From: Jim Schaad <ietf@augustcellars.com>
To: 'John Mattsson' <john.mattsson@ericsson.com>, <ace@ietf.org>,
 <lwip@ietf.org>
CC: 'Benjamin Kaduk' <kaduk@mit.edu>, <salvador.p.f@um.es>
Date: Wed, 21 Nov 2018 07:24:46 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/fXg47NTE7zLU5ur_UE1iWmJAafY>
Subject: Re: [Lwip] [Ace] EDHOC standardization

John,

In the analysis that I did I very deliberately used TLS not DTLS.  The
main reason for using DTLS is because one is operating in the UDP
environment and one cannot have reliable in order delivery.  Since EDHOC
is being built on top of CoAP, one can use CoAP to create reliable in
order delivery.  Thus the extra bytes that DTLS has to deal with this
are not needed.

Jim


> -----Original Message-----
> From: Ace <ace-bounces@ietf.org> On Behalf Of John Mattsson
> Sent: Wednesday, November 21, 2018 7:03 AM
> To: ace@ietf.org; lwip@ietf.org
> Cc: Benjamin Kaduk <kaduk@mit.edu>; salvador.p.f@um.es
> Subject: Re: [Ace] EDHOC standardization
>
> Hi all,
>
> Inspired by the discussion in this thread, I did more detailed calculations
> of the number of bytes when DTLS 1.3 is used for typical IoT use cases (PSK,
> RPK, Connection ID). The plan is to add this information to
> draft-ietf-lwig-security-protocol-comparison as this has been requested by
> several people. I think some bytes were missing in the earlier estimates for
> TLS 1.3, and as Ben commented, DTLS 1.3 adds some bytes compared to TLS 1.3.
>
> ==============================================================================
> Flight                                #1         #2        #3       Total
> ------------------------------------------------------------------------------
> DTLS 1.3 RPK + ECDHE                 149        373       213        735
> DTLS 1.3 PSK + ECDHE                 186        190        57        433
> DTLS 1.3 PSK                         136        150        57        343
> ------------------------------------------------------------------------------
> EDHOC    RPK + ECDHE                  38        121        86        245
> EDHOC    PSK + ECDHE                  43         47        12        102
> ==============================================================================
>                                  Number of bytes
>
> Assumptions:
> - Minimum number of algorithms and cipher suites offered
> - Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256
> - Length of key identifiers: 4 bytes
> - Connection identifiers: 1 byte
> - The DTLS RPKs use point compression (saves 32 bytes)
> - No DTLS handshake message fragmentation
> - Only mandatory DTLS extensions, except for connection ID
> - Version 30 https://tools.ietf.org/html/draft-ietf-tls-dtls13-30
>
> (EDHOC numbers are for the soon to be published -11 version with cipher
> suites)
>
> I hope this information is useful for people. Please comment if I missed
> something or if you have any suggestion of things to add or how to present
> things. I do not know currently how these numbers compare to DTLS 1.2.
>
> Below is detailed information about where the bytes are in the different
> flights, as well as the RPKs (SubjectPublicKeyInfo). Most of the bytes should
> have the correct value, but most of the length fields are just written as
> LL LL LL. Below is also information about how resumption, cached information
> [RFC 7924], and not using Connection ID affects the number of bytes.
>
>
> ======================================================
> DTLS 1.3 Flight #1 RPK + ECDHE
> ======================================================
>
> Record Header - DTLSPlaintext (13 bytes)
> 16 fe fd EE EE SS SS SS SS SS SS LL LL
>
> 	Handshake Header - Client Hello (10 bytes)
> 	01 LL LL LL SS SS 00 00 00 LL LL LL
>
> 		Legacy Version (2 bytes)
> 		fe fd
>
> 		Client Random (32 bytes)
> 		00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
>
> 		Legacy Session ID (1 byte)
> 		00
>
> 		Cipher Suites (TLS_AES_128_CCM_8_SHA256) (4 bytes)
> 		00 02 13 05
>
> 		Compression Methods (null) (2 bytes)
> 		01 00
>
> 		Extensions Length (2 bytes)
> 		LL LL
>
> 			Extension - Supported Groups (x25519) (8 bytes)
> 			00 0a 00 04 00 02 00 1d
>
> 			Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes)
> 			00 0d 00 04 00 02 08 07
>
> 			Extension - Key Share (42 bytes)
> 			00 33 00 26 00 24 00 1d 00 20
> 			00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
>
> 			Extension - Supported Versions (1.3) (7 bytes)
> 			00 2b 00 03 02 03 04
>
> 			Extension - Client Certificate Type (Raw Public Key) (6 bytes)
> 			00 13 00 01 01 02
>
> 			Extension - Server Certificate Type (Raw Public Key) (6 bytes)
> 			00 14 00 01 01 02
>
> 			Extension - Connection Identifier (43) (6 bytes)
> 			XX XX 00 02 01 42
>
> 13 + 10 + 2 + 32 + 1 + 4 + 2 + 2 + 8 + 8 + 42 + 7 + 6 + 6 + 6 = 149 bytes
>
> ------------------------------------------------------
> DTLS 1.3 Flight #1 PSK + ECDHE
> ------------------------------------------------------
>
> Differences compared to RPK + ECDHE
>
> + Extension - PSK Key Exchange Modes (6 bytes)
>   00 2d 00 02 01 01
>
> + Extension - Pre Shared Key (51 bytes)
>   00 29 00 2F
>   00 0a 00 04 ID ID ID ID 00 00 00 00
>   00 21 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
>
> - Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes)
>
> - Extension - Client Certificate Type (Raw Public Key) (6 bytes)
>
> - Extension - Server Certificate Type (Raw Public Key) (6 bytes)
>
> 149 + 6 + 51 - 8 - 6 - 6 = 186 bytes
>
> ------------------------------------------------------
> DTLS 1.3 Flight #1 PSK
> ------------------------------------------------------
>
> Differences compared to PSK + ECDHE
>
> - Extension - Supported Groups (x25519) (8 bytes)
>
> - Extension - Key Share (42 bytes)
>
> 186 - 8 - 42 = 136 bytes
>
>
> ======================================================
> DTLS 1.3 Flight #2  RPK + ECDHE
> ======================================================
>
> Record Header - DTLSPlaintext (13 bytes)
> 16 fe fd EE EE SS SS SS SS SS SS LL LL
>
> 	Handshake Header - Server Hello (10 bytes)
> 	02 LL LL LL SS SS 00 00 00 LL LL LL
>
> 		Legacy Version (2 bytes)
> 		fe fd
>
> 		Server Random (32 bytes)
> 		00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
>
> 		Legacy Session ID (1 byte)
> 		00
>
> 		Cipher Suite (TLS_AES_128_CCM_8_SHA256) (2 bytes)
> 		13 05
>
> 		Compression Method (null) (1 byte)
> 		00
>
> 		Extensions Length (2 bytes)
> 		LL LL
>
> 			Extension - Key Share (40 bytes)
> 			00 33 00 24 00 1d 00 20
> 			00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
>
> 			Extension - Supported Versions (1.3) (6 bytes)
> 			00 2b 00 02 03 04
>
> 			Extension - Connection Identifier (43) (6 bytes)
> 			XX XX 00 02 01 43
>
> Record Header - DTLSCiphertext, Full (6 bytes)
> HH ES SS 43 LL LL
>
> 	Handshake Header - Encrypted Extensions (10 bytes)
> 	08 LL LL LL SS SS 00 00 00 LL LL LL
>
> 		Extensions Length (2 bytes)
> 		LL LL
>
> 			Extension - Client Certificate Type (Raw Public Key) (6 bytes)
> 			00 13 00 01 01 02
>
> 			Extension - Server Certificate Type (Raw Public Key) (6 bytes)
> 			00 14 00 01 01 02
>
> 	Handshake Header - Certificate Request (10 bytes)
> 	0d LL LL LL SS SS 00 00 00 LL LL LL
>
> 		Request Context (1 byte)
> 		00
>
> 		Extensions Length (2 bytes)
> 		LL LL
>
> 			Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes)
> 			00 0d 00 04 00 02 08 07
>
> 	Handshake Header - Certificate (10 bytes)
> 	0b LL LL LL SS SS 00 00 00 LL LL LL
>
> 		Request Context (1 byte)
> 		00
>
> 		Certificate List Length (3 bytes)
> 		LL LL LL
>
> 		Certificate Length (3 bytes)
> 		LL LL LL
>
> 		Certificate (59 bytes) // Point compression
> 		....
>
> 		Certificate Extensions (2 bytes)
> 		00 00
>
> 	Handshake Header - Certificate Verify (10 bytes)
> 	0f LL LL LL SS SS 00 00 00 LL LL LL
>
> 		Signature  (68 bytes)
> 		ZZ ZZ 00 40 ....
>
> 	Handshake Header - Finished (10 bytes)
> 	14 LL LL LL SS SS 00 00 00 LL LL LL
>
> 		Verify Data (32 bytes)
> 		00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
>
> 	Record Type (1 byte)
> 	16
>
> Auth Tag (8 bytes)
> e0 8b 0e 45 5a 35 0a e5
>
> 13 + 102 + 6 + 24 + 21 + 78 + 78 + 42 + 1 + 8 = 373 bytes
>
> ------------------------------------------------------
> DTLS 1.3 Flight #2 PSK + ECDHE
> ------------------------------------------------------
>
> Differences compared to RPK + ECDHE
>
> - Handshake Message Certificate (78 bytes)
>
> - Handshake Message CertificateVerify (78 bytes)
>
> - Handshake Message CertificateRequest (21 bytes)
>
> - Extension - Client Certificate Type (Raw Public Key) (6 bytes)
>
> - Extension - Server Certificate Type (Raw Public Key) (6 bytes)
>
> + Extension - Pre Shared Key (6 bytes)
>   00 29 00 02 00 00
>
> 373 - 78 - 78 - 21 - 6 - 6  + 6 = 190 bytes
>
> ------------------------------------------------------
> DTLS 1.3 Flight #2 PSK
> ------------------------------------------------------
>
> Differences compared to PSK + ECDHE
>
> - Extension - Key Share (40 bytes)
>
> 190 - 40 = 150 bytes
>
>
> ======================================================
> DTLS 1.3 Flight #3 RPK + ECDHE
> ======================================================
>
> Record Header (6 bytes) // DTLSCiphertext, Full
> ZZ ES SS 42 LL LL
>
> 	Handshake Header - Certificate (10 bytes)
> 	0b LL LL LL SS SS XX XX XX LL LL LL
>
> 		Request Context (1 byte)
> 		00
>
> 		Certificate List Length (3 bytes)
> 		LL LL LL
>
> 		Certificate Length (3 bytes)
> 		LL LL LL
>
> 		Certificate (59 bytes) // Point compression
> 		....
>
> 		Certificate Extensions (2 bytes)
> 		00 00
>
> 	Handshake Header - Certificate Verify (10 bytes)
> 	0f LL LL LL SS SS 00 00 00 LL LL LL
>
> 		Signature  (68 bytes)
> 		04 03 LL LL //ecdsa_secp256r1_sha256
> 		00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
> 		00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
>
> 	Handshake Header - Finished (10 bytes)
> 	14 LL LL LL SS SS 00 00 00 LL LL LL
>
> 		Verify Data (32 bytes) // SHA-256
> 		00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
>
> 	Record Type (1 byte)
> 	16
>
> Auth Tag (8 bytes) // AES-CCM_8
> 00 01 02 03 04 05 06 07
>
> 6 + 78 + 78 + 42 + 1 + 8 = 213 bytes
>
> ------------------------------------------------------
> DTLS 1.3 Flight #3 PSK + ECDHE
> -----------------------------------------------------
>
> Differences compared to RPK + ECDHE
>
> - Handshake Message Certificate (78 bytes)
>
> - Handshake Message Certificate Verify (78 bytes)
>
> 213 - 78 - 78 = 57 bytes
>
> ------------------------------------------------------
> DTLS 1.3 Flight #3 PSK
> -----------------------------------------------------
>
> Differences compared to PSK + ECDHE
>
> None
>
> 57 bytes
>
>
> ======================================================
> DTLS 1.3 - Cached information [RFC 7924]
> ======================================================
>
> - Cached information together with server X.509 can be used to move bytes
>   from flight #2 to flight #1
>   (cached RPK increases the number of bytes compared to cached X.509)
>
> Differences compared to RPK + ECDHE
>
> Flight #1
>
> - Extension - Server Certificate Type (Raw Public Key) (6 bytes)
>
> + Extension - Client Cached Information (39 bytes)
>   00 19 LL LL LL LL
>   01 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
>
> 149 + 33 = 182 bytes
>
> Flight #2
>
> - Extension - Server Certificate Type (Raw Public Key) (6 bytes)
>
> + Extension - Server Cached Information (7 bytes)
>   00 19 LL LL LL LL 01
>
> - Server Certificate (59 bytes -> 32 bytes)
>
> 373 - 26 = 347 bytes
>
> ==============================================================================
> Flight                                #1         #2        #3       Total
> ------------------------------------------------------------------------------
> DTLS 1.3 Cached X.509/RPK + ECDHE    182        347       213        742
> DTLS 1.3 RPK + ECDHE                 149        373       213        735
> ==============================================================================
>
>
> ======================================================
> DTLS 1.3 - Resumption
> ======================================================
>
> To enable resumption, a 4th flight (New Session Ticket) is added
>
> Flight #4 - New Session Ticket
>
> Record Header - DTLSCiphertext, Full (6 bytes)
> HH ES SS 43 LL LL
>
> 	Handshake Header - New Session Ticket (10 bytes)
> 	04 LL LL LL SS SS 00 00 00 LL LL LL
>
> 		Ticket Lifetime (4 bytes)
> 		00 01 02 03
>
> 		Ticket Age Add (4 bytes)
> 		00 01 02 03
>
> 		Ticket Nonce (2 bytes)
> 		01 00
>
> 		Ticket (6 bytes)
> 		00 04 ID ID ID ID
>
> 		Extensions (2 bytes)
> 		00 00
>
> Auth Tag (8 bytes) // AES-CCM_8
> 00 01 02 03 04 05 06 07
>
> 6 + 10 + 4 + 4 + 2 + 6 + 2 + 8 = 42 bytes
>
> The resumption handshake is just a PSK handshake with 136 + 150 + 57 = 343
> bytes
>
> ==============================================================================
> Flight                                      #1     #2     #3     #4    Total
> ------------------------------------------------------------------------------
> DTLS 1.3 RPK + ECDHE + NewSessionTicket    149    373    213     42      777
> DTLS 1.3 PSK (resumption)                  136    150     57             343
> ==============================================================================
>
>
> ======================================================
> DTLS 1.3 - Connection ID
> ======================================================
>
> Without a Connection ID the DTLS 1.3 flight sizes change as follows
>
> DTLS 1.3 Flight #1:   -6 bytes
> DTLS 1.3 Flight #2:   -7 bytes
> DTLS 1.3 Flight #3:   -1 byte
>
> ==============================================================================
> Flight                                #1         #2        #3       Total
> ------------------------------------------------------------------------------
> DTLS 1.3 RPK + ECDHE (no cid)        143        364       212        721
> DTLS 1.3 PSK + ECDHE (no cid)        180        183        56        419
> DTLS 1.3 PSK (no cid)                130        143        56        329
> ==============================================================================
>
>
> ======================================================
> DTLS Raw Public Keys
> ======================================================
>
> SubjectPublicKeyInfo without point compression
> -----------------------------------------------------
>
> 0x30 // Sequence
> 0x59 // Size 89
>
> 0x30 // Sequence
> 0x13 // Size 19
> 0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01      // OID 1.2.840.10045.2.1 (ecPublicKey)
> 0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07 // OID 1.2.840.10045.3.1.7 (secp256r1)
>
> 0x03 // Bit string
> 0x42 // Size 66
> 0x00 // Unused bits 0
> 0x04 // Uncompressed
> ...... 64 bytes X and Y
>
> Total of 91 bytes
>
> SubjectPublicKeyInfo with point compression
> -----------------------------------------------------
>
> 0x30 // Sequence
> 0x59 // Size 89
>
> 0x30 // Sequence
> 0x13 // Size 19
> 0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01      // OID 1.2.840.10045.2.1 (ecPublicKey)
> 0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07 // OID 1.2.840.10045.3.1.7 (secp256r1)
>
> 0x03 // Bit string
> 0x42 // Size 66
> 0x00 // Unused bits 0
> 0x03 // Compressed
> ...... 32 bytes X
>
> Total of 59 bytes
>
>
> ======================================================
> Helpful Sources of Information
> ======================================================
>
> In addition to relevant RFCs and the estimates done by Jim, the following
> references were helpful:
>
> Every Byte Explained: The Illustrated TLS 1.3 Connection
> https://tls13.ulfheim.net/
>
> Digital Certificates for the Internet of Things
> https://kth.diva-portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf
>
> /John
>
>
> -----Original Message-----
> From: Benjamin Kaduk <kaduk@mit.edu>
> Date: Saturday, 3 November 2018 at 15:59
> To: John Mattsson <john.mattsson@ericsson.com>
> Cc: "salvador.p.f@um.es" <salvador.p.f@um.es>, "ace@ietf.org"
> <ace@ietf.org>
> Subject: Re: [Ace] EDHOC standardization
>
> On Fri, Nov 02, 2018 at 02:55:54PM +0000, John Mattsson wrote:
> > Hi Benjamin, Salvador
> >
> > While DTLS 1.3 has done a very good job of lowering the overhead of the
> > record layer when application data is sent (see e.g.
> > https://tools.ietf.org/html/draft-ietf-lwig-security-protocol-comparison-01
> > for a comparison between different protocols), I do not think the handshake
> > protocol is much leaner (is it leaner at all?).
>
> (There are some handshake messages that are removed entirely.)
>
> > We tried to make a fair comparison between EDHOC and TLS 1.3 in the
> > presentation at IETF 101 (see
> > https://datatracker.ietf.org/meeting/101/materials/slides-101-ace-key-exchange-w-oscore-00).
> > Since then, we have significantly optimized the encoding in EDHOC and the
> > upcoming version (-11) is expected to have the following message sizes.
> >
> >    Auth.               PSK       RPK       x5t     x5chain
> >    --------------------------------------------------------------------
> >    EDHOC message_1      43        38        38        38
> >    EDHOC message_2      47       121       127       117 + Certificate chain
> >    EDHOC message_3      12        86        92        82 + Certificate chain
> >    --------------------------------------------------------------------
> >    Total               102       245       257       237 + Certificate chains
> >
> > As Salvador writes, the handshakes in TLS 1.3 and DTLS 1.3 are basically
> > the same, so the numbers presented at IETF 101 should be a good estimate
> > also for DTLS 1.3.
> >
> >    Auth.                PSK       RPK
> >    --------------------------------------------------------------------
> >    (D)TLS message_1     142       107
> >    (D)TLS message_2     135       264
> >    (D)TLS message_3      51       167
> >    --------------------------------------------------------------------
> >    Total                328       538
>
> Thanks for the numbers!
>
> > The numbers above include ECDHE. For handshake messages, my understanding
> > is that the DTLS 1.3 and TLS 1.3 record layer have exactly the same size.
>
> The DTLS 1.3 ones will be worse, due to the epoch and sequence number fields.
>
> -Ben
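
Added example, not part of the original message: a Python cross-check that rebuilds each row of the quoted DTLS 1.3 tables from the per-item sizes and "Differences compared to" lists in John's breakdown, and lists any cell that does not follow from them. The variable and function names are made up for this example; every size is the message's own figure, not a measurement.

```python
# Added cross-check, not code from the thread. Sizes are the per-item byte
# counts stated in the quoted breakdown, not measurements of a DTLS stack.
HS = 10  # handshake header size as counted in the message

FLIGHT_RPK = {  # RPK + ECDHE, items in the order the message lists them
    1: [13, HS, 2, 32, 1, 4, 2, 2,   # record header, ClientHello fixed fields
        8, 8, 42, 7, 6, 6, 6],       # extensions (connection id last)
    2: [13,                                        # DTLSPlaintext header
        HS + 2 + 32 + 1 + 2 + 1 + 2 + 40 + 6 + 6,  # ServerHello
        6,                                         # DTLSCiphertext header
        HS + 2 + 6 + 6,                            # EncryptedExtensions
        HS + 1 + 2 + 8,                            # CertificateRequest
        HS + 1 + 3 + 3 + 59 + 2,                   # Certificate
        HS + 68,                                   # CertificateVerify
        HS + 32,                                   # Finished
        1, 8],                                     # record type, auth tag
    3: [6, HS + 1 + 3 + 3 + 59 + 2, HS + 68, HS + 32, 1, 8],
}
# The "Differences compared to ..." lists, per flight.
PSK_ECDHE_DELTA = {1: [+6, +51, -8, -6, -6],
                   2: [-78, -78, -21, -6, -6, +6],
                   3: [-78, -78]}
PSK_DELTA = {1: [-8, -42], 2: [-40], 3: []}
NO_CID_DELTA = {1: -6, 2: -7, 3: -1}
CACHED_DELTA = {1: -6 + 39, 2: -6 + 7 - (59 - 32), 3: 0}
TICKET_FLIGHT = [6, HS, 4, 4, 2, 6, 2, 8]  # flight #4, New Session Ticket
FLIGHTS = (1, 2, 3)

# Summary tables as printed in the message: per-flight cells, then the total.
REPORTED = {
    "RPK + ECDHE": ([149, 373, 213], 735),
    "PSK + ECDHE": ([186, 190, 57], 433),
    "PSK": ([136, 150, 57], 343),
    "Cached X.509/RPK + ECDHE": ([182, 347, 213], 742),
    "RPK + ECDHE + NewSessionTicket": ([149, 373, 213, 42], 777),
    "RPK + ECDHE (no cid)": ([143, 364, 212], 721),
    "PSK + ECDHE (no cid)": ([180, 183, 56], 419),
    "PSK (no cid)": ([130, 143, 56], 329),
}


def derive():
    """Rebuild every table row from the itemised sizes and the deltas."""
    rpk = {f: sum(FLIGHT_RPK[f]) for f in FLIGHTS}
    psk_ecdhe = {f: rpk[f] + sum(PSK_ECDHE_DELTA[f]) for f in FLIGHTS}
    psk = {f: psk_ecdhe[f] + sum(PSK_DELTA[f]) for f in FLIGHTS}
    base = {"RPK + ECDHE": rpk, "PSK + ECDHE": psk_ecdhe, "PSK": psk}
    rows = {}
    for name, sizes in base.items():
        rows[name] = [sizes[f] for f in FLIGHTS]
        rows[name + " (no cid)"] = [sizes[f] + NO_CID_DELTA[f] for f in FLIGHTS]
    rows["Cached X.509/RPK + ECDHE"] = [rpk[f] + CACHED_DELTA[f] for f in FLIGHTS]
    rows["RPK + ECDHE + NewSessionTicket"] = rows["RPK + ECDHE"] + [sum(TICKET_FLIGHT)]
    return rows


def check():
    """Return (row, column, reported, derived) for every cell that differs."""
    findings = []
    derived = derive()
    for row, (cells, total) in REPORTED.items():
        for i, (got, want) in enumerate(zip(cells, derived[row]), start=1):
            if got != want:
                findings.append((row, f"flight #{i}", got, want))
        if total != sum(derived[row]):
            findings.append((row, "total", total, sum(derived[row])))
    return findings


if __name__ == "__main__":
    for finding in check():
        print("%s, %s: table says %d, itemised sizes give %d" % finding)
```

Run on the figures above, it reports one cell: flight #2 of the "RPK + ECDHE (no cid)" row, tabulated as 364 where 373 - 7 gives 366; the row total of 721 agrees with 366.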

