> impactful. Please see my discussion in-line. >> >> On Mon, Mar 6, 2017 at 9:36 PM, Hannes Tschofenig >> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote: >> >> Hi all, >> >> as I mentioned in the past I consider this document problematic. >> >> The selected hardware gives the impression that IoT devices need very >> low requirements. This gives inexperienced readers the wrong impression. >> >> >> I do not think this leads to any incorrect impressions. It clearly >> states the platform that this work has been carried out, and by informed >> selection of crypto libraries, security functions can be enabled on such >> IoT devices. It's much better than the other opposite impression that >> security is costly and could be avoid as far as we can. >> >> >> At no point in the document it explains why a typical software stack >> required for an IoT device would fit on hardware that has 2 kB of SRAM, >> and 32 kB of flash memory. What did you put on that device? (CoAP, DTLS, >> Resource Directory, SENML -- protocol talk about in Section 9) I suspect >> that there is no firmware update mechanism in place, which is a >> typically demanded feature for IoT devices in order to address bugs. >> >> Other IETF publications recommend key sizes of at least 112 bits >> (symmetric). Here is the relevant table from RFC 4492: >> >> >> Is this 112 bits of symmetric encryption mandatory for even tiny >> devices? If this is only a recommended value, we can encourage the >> contributors to generate some reference benchmarks for longer asymmetric >> key values. >> >> >> >> Symmetric | ECC | DH/DSA/RSA >> ------------+---------+------------- >> 80 | 163 | 1024 >> 112 | 233 | 2048 >> 128 | 283 | 3072 >> 192 | 409 | 7680 >> 256 | 571 | 15360 >> >> The document, however, describes RSA key sizes of 64, 128, 512 and 2014 >> bits! It makes no sense to illustrate performance, and memory >> requirements of key sizes that shouldn't be used in today's IoT >> hardware. >> >> The document says that it describes smart object implementation >> experience but clearly this is far away from real world product >> experience. The need for a random number generator is essentially >> missing and a reference to a software library does not help either. >> >> I believe you have started with some hardware and then created the >> software & performance measurements. The recommended approach is, >> however, to first think about security and the requirements and >> subsequently think about what hardware supports the security >> requirements and therefore mitigates the threats. >> >> >> The recommended approach is definitely right for any product design. >> But considering the various requirements with different security needs, >> it is pretty hard to cover all of them in one draft. How about to also >> include some discussion of the limitations of doing this in other >> scenarios that may break security. >> >> >> >> The document references several work in progress specifications. Also >> the pointers to specifications like HIP or IPsec for use with IoT >> devices is misleading since they are not reflecting industry practice. >> They are at best university research projects. >> >> >> Thanks for checking this. I think Mohit can try to figure out and >> change these inappropriate citations . >> >> Will wait for @Mohit's response anyway. >> >> Best regards, >> Zhen >> >> >> Ciao >> Hannes >> >> >> On 03/06/2017 10:35 AM, Mudugodu Seetarama Raghavendra wrote: >> > +1 >> > >> > >> > Regards, >> > >> > Raghavendra >> > >> > >> > >> > >> ------------------------------------------------------------------------ >> > *From:* Lwip <lwip-bounces@ietf.org >> <mailto:lwip-bounces@ietf.org>> on behalf of Rahul Jadhav >> > <rahul.ietf@gmail.com <mailto:rahul.ietf@gmail.com>> >> > *Sent:* Saturday, March 4, 2017 7:30 PM >> > *To:* lwip@ietf.org <mailto:lwip@ietf.org> >> > *Subject:* Re: [Lwip] WGLC for draft-ietf-lwig-crypto-sensors-02 >> > >> > The draft provides useful information to implementors about different >> > challenges related to security aspects especially towards using low-end >> > hardware. The deployment model described with the experiences will prove >> > helpful to implementors. Will be helpful to take this work forward. >> > >> > Regards, >> > Rahul >> > >> > On 22 February 2017 at 08:45, Zhen Cao <zhencao.ietf@gmail.com <mailto:zhencao.ietf@gmail.com> >> > <mailto:zhencao.ietf@gmail.com <mailto:zhencao.ietf@gmail.com>>> wrote: >> > >> > Hello everyone, >> > >> > This email starts the WGLC for draft-ietf-lwig-crypto-sensors-02 >> > (https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-02 >> <https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-02> >> > <https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-02 >> <https://tools.ietf.org/html/draft-ietf-lwig-crypto-sensors-02>>) >> > >> > Could you help review the document and send your comments to the >> > mailing list. Thank you in advance. >> > >> > The WGLC will end in two weeks from now. >> > >> > BR, >> > Zhen >> > >> > _______________________________________________ >> > Lwip mailing list >> > Lwip@ietf.org <mailto:Lwip@ietf.org> <mailto:Lwip@ietf.org >> <mailto:Lwip@ietf.org>> >> > https://www.ietf.org/mailman/listinfo/lwip >> <https://www.ietf.org/mailman/listinfo/lwip> >> > <https://www.ietf.org/mailman/listinfo/lwip >> <https://www.ietf.org/mailman/listinfo/lwip>> >> > >> > >> > >> > >> > _______________________________________________ >> > Lwip mailing list >> > Lwip@ietf.org <mailto:Lwip@ietf.org> >> > https://www.ietf.org/mailman/listinfo/lwip >> <https://www.ietf.org/mailman/listinfo/lwip> >> > >> >> >> _______________________________________________ >> Lwip mailing list >> Lwip@ietf.org <mailto:Lwip@ietf.org> >> https://www.ietf.org/mailman/listinfo/lwip >> <https://www.ietf.org/mailman/listinfo/lwip> >> >> > > > _______________________________________________ > Lwip mailing list > Lwip@ietf.org > https://www.ietf.org/mailman/listinfo/lwip
- [Lwip] WGLC for draft-ietf-lwig-crypto-sensors-02 Zhen Cao
- Re: [Lwip] WGLC for draft-ietf-lwig-crypto-sensor… Rahul Jadhav
- Re: [Lwip] WGLC for draft-ietf-lwig-crypto-sensor… Mudugodu Seetarama Raghavendra
- Re: [Lwip] WGLC for draft-ietf-lwig-crypto-sensor… Hannes Tschofenig
- Re: [Lwip] WGLC for draft-ietf-lwig-crypto-sensor… Zhen Cao
- Re: [Lwip] WGLC for draft-ietf-lwig-crypto-sensor… Hannes Tschofenig
- Re: [Lwip] WGLC for draft-ietf-lwig-crypto-sensor… Mohit Sethi