Re: [secdir] [Lake] Secdir review of draft-ietf-lake-edhoc-18
John Mattsson <john.mattsson@ericsson.com> Thu, 26 January 2023 10:05 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D5C0C1522D3; Thu, 26 Jan 2023 02:05:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rbiG-A7l-nJz; Thu, 26 Jan 2023 02:05:31 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on2079.outbound.protection.outlook.com [40.107.7.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F02EC1516F3; Thu, 26 Jan 2023 02:05:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GSbGk2HH4SOhj15Baz8Ry6FfSlOR2rS1wdYM3cSAiZogSpel2XAtkaM3G43EfOiBdHCIHRCoANYpoHCFsmX/6XUARLJqSexvgxdMn3gKJh9jYew3HO/Px2suueCZbYIh9M44JRzOWLEXR+LCp2DkFrOJRddz3Fv6LHW8IzaaAP0aeROrEqw2vP01tr9zfBQcGnBYJXgpDRIx7+Gegp+7bAJWcLBDDvjGhaKFapjbVFeDR5qEnvLAYQ6xxl71JGtfvJlysdV990wNbOOVBZRj5ktkW+m8A6rYzyxIL7yyDidpDMvPxb0/nsYjWH9Sv0tRq0bVZXoA4bxAM9BQo9jTRg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=sL8uqsGXkQSBVoX7yOJluakfzGdHPR80lRLQapKqTAQ=; b=V/IydJ/f2zn5hyKl3AgU4C3fdfbtW3FTguyNtDsaVXDwqlCj2dOKhLrH8NNx8GYJokq58wFjVhST0vF2AtzLSxmIW/KGROyShGyEVcJ8ym1lknJ/E3k0CGG3L1fMxV475EA1nqje3+0xvqqcd12vPgjb50B4eOPpLGB+4xcb4etqFvfz9kaS08nF/MfZ/FCX19u35dG6Kfbbs2Kr2eEKXuirSqDhqk0Sy5YmXZQZ20ZjKeYsvFzhOYw+QWJjR7CyfWVSScsRDVbmqyMJqpb4XQlNlshBdBS1A5K//vEkLLA4W+tDtwCyPNtmY0n3892vBlE00U63pYX5Uva2E/+z/A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sL8uqsGXkQSBVoX7yOJluakfzGdHPR80lRLQapKqTAQ=; b=rctEWZKA4lI8ED2f4TWWzqUk/SWc8p+x92/n201Lo6Voo9x7v7kR7XpMi8pkFLtx8IY1Q1dFTfUo5seEx9A6JOw6EecHZLOslcEuzTpamakT97Bex1jUvlSmybrIlYoaMPavOVGxcafsh89RIe/e4yNTNqd8d5REZJXlhirh/jc=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by AM7PR07MB6948.eurprd07.prod.outlook.com (2603:10a6:20b:1bd::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.22; Thu, 26 Jan 2023 10:05:24 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::fc77:42d2:1bc6:ec49]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::fc77:42d2:1bc6:ec49%12]) with mapi id 15.20.6002.033; Thu, 26 Jan 2023 10:05:24 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Marco Tiloca <marco.tiloca@ri.se>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Göran Selander <goran.selander@ericsson.com>, Radia Perlman <radiaperlman@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-lake-edhoc.all@ietf.org" <draft-ietf-lake-edhoc.all@ietf.org>, "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [Lake] Secdir review of draft-ietf-lake-edhoc-18
Thread-Index: AQHZL55/YN8RkdF7x0eIwm6TkpotVa6vZ9IAgABPjgCAABItyoAAraWAgAAE3RQ=
Date: Thu, 26 Jan 2023 10:05:24 +0000
Message-ID: <HE1PR0701MB3050209FC70CE89C31FBDBD989CF9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <CAFOuuo5xrmSqHkca6YQLF9gZqEX27ziqvsw5B0mM5dYTU5O_+g@mail.gmail.com> <PAXPR07MB8844BEBBF579FFF102A85498F4C99@PAXPR07MB8844.eurprd07.prod.outlook.com> <PAXPR07MB8844A6073141A5ADB0CC87D9F4CE9@PAXPR07MB8844.eurprd07.prod.outlook.com> <HE1PR0701MB30500D8F1FA85BE91878BA4389CE9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <1cabe14a-2c5e-082e-96cf-8e03128c8a0e@ri.se>
In-Reply-To: <1cabe14a-2c5e-082e-96cf-8e03128c8a0e@ri.se>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: HE1PR0701MB3050:EE_|AM7PR07MB6948:EE_
x-ms-office365-filtering-correlation-id: 943ac47b-b106-4965-6ee1-08daff84d7b1
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: T6xgwdJlnwsp2kAWpkVm6FMK3TkCthgmT0Ib2cVsk0tRuBLWMdYA0Gxbkc81yEP27v/T2ljc7b6FDYKruE6hUgmnMhjnh4v9A776qyI8NNrzzqekAEMtJxvxgJqAUUxJReflqEUwuhg/Tab1SdHw/XPI5hAkafqOUfcTfURSB+68/MHlJyU18ug/nxPVyH2YYA5DaFKgZKImU0CqZvXcaTWo1uMzxJxsSDjlYFvyA2WlEnqB8tIBj5vecr6gqEKlcJW4QRqABTWPJ+m6ek9oc05y/8RGZChmLBZNaW7WeRS+hhcoc3f9SYpXfLAlolprrm0dNb6l70En1D5W1MCBzFdAbX0dxBSPXCtE/cE0S7zBIv1+PZZh94OJ8x/u70nC1yzWzD7UpnfcsmjHHffJW3ZlDdHDVKscGUZ3Yc4YQeohX03TqWJLttPuQBbjvKWRxPEwhCHs0ZVSSS6t+BxAGhwqrLjVijmZ/k9wIbaPTME3p3B5zUQx3EA15kRcZUj0pOqtVQ3KWS0sYswispPH8P3R4kt2VLVUHNc5ajUiNWRGPMAvrejm4aAREgV/U1NorG1KS4VHggN+bBjqWCBlDNoeb4npIGbE+vMxTso7NMwm63h/U1Brm800DevPanWAg/NyZgCa6ih97Ub8iPzqpB7zl6duxviptBubcwVb1JsDRHhoYNlGYk3oCRu5pKb26/ASORcSd6KNOXYphn1b/g==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(4636009)(376002)(346002)(396003)(366004)(136003)(39860400002)(451199018)(966005)(30864003)(110136005)(316002)(71200400001)(5660300002)(38070700005)(33656002)(66446008)(66556008)(64756008)(41300700001)(38100700002)(52536014)(55016003)(8676002)(86362001)(66476007)(8936002)(91956017)(66946007)(76116006)(122000001)(44832011)(478600001)(7696005)(166002)(66574015)(83380400001)(2906002)(6506007)(53546011)(99936003)(82960400001)(186003)(26005)(9686003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 4S8RVTPTaGzuFJ3mLNGWg6v+EKtwYkVqjsXWXGbvmdC2NUzrynIITkMFdnVvOOnkE0rK5+9K9Wsuruxos818BwrwsJ/Ceg4cDp2FntZemBHBHSjqXvm6YMpDewm2B3bFooNj5Q4GKUiKm8KzQxSkbHI/8JmNYjAtg+O4KLm8VhG4f3MLvmhEhGWT2jEoBeTSlinu5AQab6GfvWiDV/ad3ErZPOy66N4lGT601OuzB+tnZWiJh2CWe5MA9s5nAXYSJfA4E8vfmtNV+LcezyXzeu1xh58phCbJMkiImwpp+x9VVRFyLEhBKRgHRTrvamB0hPySC7GZ+PiUyIP+nJUG0v365ZW5+uQBUyJ5dSa6ZFxGnnIrhacFAtagmUA1hWc/UefsiY3Oz91GrVJ29rmMiVZzB3r/KfaB24w73OIrGYN2Y5Mm3wCkXP6rfNATiAlo1pVQhX+J/G6axEr2u3CPK5PvHinTPUxQqWYlkAkf8KIjqj1DJXmdKtkDVtnnAS5dgD0WzctrBtFPfG6PDP1uCtAi59PIqZwLP+iHuGxuTcpSfOigIZBuuf+DCkrQl2THbKRt3L9rNsvFwCney3LC+DA+aQmxe/gnG+675x33aWyZfpszpkWCc/EHpbt24//O1l707ru1Fpeois16wmCvo9pL0zSGKpFRgeiSEZvuIU/4FcncQxdH30RXg5PtfVGGRw4G2HvUV+BbTBTc00ykcrWsVgQxDW+mQIQ2h8EbvtrfvHqqmRXKTuhYU3+G+DbKtQCP3mt3HL+FLQ5PzXTFnvPc5pG4UGQrx+umfnNPJalwkYqENKR9BQOsVBJ84Fr0mmnxQ86om8TFjNt32hRfXxuxU3ZqQAbC2WIxwzgWx0j9NqFhmj76bLppMkZO38eHFtReb+d/KIjNgIfblLGpbCQQbgDNuRHSb4ucDvgd8j5A1/ZHN0EAubkzPtQXSkQYWT+PEQWsAK7UozktcfUJnxIT+XVmxv5twvfe53qXfr7zSDGcZWkMyqM7GX1Hexmlq262DDEUD8uOufbE6RvF68C27MjnD88Al857t9vpclbDUDpw4nCMybBJj8N05QXEGNh3kPYFJ+DoqizgOtJ/QuD2bK+EjfyPZvDo3RI3qZ6tZC3nTnINjeZ+aPDQLVCRTM9ERR+H5JHE8xKlcDoWy6SltT3hFZ41RRCDiQEMZK5vgz51Q8bgSbv35ZvpkGf94Kvo1UwEs0EgwzMusDmqBhMgK/+Q1XLwApUh2pHkWjXO3vBpVK1KPs/6iFo9xKdf6PpqnnhSd4oWEs6HPOaOVoINhiE+/eBzTZh5HIC4bnx6DGMipLvxHn/CdBhYdqnTpF8X7nQjJpL5C/C0SLTr+fcQTZ+qD7MHSfrUHwOYRe5G62Tnh2ACVKnDaVYEdzppHcIQKO8Zioybbxl3vbL5pHJ2Cg32O36EVAEfESGtjdw0GJr8/mash72sJgVB8QCsu1MBwxorN85W8J8TrotCbC7YKIEVCYNoqlXy3COuIkhsar3q+HA4swOqzbW7hPFOy1nXBSfs+gjA26Oh84VKpHEmijHxkun0QC45TYGs+iuS2Sbj6AMP3b7TDJJtm/bFfI/2qr5ixlJ5Hw6SC9Aj9LnePSf7q5UCZr1B4iFFfCo=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="_525507D5-7343-4E4B-BACD-B5D778464E5E_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 943ac47b-b106-4965-6ee1-08daff84d7b1
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jan 2023 10:05:24.5217 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: y34K5rHjcktyNDI6OA8FNGcz3/mWwYeGBqb+SFWsRoM6mc/sFH9//kMRsVdu/2TiKdZmM0gA5C4iD9hQBDO6k6jPwzrmP99StbbD8PO74G8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6948
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-54Krf-jv1xig0YM61udrZ-LxBA>
Subject: Re: [secdir] [Lake] Secdir review of draft-ietf-lake-edhoc-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2023 10:05:35 -0000
Thanks Marco. That makes sense to me. Cheers, John From: Marco Tiloca <marco.tiloca@ri.se> Date: Thursday, 26 January 2023 at 10:48 To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Göran Selander <goran.selander@ericsson.com>, Radia Perlman <radiaperlman@gmail.com>, secdir@ietf.org <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-lake-edhoc.all@ietf.org <draft-ietf-lake-edhoc.all@ietf.org>, lake@ietf.org <lake@ietf.org> Subject: Re: [Lake] Secdir review of draft-ietf-lake-edhoc-18 Hi John, On 2023-01-26 00:40, John Mattsson wrote: Which changes should we do based on Radia’s comments? - Do we need to explain better that EDHOC always do ephemeral-ephemeral key exchange giving forward secrecy with respect to the long-term authentication keys? - I don’t think we should change the name of the “Static DH keys”. But we should explain that they are only used for authentication and that an ephemeral-ephemeral key exchange is still performed. - Is the term ephemeral DH confusing? Should the body talk about ephemeral-ephemeral instead? - Should Appendix J be thrown out? It is not used by KUDOS anymore. ==>MT I think it's better to keep Appendix J. Also based on the related discussions from the LAKE interim meeting on 2022-10-05: * EDHOC-KeyUpdate is used in the EDHOC & OSCORE profile of ACE [1], for peers not supporting KUDOS [2]. * Stephen suggested to keep that content altogether (even if as an Appendix), in order to ensure to take into account BCP 107 [3]. Best, /Marco [0] https://datatracker.ietf.org/doc/minutes-interim-2022-lake-02-202210051700/ <https://datatracker.ietf.org/doc/minutes-interim-2022-lake-02-202210051700/> [1] https://datatracker.ietf.org/doc/html/draft-ietf-ace-edhoc-oscore-profile-00#name-use-of-edhoc-keyupdate <https://datatracker.ietf.org/doc/html/draft-ietf-ace-edhoc-oscore-profile-00#name-use-of-edhoc-keyupdate> [2] https://datatracker.ietf.org/doc/draft-ietf-core-oscore-key-update/ <https://datatracker.ietf.org/doc/draft-ietf-core-oscore-key-update/> [3] https://datatracker.ietf.org/doc/html/rfc4107 <https://datatracker.ietf.org/doc/html/rfc4107> <== Cheers, John From: Göran Selander <goran.selander@ericsson.com> <mailto:goran.selander@ericsson.com> Date: Wednesday, 25 January 2023 at 23:21 To: Radia Perlman <radiaperlman@gmail.com> <mailto:radiaperlman@gmail.com>, secdir@ietf.org <mailto:secdir@ietf.org> <secdir@ietf.org> <mailto:secdir@ietf.org>, The IESG <iesg@ietf.org> <mailto:iesg@ietf.org>, draft-ietf-lake-edhoc.all@ietf.org <mailto:draft-ietf-lake-edhoc.all@ietf.org> <draft-ietf-lake-edhoc.all@ietf.org> <mailto:draft-ietf-lake-edhoc.all@ietf.org>, lake@ietf.org <mailto:lake@ietf.org> <lake@ietf.org> <mailto:lake@ietf.org> Subject: Re: Secdir review of draft-ietf-lake-edhoc-18 The formatting was messed up in the my response to Radia’s review which made it difficult to distinguish between the review and the response. Here is the same mail repeated but where my inline comments are prepended with [GS]. Hi Radia, Thanks very much for your secdir review. Please see comments inline. Updates are being tracked in PR #395. https://github.com/lake-wg/edhoc/pull/395 <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-0214171e5057b187&q=1&e=796763d1-d3a7-40d6-a1f3-e2af5448b2cf&u=https%3A%2F%2Feur05.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fprotect2.fireeye.com%252Fv1%252Furl%253Fk%253D31323334-501d5122-313273af-454445555731-bb10ca2ae3c3bf76%2526q%253D1%2526e%253D427745ef-5c95-47a0-829a-3e732e155bd9%2526u%253Dhttps%25253A%25252F%25252Fgithub.com%25252Flake-wg%25252Fedhoc%25252Fpull%25252F395%26data%3D05%257C01%257Cmarco.tiloca%2540ri.se%257C0573e835d4604c96a0ff08daff2d8689%257C5a9809cf0bcb413a838a09ecc40cc9e8%257C0%257C0%257C638102868263280565%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%257C%257C%257C%26sdata%3DQPfvjZ5MyHzkY53BWuY%252B9XsCfScb2HYJif2aBo69Y4E%253D%26reserved%3D0> From: Radia Perlman <radiaperlman@gmail.com> <mailto:&lt;radiaperlman@gmail.com&gt;> Date: Tuesday, 24 January 2023 at 03:49 To: secdir@ietf.org <mailto:secdir@ietf.org> <secdir@ietf.org> <mailto:&lt;secdir@ietf.org&gt;>, The IESG <iesg@ietf.org> <mailto:&lt;iesg@ietf.org&gt;>, draft-ietf-lake-edhoc.all@ietf.org <mailto:draft-ietf-lake-edhoc.all@ietf.org> <draft-ietf-lake-edhoc.all@ietf.org> <mailto:&lt;draft-ietf-lake-edhoc.all@ietf.org&gt;> Subject: Secdir review of draft-ietf-lake-edhoc-18 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. There are a family of "lightweight" protocols designed for us in "constrained" environments (think IoT) that replace other IETF protocols that would be otherwise be used. The constraints may include lack of CPU power, lack of bandwidth, lack of non-volatile memory, and running over a non-IP network. EDHOC (Ephemeral Diffie-Hellman over COSE) specifies a protocol for establishing session keys for use with OSCORE that specifies how to cryptographically protect a session. So you can think of EDHOC as corresponding to IKE while OSCORE corresponds to ESP, or you can think of the pair EDHOC/OSCORE as corresponding to TLS. As you would expect, the protocol is functionally quite similar to both TLS and IKE, and the interesting security discussions would be around the justifications for the differences. The name EDHOC is misleading, since EDHOC supports four authentication variants, only one of which is Ephemeral Diffie-Hellman. The other three are where one of both endpoints use a static Diffie-Hellman key. [GS] There seems to be a misunderstanding here. All four methods are using ephemeral Diffie-Hellman, although some use additionally static DH for authentication and some use signature for authentication. The message fields G_X in message_1, and G_Y in message_2 are ephemeral public keys and the shared secret G_XY is the Input Key Material for the pseudorandom key PRK_2e for all methods. Is there some text that is unclear on this point which we can improve? TLS 1.3 decided to abandon all such variants because they do not provide forward secrecy, but I suppose it reasonable to revisit that decision in the context of a constrained environment. [GS] All four methods do provide forward secrecy according to the security analysis papers (see below). Static DH authenticated ephemeral DH is also used elsewhere, for example, the Noise XX pattern, which is similar to method 3. TLS 1.3 unfortunately did not abandon all variants that do not provide forward secrecy; psk-ke is even marked as “Recommended”; a decision that is proposed to be revisited in https://datatracker.ietf.org/doc/draft-mattsson-tls-psk-ke-dont-dont-dont/ <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-dde73b40fccabc36&q=1&e=796763d1-d3a7-40d6-a1f3-e2af5448b2cf&u=https%3A%2F%2Feur05.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdatatracker.ietf.org%252Fdoc%252Fdraft-mattsson-tls-psk-ke-dont-dont-dont%252F%26data%3D05%257C01%257Cmarco.tiloca%2540ri.se%257C0573e835d4604c96a0ff08daff2d8689%257C5a9809cf0bcb413a838a09ecc40cc9e8%257C0%257C0%257C638102868263280565%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%257C%257C%257C%26sdata%3DC7ofNVNFb6jedCIIziwq0n2BWiHYFU4XR6mOza%252FD3Wc%253D%26reserved%3D0>. But I can think of no justification for the misleading name. The working group name (Lightweight Authenticated Key Exchange - LAKE) would be a more accurately descriptive name. [GS] That particular name change has actually been discussed and, at the time, was not preferred: https://mailarchive.ietf.org/arch/msg/lake/2uuzP5T2ijkYEMsbqzt03200U2s/ <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-35e29c81f9a59eeb&q=1&e=796763d1-d3a7-40d6-a1f3-e2af5448b2cf&u=https%3A%2F%2Feur05.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fmailarchive.ietf.org%252Farch%252Fmsg%252Flake%252F2uuzP5T2ijkYEMsbqzt03200U2s%252F%26data%3D05%257C01%257Cmarco.tiloca%2540ri.se%257C0573e835d4604c96a0ff08daff2d8689%257C5a9809cf0bcb413a838a09ecc40cc9e8%257C0%257C0%257C638102868263280565%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%257C%257C%257C%26sdata%3DD4NU3UNH8hkurB1UFgHF9ENNtm8e0R9hHK5T4mk%252BjDo%253D%26reserved%3D0> The authors may be confused about the definition of forward secrecy, since in Security Considerations they say this protocol provides forward secrecy and in Appendix J they refer to a key refresh technique that has some nice security properties but does not provide what is generally regarded as forward secrecy. [GS] All methods in the protocol do provide forward secrecy with respect to long term keys. Compromise of the long-term keys does not compromise session keys from previous connections. Compromise of one session key does not compromise old session keys in the same connection. The method of obtaining forward secrecy through iterated key derivation was introduced in LAKE by Karthik Bargavan: https://mailarchive.ietf.org/arch/msg/lake/-Fx-NVLrZohQ7p8Wy8VNpsDC_-M/ <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-e586f3ec064c471f&q=1&e=796763d1-d3a7-40d6-a1f3-e2af5448b2cf&u=https%3A%2F%2Feur05.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fmailarchive.ietf.org%252Farch%252Fmsg%252Flake%252F-Fx-NVLrZohQ7p8Wy8VNpsDC_-M%252F%26data%3D05%257C01%257Cmarco.tiloca%2540ri.se%257C0573e835d4604c96a0ff08daff2d8689%257C5a9809cf0bcb413a838a09ecc40cc9e8%257C0%257C0%257C638102868263280565%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%257C%257C%257C%26sdata%3DUh%252BBglhnRxoREWuN4wxL0wFYLzvjxxObpDSa%252FZmzWMI%253D%26reserved%3D0> Appendix J does not include a protocol since the WG decided this draft to focus on the public key authenticated ephemeral Diffie-Hellman, but the high level solution in Appendix J is the same as the key update in TLS 1.3 and RFC 8446 states that this mechanism provides forward secrecy. Other differences: They simplify the protocol compared to TLS by not including the variations allowing restart of a security context based on cached information. While this makes the code to implement the protocol simpler, it hurts performance. [GS] A resumption option with ephemeral DH would have roughly the same message size but would only require one Diffie-Hellman operation compared to three in full EDHOC. In many constrained radio environments message sizes are the most important parameter for performance. One perhaps more important reason to define a resumption option is that fetching credentials from a database, validating them, and doing revocation is slow. Variations of resumption for EDHOC, to specify in a companying document, is for discussion; one recent email on the topic: https://mailarchive.ietf.org/arch/msg/lake/sMUlR-8eOe5ZalCNpsQS69hlCc0/ <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-6fbf754a9d4c2cb9&q=1&e=796763d1-d3a7-40d6-a1f3-e2af5448b2cf&u=https%3A%2F%2Feur05.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fmailarchive.ietf.org%252Farch%252Fmsg%252Flake%252FsMUlR-8eOe5ZalCNpsQS69hlCc0%252F%26data%3D05%257C01%257Cmarco.tiloca%2540ri.se%257C0573e835d4604c96a0ff08daff2d8689%257C5a9809cf0bcb413a838a09ecc40cc9e8%257C0%257C0%257C638102868263438017%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%257C%257C%257C%26sdata%3DQfnBKi%252B6Wxz%252Flsw4H198QWprvOy5hG6OcEpYjHZZaos%253D%26reserved%3D0> There is also the KUDOS draft which provides updates on the OSCORE security context without using EDHOC: https://datatracker.ietf.org/doc/draft-ietf-core-oscore-key-update/ <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-b880b524e64ed23e&q=1&e=796763d1-d3a7-40d6-a1f3-e2af5448b2cf&u=https%3A%2F%2Feur05.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdatatracker.ietf.org%252Fdoc%252Fdraft-ietf-core-oscore-key-update%252F%26data%3D05%257C01%257Cmarco.tiloca%2540ri.se%257C0573e835d4604c96a0ff08daff2d8689%257C5a9809cf0bcb413a838a09ecc40cc9e8%257C0%257C0%257C638102868263447958%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%257C%257C%257C%26sdata%3Di2%252F9Gi9fwXvleTCJ2V%252Ffllklk2lUmsv9bqXkoKQKgjk%253D%26reserved%3D0> The negotiation of cryptographic algorithms is based on suites (as early versions of TLS did) rather than a more ala carte approach that TLS has evolved towards. Further, while TLS has a system of initiator proposes and responder chooses cryptographic algorithms, in EDHOC's system the responder is constrained to choose the most preferred of the initiator's suites that it supports. Further, the initiator must guess the suite the responder will choose and the protocol may be very "chatty" the first time the protocol is run (or every time if the initiator does not cache the preferred suite of the responder). There would be an extra pair of messages for each suite the initiator prefers over the first one the responder accepts. [GS] One common setup for IoT devices is that there are only one or a few supported algorithms, and that supported algorithm is known at the time of deployment, in which case there is less risk for chatty negotiation. Regarding caching of cipher suites, 6.3.1 notes that ”After a successful run of EDHOC, the Initiator MAY remember the selected cipher suite to use in future EDHOC sessions.” With such setup we believe it should be possible to avoid too much chattiness. Happy for further input. Whether authentication is going to be based on Ephemeral or Static Diffie-Hellman keys is not negotiated. The initiator is expected to know (or the protocol gets more chatty). [GS] Negotation of method has been discussed in the WG. It could be included in the same low overhead proccedure as negotiation of cipher suite. But like the common case for cipher suites above it is expected that constrained devices only support a single method which is known at deployment time, so it is not clear that negotiation is needed for the most constrained settings (or a significant overhead in less constrained settings). Finally, rather than negotiating a symmetric encryption algorithm for use within EDHOC itself, EDHOC generates an extended PRF output which it XORs into messages to encrypt them. In practice, this strikes me as a clever hack to greatly simpify the specification while not substantially hurting performance. But others may disagree. There was a reference to an analysis of the security of the protocol (which is based on SIGMA). I didn't read it, but the design of the protocol looks sound to me. [GS] Just a note: We have updated the list of security analysis papers we are aware of and which we have taken into account (Section 8.1) and there are now 5 publications analysing different methods of the protocol using different techniques: [Bruni18] [Norrman20] [CottierPointcheval22] [Jacomme23] [GuentherIlunga22], see https://lake-wg.github.io/edhoc/draft-ietf-lake-edhoc.html#name-security-properties <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-863422f1b3a5a14d&q=1&e=796763d1-d3a7-40d6-a1f3-e2af5448b2cf&u=https%3A%2F%2Feur05.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fprotect2.fireeye.com%252Fv1%252Furl%253Fk%253D31323334-501d5122-313273af-454445555731-81c5b24e4d1baec7%2526q%253D1%2526e%253D427745ef-5c95-47a0-829a-3e732e155bd9%2526u%253Dhttps%25253A%25252F%25252Flake-wg.github.io%25252Fedhoc%25252Fdraft-ietf-lake-edhoc.html%252523name-security-properties%26data%3D05%257C01%257Cmarco.tiloca%2540ri.se%257C0573e835d4604c96a0ff08daff2d8689%257C5a9809cf0bcb413a838a09ecc40cc9e8%257C0%257C0%257C638102868263448691%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%257C%257C%257C%26sdata%3DwSDDdk%252FHFeW8vTRkAV2DA0Ne543Yr%252F2T3auOCWPgI7w%253D%26reserved%3D0> Nits: >From Section 1.1: "This specification emphasizes the possibility to reference rather than to transport credentials in order to reduce message overhead, but the latter is also supported." -> "This specification supports the referencing of credentials in order to reduce message overhead, but credentials may alternatively be embedded." [GS] Done. In Section 3.9: "incompliance" -> "non-compliance" [GS] Based on a previous comment we already changed this to ”lack of compliance”. Thanks, Göran -- Marco Tiloca Ph.D., Senior Researcher Phone: +46 (0)70 60 46 501 RISE Research Institutes of Sweden AB Box 1263 164 29 Kista (Sweden) Division: Digital Systems Department: Computer Science Unit: Cybersecurity https://www.ri.se <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-3d296ae5721cac2b&q=1&e=796763d1-d3a7-40d6-a1f3-e2af5448b2cf&u=https%3A%2F%2Fwww.ri.se%2F>
- [secdir] Secdir review of draft-ietf-lake-edhoc-18 Radia Perlman
- Re: [secdir] Secdir review of draft-ietf-lake-edh… Göran Selander
- Re: [secdir] Secdir review of draft-ietf-lake-edh… Göran Selander
- Re: [secdir] Secdir review of draft-ietf-lake-edh… John Mattsson
- Re: [secdir] Secdir review of draft-ietf-lake-edh… Radia Perlman
- Re: [secdir] Secdir review of draft-ietf-lake-edh… Peter.Blomqvist@sony.com
- Re: [secdir] [Lake] Secdir review of draft-ietf-l… John Mattsson
- Re: [secdir] [Lake] Secdir review of draft-ietf-l… Marco Tiloca