Re: [Lwip] [Ace] EDHOC standardization
John Mattsson <john.mattsson@ericsson.com> Wed, 21 November 2018 15:28 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: lwip@ietfa.amsl.com
Delivered-To: lwip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9763128AFB for <lwip@ietfa.amsl.com>; Wed, 21 Nov 2018 07:28:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.861
X-Spam-Level:
X-Spam-Status: No, score=-3.861 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=E+7a40RE; dkim=pass (1024-bit key) header.d=ericsson.com header.b=IJu5wRX3
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e_oC-3FXPsAd for <lwip@ietfa.amsl.com>; Wed, 21 Nov 2018 07:28:31 -0800 (PST)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E0C512426E for <lwip@ietf.org>; Wed, 21 Nov 2018 07:28:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1542814109; x=1545406109; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=RW4Fdckdy30OxaRfVdSKqL7EJqQRphDBvXnqLg6OwVo=; b=E+7a40RE7e9AMAQtKxdD/KOD1eGDpKQbC/FuQJXTcNrBspDkEFeAhi7xPcYqERG3 7OCrXCSkQZiD6GjjHJnuVzFCy53EzWkmfLVuYv8l7qd0LiDz8zuRiEgZmr2lmFOz UI2YxJFxz927M4rUpYb7Dgmnnkebq3bWM1j055/xC7Y=;
X-AuditID: c1b4fb30-f2dff700000043c4-64-5bf5799dd3c8
Received: from ESESBMB505.ericsson.se (Unknown_Domain [153.88.183.118]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 00.4A.17348.D9975FB5; Wed, 21 Nov 2018 16:28:29 +0100 (CET)
Received: from ESESSMR504.ericsson.se (153.88.183.126) by ESESBMB505.ericsson.se (153.88.183.118) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 21 Nov 2018 16:28:28 +0100
Received: from ESESBMB503.ericsson.se (153.88.183.170) by ESESSMR504.ericsson.se (153.88.183.126) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 21 Nov 2018 16:28:27 +0100
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB503.ericsson.se (153.88.183.170) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Wed, 21 Nov 2018 16:28:27 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RW4Fdckdy30OxaRfVdSKqL7EJqQRphDBvXnqLg6OwVo=; b=IJu5wRX3ItYPUIy3F2cUPjFuilfX/bVQR6sqDkwQYVSxUA7ISA5U8mNJ5QN+W/IBh/3xlhtCr1xAcZG0ZjBf2naDFYkThHcMc7jfu9fYSugeYVt5Y3h8Yc9/v1vA+6SMIN2PG6of1Ckl9ogumgkM/ez4iVjoW/kdsGGaxUcch7s=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.166.22) by HE1PR07MB0940.eurprd07.prod.outlook.com (10.162.27.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1361.14; Wed, 21 Nov 2018 15:28:25 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::18ff:fb34:36ea:bd64]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::18ff:fb34:36ea:bd64%4]) with mapi id 15.20.1361.013; Wed, 21 Nov 2018 15:28:25 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "ace@ietf.org" <ace@ietf.org>, "lwip@ietf.org" <lwip@ietf.org>
CC: Benjamin Kaduk <kaduk@mit.edu>, "salvador.p.f@um.es" <salvador.p.f@um.es>
Thread-Topic: [Ace] EDHOC standardization
Thread-Index: AQHUcrwmx6N1o4AsH0uz6RMW3Bvpj6U+JgWAgBxb0gD///PTYIAAE0+A
Date: Wed, 21 Nov 2018 15:28:25 +0000
Message-ID: <70EF4B8F-BE24-474B-9877-0E2A11826561@ericsson.com>
References: <C79F1336-A297-4E64-AB32-2F5D474A200E@ericsson.com> <20181103145857.GG54966@kduck.kaduk.org> <7F78CC92-5C48-4BFC-8087-E25D4D95A74F@ericsson.com> <VI1PR0801MB21120B7A603F27BED75B4D9EFADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB21120B7A603F27BED75B4D9EFADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.11.0.180909
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [192.176.1.83]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1PR07MB0940; 6:D7r5YGBeUt483tz0s3auvTeSLtgEUJVGMrHkmWbsVtgd/QQ7Z2EKe6PkErSVsqBAjIUFMkOtHUBC4E64QbzMRc5sY77FfyW8WKt8aRECmA/UPOc5sAsv5S+lz9fs0CSZR91uPHxWcE+/d9gbAQjIM2nrTCtTmVNQ6wWQss753Q8MkvQCiDWTFZH4P1Leq9OAnYYJFP2W4Zu/NSlTzpzVSYtWfMscVeXJzIgHVmexKyCRrJsdUrqGDSY/wHX0U2fO4PLBnARp3VnO5joE9m1p8EnJOuqYh96KzCJj/7z23AJj8URKN9ULtHwFypXWNigdF7cCv54p4ywNEjaEdGHFAmX+ehMU0b1lX2NLVCPzSYo/eo4FkcpjS1/n0fiOlrgHVhgIVhhO5axHcA0Vvy9Uv7IQWTLwzD9/agBa5WZwFJ8lF4S1swL96JJ/GJbv96Nx9PbqAm9epKwQ0G8h1uJ7Tw==; 5:jhQc2NHLxovY6ffBdu+E1/z37z/H01pbGoqV5TKGq0WcLdV8qKGNZnyzcnCQbvifq0xhVNDCfRLWA5tfX//RoJCvVLzXwYrHl03glc324B7iJt6l4ku9Oh/1W7aQlXJmTRkwhAClgycTon5xQXwSD+Fey/SOo7BysUHfOyXbf/g=; 7:dPRsESmsKNJRkThfHk/hiE5t5Bi0OefOcVThC8mJfh68/cbDMmyyyXeV8qttB+3YNwK1U+gKzbS09slLFGy/53grGD7xv9IGnlLUcDWujZyF9he/D8Pw/1jGM5s4KXO680ysza9R5x52JUUxsjBJFQ==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 95362361-0cec-4aa7-3cb8-08d64fc5faf7
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390098)(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:HE1PR07MB0940;
x-ms-traffictypediagnostic: HE1PR07MB0940:
x-microsoft-antispam-prvs: <HE1PR07MB0940284494F9010F2B4661B189DA0@HE1PR07MB0940.eurprd07.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(10201501046)(93006095)(93001095)(3231442)(944501410)(52105112)(148016)(149066)(150057)(6041310)(20161123560045)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(201708071742011)(7699051)(76991095); SRVR:HE1PR07MB0940; BCL:0; PCL:0; RULEID:; SRVR:HE1PR07MB0940;
x-forefront-prvs: 08635C03D4
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(366004)(39860400002)(376002)(396003)(136003)(51914003)(40434004)(13464003)(189003)(199004)(53754006)(105586002)(478600001)(966005)(106356001)(5660300001)(2501003)(33656002)(25786009)(14454004)(97736004)(2201001)(86362001)(14444005)(5024004)(256004)(81156014)(53946003)(4326008)(53936002)(8676002)(44832011)(81166006)(2616005)(8936002)(6306002)(54906003)(93886005)(6512007)(82746002)(66066001)(6436002)(6116002)(2906002)(71200400001)(3846002)(71190400001)(83716004)(6246003)(53546011)(36756003)(486006)(6506007)(186003)(26005)(229853002)(110136005)(58126008)(102836004)(4744004)(6486002)(2900100001)(11346002)(76176011)(68736007)(476003)(316002)(7736002)(305945005)(446003)(99286004); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB0940; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: xk7zv3B/TuNxt98qHJU5mTTAG9Ze+4BPOfN0kPCsvR+Q9arkWbENCTENstyF4ne4TOwwBdRL1kZW/XCVfpUQ99DGBYjY4y/+Za8A2tK0AjQkaXew0IciB91J21klZGUkEH0FiQo71IGEpyjNfPbnQq/HoL5p1JQqlTXah64+cM3ERIEVV5UIOxhSqQMsRQK4z0mBHGsJ6bnh31CaMBs/ZjBfo7c0YKXtyPBoZRKh7+HLu2EnsHmAiDO/x00OPLLJFw9fmNlcr0B/S0KvrxoNe9aodWjeHUZT4tmxivQvbJNLLx2MMHjDox66EEYki+BCrE+MKTcEEg86Wf7FWEm4dd+OwR0Z5fUWHkAtdvPu9z4=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <760C23E733FA304AA73B4B699F7BC158@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 95362361-0cec-4aa7-3cb8-08d64fc5faf7
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Nov 2018 15:28:25.5912 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB0940
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Sa0hTYRjHe885285Wg7d5ezDCXEoqeckilkoXhBxRGfTBmKnNPKmp03ZU sgyl0rxVVk5zoZOYSaaYqWihI0Uxl5cSFRpC3kiXIPODigrWtrOgb7/n+f+fGzw0KXnHc6eT VZmMWqVMlfJFVPWVzmz/mpy16KDSpd2yjfUyUvbjpZGQNbRWE7Jag5PsQeOk4DRP3lTbhOR6 /SYhvz88QMpHzYXUJUohCktgUpOzGXXgyWuipKq1p2TGzBC6rZlaRvnoSz8qQUIa8DFon7Dw SpCIluB+BG2b26RNkOB1BO+fJ3CClQcMYwIu0BPQul6PbAGFy0kwjHchTnlBwM+VYpIL5hBU a9coWzM+DoKa7ny+jZ0xC4M1/YSNSXwBpjsK7B4n7AOtJR0CzuMLmqVVguOzMFKot29LYW/Y mp+z58X4FCw3bPG5YRsIRuor7QOEWAmPOod5NkbYFTaMTY5hbmBa0BHc2Rj03WMkxy5gnt+x +11wIOhmihy1MVBQUMXjPAdgWtMs4Hg/jOtK7ScDnuJD5ehjPif4g0WjcTS9ACbNgqPgGwLd ZCzHfmAuW3XkU2DGNMUvR0e1/+2nRbSVfaHlUyCHcjDVhXIOT6gonRVo7efvhaHqBaoO8RqR C8uw8WmJwcEBjDr5OsumqwJUTOYHZH2h3vbtoC5kXjzThzCNpHvEkdZ3kvCU2WxOWh8CmpQ6 i4sU1pQ4QZlzh1Gnx6mzUhm2D+2jKambWHaxTSHBicpMJoVhMhj1P5Wghe75KFKoenLv4PmQ bpVTau7qx0N5kTEBg/oZL+Mfn7E1MnIwfFoQ21K85OUb8d1I3KAuv3nV2zMRs+n8+fDNcz1+ iyFff23c4ilyoyzHmz3io81ZohOeYSttrOvv8AiDx87bUN9dK7NXk3RRli7C0JH3jFTF+Xmb Xq8+DFRW3M0RK4RSik1SHvEj1azyLyBMjB0+AwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/peu0UqW7eC6MvkIAKKw8wLs-MR0>
Subject: Re: [Lwip] [Ace] EDHOC standardization
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 15:28:36 -0000
Hi Hannes, Good point, detailed data for EDHOC is available in Appendix E of draft-selander-ace-cose-ecdhe-10. https://tools.ietf.org/html/draft-selander-ace-cose-ecdhe-10#page-40 The assumptions there are the same: - Minimum number of algorithms and cipher suites offered - Curve25519, AES-CCM_8, SHA-256, EdDSA (same signature size as ECDSA) - Length of key identifiers: 4 bytes - Connection identifiers: 1 byte draft-selander-ace-cose-ecdhe-11 will contain similar information but with cipher suites. Cheers, John -----Original Message----- From: Hannes Tschofenig <Hannes.Tschofenig@arm.com> Date: Wednesday, 21 November 2018 at 16:22 To: John Mattsson <john.mattsson@ericsson.com>, "ace@ietf.org" <ace@ietf.org>, "lwip@ietf.org" <lwip@ietf.org> Cc: Benjamin Kaduk <kaduk@mit.edu>, "salvador.p.f@um.es" <salvador.p.f@um.es> Subject: RE: [Ace] EDHOC standardization John, could you also add the detailed data for EDHOC as well? (And thanks for the details regarding the DTLS numbers.) Ciao Hannes -----Original Message----- From: Ace <ace-bounces@ietf.org> On Behalf Of John Mattsson Sent: Wednesday, November 21, 2018 4:03 PM To: ace@ietf.org; lwip@ietf.org Cc: Benjamin Kaduk <kaduk@mit.edu>; salvador.p.f@um.es Subject: Re: [Ace] EDHOC standardization Hi all, Inspired by the discussion in this thread, I did more detailed calculations of the number of bytes when DTLS 1.3 is used for typical IoT use cases (PSK, RPK, Connection ID). The plan is to add this information to draft-ietf-lwig-security-protocol-comparison as this has been requested by several people. I think some bytes were missing in the earlier estimates for TLS 1.3, and as Ben commented, DTLS 1.3 adds some bytes compared to TLS 1.3. ============================================================================== Flight #1 #2 #3 Total ------------------------------------------------------------------------------ DTLS 1.3 RPK + ECDHE 149 373 213 735 DTLS 1.3 PSK + ECDHE 186 190 57 433 DTLS 1.3 PSK 136 150 57 343 ------------------------------------------------------------------------------ EDHOC RPK + ECDHE 38 121 86 245 EDHOC PSK + ECDHE 43 47 12 102 ============================================================================== Number of bytes Assumptions: - Minimum number of algorithms and cipher suites offered - Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256 - Length of key identifiers: 4 bytes - Connection identifiers: 1 byte - The DTLS RPKs use point compression (saves 32 bytes) - No DTLS handshake message fragmentation - Only mandatory DTLS extentions, except for connection ID - Version 30 https://tools.ietf.org/html/draft-ietf-tls-dtls13-30 (EDHOC numbers are for the soon to be published -11 version with cipher suites) I hope this information is useful for people. Please comment if I missed something or if you have any suggestion of things to add or how to present things. I do not know currently how these numbers compare to DTLS 1.2. Below is detailed information about where the byte in different flights as well as the RPKs (SubjectPublicKeyInfo). Most of the bytes should have the correct value, but most of the length fields are just written as LL LL LL. Below is also information about how resumption, cached information [RFC 7924], and not using Connection ID affects the number of bytes. ====================================================== DTLS 1.3 Flight #1 RPK + ECDHE ====================================================== Record Header - DTLSPlaintext (13 bytes) 16 fe fd EE EE SS SS SS SS SS SS LL LL Handshake Header - Client Hello (10 bytes) 01 LL LL LL SS SS 00 00 00 LL LL LL Legacy Version (2 bytes) fe fd Client Random (32 bytes) 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f Legacy Session ID (1 bytes) 00 Cipher Suites (TLS_AES_128_CCM_8_SHA256) (4 bytes) 00 02 13 05 Compression Methods (null) (2 bytes) 01 00 Extensions Length (2 bytes) LL LL Extension - Supported Groups (x25519) (8 bytes) 00 0a 00 04 00 02 00 1d Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes) 00 0d 00 04 00 02 08 07 Extension - Key Share (42 bytes) 00 33 00 26 00 24 00 1d 00 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f Extension - Supported Versions (1.3) (7 bytes) 00 2b 00 03 02 03 04 Extension - Client Certificate Type (Raw Public Key) (6 bytes) 00 13 00 01 01 02 Extension - Server Certificate Type (Raw Public Key) (6 bytes) 00 14 00 01 01 02 Extension - Connection Identifier (43) (6 bytes) XX XX 00 02 01 42 13 + 10 + 2 + 32 + 1 + 4 + 2 + 2 + 8 + 8 + 42 + 7 + 6 + 6 + 6 = 149 bytes ------------------------------------------------------ DTLS 1.3 Flight #1 PSK + ECDHE ------------------------------------------------------ Differences compared to RPK + ECDHE + Extension - PSK Key Exchange Modes (6 bytes) 00 2d 00 02 01 01 + Extension - Pre Shared Key (51 bytes) 00 29 00 2F 00 0a 00 04 ID ID ID ID 00 00 00 00 00 21 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f - Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes) - Extension - Client Certificate Type (Raw Public Key) (6 bytes) - Extension - Server Certificate Type (Raw Public Key) (6 bytes) 149 + 6 + 51 - 8 - 6 - 6 = 186 bytes ------------------------------------------------------ DTLS 1.3 Flight #1 PSK ------------------------------------------------------ Differences compared to PSK + ECDHE - Extension - Supported Groups (x25519) (8 bytes) - Extension - Key Share (42 bytes) 186 - 8 - 42 = 136 bytes ====================================================== DTLS 1.3 Flight #2 RPK + ECDHE ====================================================== Record Header - DTLSPlaintext (13 bytes) 16 fe fd EE EE SS SS SS SS SS SS LL LL Handshake Header - Server Hello (10 bytes) 02 LL LL LL SS SS 00 00 00 LL LL LL Legacy Version (2 bytes) fe fd Server Random (32 bytes) 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f Legacy Session ID (1 bytes) 00 Cipher Suite (TLS_AES_128_CCM_8_SHA256) (2 bytes) 13 05 Compression Method (null) (1 bytes) 00 Extensions Length (2 bytes) LL LL Extension - Key Share (40 bytes) 00 33 00 24 00 1d 00 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f Extension - Supported Versions (1.3) (6 bytes) 00 2b 00 02 03 04 Extension - Connection Identifier (43) (6 bytes) XX XX 00 02 01 43 Record Header - DTLSCiphertext, Full (6 bytes) HH ES SS 43 LL LL Handshake Header - Encrypted Extensions (10 bytes) 08 LL LL LL SS SS 00 00 00 LL LL LL Extensions Length (2 bytes) LL LL Extension - Client Certificate Type (Raw Public Key) (6 bytes) 00 13 00 01 01 02 Extension - Server Certificate Type (Raw Public Key) (6 bytes) 00 14 00 01 01 02 Handshake Header - Certificate Request (10 bytes) 0d LL LL LL SS SS 00 00 00 LL LL LL Request Context (1 bytes) 00 Extensions Length (2 bytes) LL LL Extension - Signature Algorithms (ecdsa_secp256r1_sha256) (8 bytes) 00 0d 00 04 00 02 08 07 Handshake Header - Certificate (10 bytes) 0b LL LL LL SS SS 00 00 00 LL LL LL Request Context (1 bytes) 00 Certificate List Length (3 bytes) LL LL LL Certificate Length (3 bytes) LL LL LL Certificate (59 bytes) // Point compression .... Certificate Extensions (2 bytes) 00 00 Handshake Header - Certificate Verify (10 bytes) 0f LL LL LL SS SS 00 00 00 LL LL LL Signature (68 bytes) ZZ ZZ 00 40 .... Handshake Header - Finished (10 bytes) 14 LL LL LL SS SS 00 00 00 LL LL LL Verify Data (32 bytes) 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f Record Type (1 byte) 16 Auth Tag (8 bytes) e0 8b 0e 45 5a 35 0a e5 13 + 102 + 6 + 24 + 21 + 78 + 78 + 42 + 1 + 8 = 373 bytes ------------------------------------------------------ DTLS 1.3 Flight #2 PSK + ECDHE ------------------------------------------------------ Differences compared to RPK + ECDHE - Handshake Message Certificate (78 bytes) - Handshake Message CertificateVerify (78 bytes) - Handshake Message CertificateRequest (21 bytes) - Extension - Client Certificate Type (Raw Public Key) (6 bytes) - Extension - Server Certificate Type (Raw Public Key) (6 bytes) + Extension - Pre Shared Key (6 bytes) 00 29 00 02 00 00 373 - 78 - 78 - 21 - 6 - 6 + 6 = 190 bytes ------------------------------------------------------ DTLS 1.3 Flight #2 PSK ------------------------------------------------------ Differences compared to PSK + ECDHE - Extension - Key Share (40 bytes) 190 - 40 = 150 bytes ====================================================== DTLS 1.3 Flight #3 RPK + ECDHE ====================================================== Record Header (6 bytes) // DTLSCiphertext, Full ZZ ES SS 42 LL LL Handshake Header - Certificate (10 bytes) 0b LL LL LL SS SS XX XX XX LL LL LL Request Context (1 bytes) 00 Certificate List Length (3 bytes) LL LL LL Certificate Length (3 bytes) LL LL LL Certificate (59 bytes) // Point compression .... Certificate Extensions (2 bytes) 00 00 Handshake Header - Certificate Verify (10 bytes) 0f LL LL LL SS SS 00 00 00 LL LL LL Signature (68 bytes) 04 03 LL LL //ecdsa_secp256r1_sha256 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f Handshake Header - Finished (10 bytes) 14 LL LL LL SS SS 00 00 00 LL LL LL Verify Data (32 bytes) // SHA-256 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f Record Type (1 byte) 16 Auth Tag (8 bytes) // AES-CCM_8 00 01 02 03 04 05 06 07 6 + 78 + 78 + 42 + 1 + 8 = 213 bytes ------------------------------------------------------ DTLS 1.3 Flight #3 PSK + ECDHE ----------------------------------------------------- Differences compared to RPK + ECDHE - Handshake Message Certificate (78 bytes) - Handshake Message Certificate Verify (78 bytes) 213 - 78 - 78 = 57 bytes ------------------------------------------------------ DTLS 1.3 Flight #3 PSK ----------------------------------------------------- Differences compared to PSK + ECDHE None 57 bytes ====================================================== DTLS 1.3 - Cached information [RFC 7924] ====================================================== - Cached information together with server X.509 can be used to move bytes from flight #2 to flight #1 (cached RPK increases the number of bytes compared to cached X.509) Differences compared to RPK + ECDHE Flight #1 - Extension - Server Certificate Type (Raw Public Key) (6 bytes) + Extension - Client Cashed Information (39 bytes) 00 19 LL LL LL LL 01 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 149 + 33 = 182 bytes Flight #2 - Extension - Server Certificate Type (Raw Public Key) (6 bytes) + Extension - Server Cashed Information (7 bytes) 00 19 LL LL LL LL 01 - Server Certificate (59 bytes -> 32 bytes) 373 - 26 = 347 bytes ============================================================================== Flight #1 #2 #3 Total ------------------------------------------------------------------------------ DTLS 1.3 Cached X.509/RPK + ECDHE 182 347 213 742 DTLS 1.3 RPK + ECDHE 149 373 213 735 ============================================================================== ====================================================== DTLS 1.3 - Resumption ====================================================== To enable resumption, a 4th flight (New Session Ticket) is added Flight #4 - New Session Ticket Record Header - DTLSCiphertext, Full (6 bytes) HH ES SS 43 LL LL Handshake Header - New Session Ticket (10 bytes) 04 LL LL LL SS SS 00 00 00 LL LL LL Ticket Lifetime (4 bytes) 00 01 02 03 Ticket Age Add (4 bytes) 00 01 02 03 Ticket Nonce (2 bytes) 01 00 Ticket (6 bytes) 00 04 ID ID ID ID Extensions (2 bytes) 00 00 Auth Tag (8 bytes) // AES-CCM_8 00 01 02 03 04 05 06 07 6 + 10 + 4 + 4 + 2 + 6 + 2 + 8 = 42 bytes The resumption handshake is just a PSK handshake with 136 + 150 + 57 = 343 bytes ============================================================================== Flight #1 #2 #3 #4 Total ------------------------------------------------------------------------------ DTLS 1.3 RPK + ECDHE + NewSessionTicket 149 373 213 42 777 DTLS 1.3 PSK (resumption) 136 150 57 343 ============================================================================== ====================================================== DTLS 1.3 - Connection ID ====================================================== Without a Connection ID the DTLS 1.3 flight sizes changes as follows DTLS 1.3 Flight #1: -6 bytes DTLS 1.3 Flight #2: -7 bytes DTLS 1.3 Flight #3: -1 byte ============================================================================== Flight #1 #2 #3 Total ------------------------------------------------------------------------------ DTLS 1.3 RPK + ECDHE (no cid) 143 364 212 721 DTLS 1.3 PSK + ECDHE (no cid) 180 183 56 419 DTLS 1.3 PSK (no cid) 130 143 56 329 ============================================================================== ====================================================== DTLS Raw Public Keys ====================================================== SubjectPublicKeyInfo without point compression ----------------------------------------------------- 0x30 // Sequence 0x59 // Size 89 0x30 // Sequence 0x13 // Size 19 0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01. // OID 1.2.840.10045.2.1 (ecPublicKey) 0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07 // OID 1.2.840.10045.3.1.7 (secp256r1) 0x03 // Bit string 0x42 // Size 66 0x00 // Unused bits 0 0x04 // Uncompressed ...... 64 bytes X and Y Total of 91 bytes SubjectPublicKeyInfo with point compression ----------------------------------------------------- 0x30 // Sequence 0x59 // Size 89 0x30 // Sequence 0x13 // Size 19 0x06 0x07 0x2A 0x86 0x48 0xCE 0x3D 0x02 0x01. // OID 1.2.840.10045.2.1 (ecPublicKey) 0x06 0x08 0x2A 0x86 0x48 0xCE 0x3D 0x03 0x01 0x07 // OID 1.2.840.10045.3.1.7 (secp256r1) 0x03 // Bit string 0x42 // Size 66 0x00 // Unused bits 0 0x03 // Compressed ...... 32 bytes X Total of 59 bytes ====================================================== Helpful Sources of Information ====================================================== In addition to relevant RFCs and the estimates done by Jim, the following references were helpful: Every Byte Explained: The Illustrated TLS 1.3 Connection https://tls13.ulfheim.net/ Digital Certificates for the Internet of Things https://kth.diva-portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf /John -----Original Message----- From: Benjamin Kaduk <kaduk@mit.edu> Date: Saturday, 3 November 2018 at 15:59 To: John Mattsson <john.mattsson@ericsson.com> Cc: "salvador.p.f@um.es" <salvador.p.f@um.es>, "ace@ietf.org" <ace@ietf.org> Subject: Re: [Ace] EDHOC standardization On Fri, Nov 02, 2018 at 02:55:54PM +0000, John Mattsson wrote: > Hi Benjamin, Salvador > > While DTLS 1.3 have done a very good job of lowering the overhead of the record layer when application data is sent (see e.g. https://tools.ietf.org/html/draft-ietf-lwig-security-protocol-comparison-01 for a comparison between different protocols), I do not think the handshake protocol is much leaner (is it leaner at all?). (There are some handshake messages that are removed entirely.) > We tried to make an fair comparison between EDHOC and TLS 1.3 in the presentation at IETF 101 (see https://datatracker.ietf.org/meeting/101/materials/slides-101-ace-key-exchange-w-oscore-00) Since then, we have significantly optimized the encoding in EDHOC and the upcoming version (-11) is expected to have the following message sizes. > > Auth. PSK RPK x5t x5chain > -------------------------------------------------------------------- > EDHOC message_1 43 38 38 38 > EDHOC message_2 47 121 127 117 + Certificate chain > EDHOC message_3 12 86 92 82 + Certificate chain > -------------------------------------------------------------------- > Total 102 245 257 237 + Certificate chains > > As Salvador writes, the handshakes in TLS 1.3 and DTLS 1.3 are basically the same, so the numbers presented at IETF 101 should be a good estimate also for DTLS 1.3. > > Auth. PSK RPK > -------------------------------------------------------------------- > (D)TLS message_1 142 107 > (D)TLS message_2 135 264 > (D)TLS message_3 51 167 > -------------------------------------------------------------------- > Total 328 538 Thanks for the numbers! > The numbers above include ECDHE. For handshake messages, my understanding is that the DTLS 1.3 and TLS 1.3 record layer have exactly the same size. The DTLS 1.3 ones will be worse, due to the epoch and sequence number fields. -Ben _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- Re: [Lwip] [Ace] EDHOC standardization John Mattsson
- Re: [Lwip] [Ace] EDHOC standardization Hannes Tschofenig
- Re: [Lwip] [Ace] EDHOC standardization Hannes Tschofenig
- Re: [Lwip] [Ace] EDHOC standardization Jim Schaad
- Re: [Lwip] [Ace] EDHOC standardization John Mattsson
- Re: [Lwip] [Ace] EDHOC standardization John Mattsson
- [Lwip] (protocol flows) Re: [Ace] EDHOC standardi… Rene Struik
- Re: [Lwip] (protocol flows) Re: [Ace] EDHOC stand… John Mattsson
- Re: [Lwip] [Ace] EDHOC standardization John Mattsson
- Re: [Lwip] [Ace] EDHOC standardization Hannes Tschofenig