IETF Logo Mail Archive

Re: [Secdispatch] brief feedback on draft-selander-lake-reqs-00

Göran Selander <goran.selander@ericsson.com> Tue, 16 April 2019 13:08 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCDD912002E for <secdispatch@ietfa.amsl.com>; Tue, 16 Apr 2019 06:08:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.022
X-Spam-Level:
X-Spam-Status: No, score=-1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1qWmgI22_P54 for <secdispatch@ietfa.amsl.com>; Tue, 16 Apr 2019 06:08:18 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130083.outbound.protection.outlook.com [40.107.13.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60CF6120362 for <secdispatch@ietf.org>; Tue, 16 Apr 2019 06:08:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dFM7A1Lv0K4iVUVtyjqOzZlL4K0t1P472+PWeR1F0MY=; b=R2Mgcm9H5Em69a76FELqbkRUG0mXEa3FlbIPs5HrUawVh7alJAihCxjy1VsSLUCeo/cl6E1p8246UNZ2MnL9AbsGkdYJfK9TzZHIdQGIgMKRyPIN7LGlLPw5sBOx92jCCfZTf2gGf0Spokj1vc1PoMoRmJhNBuzFzQaVyQoNXyY=
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com (20.176.166.25) by HE1PR07MB0955.eurprd07.prod.outlook.com (10.162.27.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1813.9; Tue, 16 Apr 2019 13:08:12 +0000
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::c587:c2ec:e227:84fd]) by HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::c587:c2ec:e227:84fd%4]) with mapi id 15.20.1813.003; Tue, 16 Apr 2019 13:08:12 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Rene Struik <rstruik.ext@gmail.com>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: brief feedback on draft-selander-lake-reqs-00
Thread-Index: AQHU87p9WntCI6fI+k+wO/iZR8tY5qY+5PSA
Date: Tue, 16 Apr 2019 13:08:12 +0000
Message-ID: <EB9FBD43-5D5D-46D4-9741-A57B5F1CB0BB@ericsson.com>
References: <155507882604.16959.2935532240318784994.idtracker@ietfa.amsl.com> <D054DAE0-DD1C-494E-8E42-FA15DB0F618F@ericsson.com> <7a604b70-1c6a-e799-f30c-c9369e62d8d0@gmail.com>
In-Reply-To: <7a604b70-1c6a-e799-f30c-c9369e62d8d0@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.1.190326
authentication-results: spf=none (sender IP is ) smtp.mailfrom=goran.selander@ericsson.com;
x-originating-ip: [213.89.213.86]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 260b7b7a-61dc-4606-1527-08d6c26c94bd
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600140)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:HE1PR07MB0955;
x-ms-traffictypediagnostic: HE1PR07MB0955:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <HE1PR07MB0955D1DEE73F1637E1097918F4240@HE1PR07MB0955.eurprd07.prod.outlook.com>
x-forefront-prvs: 000947967F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(366004)(346002)(376002)(136003)(396003)(189003)(199004)(71200400001)(11346002)(105586002)(53936002)(316002)(6506007)(58126008)(2616005)(476003)(71190400001)(2501003)(85202003)(82746002)(85182001)(106356001)(486006)(76176011)(68736007)(25786009)(6512007)(966005)(6306002)(14454004)(14444005)(256004)(5660300002)(83716004)(478600001)(325944009)(86362001)(229853002)(99286004)(6436002)(7736002)(8676002)(305945005)(6246003)(53546011)(81166006)(26005)(102836004)(8936002)(81156014)(36756003)(66066001)(66574012)(6486002)(33656002)(3846002)(186003)(2906002)(110136005)(446003)(97736004)(6116002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB0955; H:HE1PR07MB4172.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: PNBVn91ZbPaGZGN3Z8c7bmiQNwuMWi+4K9rmHfKIrCVHLm1KUAJN6T97wGBeww5RXbpyekYQLwOdTPtYl8Zc1ecUexwRCZjPAqvxeNeFtSDx6THCQ7lePRFVTO0wjMAXf++msLOs9+9sjDGZGkjziupAW4Apif7EMrYOjdId3Mi/JEKu3FccKUsTGiC5TBWO6iy+aCauKfK3MER3jGL4gDX//JnszLUy8TJnFA33i5beV7TrIXe8wGNzq5//y1OQLOuN+h95nCG2plGEXw/XfBN5a60E9G2DWL0eLW85c7FP8CLby5K0Rp2MUiZ5nYYoGMH/jDJu8dnzL03VCQEEEESIx2EtiNCivOhLhDKkPVa3eHWUDsG4C1P+00ANDer0tIORn2kMam4SLm+CzJl7F1LtAKJv09yr2+PrcMbXWFI=
Content-Type: text/plain; charset="utf-8"
Content-ID: <9C65F72D12641140BA9C8F0DB0497827@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 260b7b7a-61dc-4606-1527-08d6c26c94bd
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Apr 2019 13:08:12.5238 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB0955
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/2cn3QJKYfTsjnOBHwUkHwwLdMQQ>
Subject: Re: [Secdispatch] brief feedback on draft-selander-lake-reqs-00
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2019 13:08:22 -0000

Hi Rene,

Please find responses inline. 

On 2019-04-15, 20:39, "Rene Struik" <rstruik.ext@gmail.com> wrote:

    Dear Goran:
    
    Some brief remarks on draft-selander-lake-reqs:
    a) duty cycle (see Section 4.2.1 - LoRaWaN):
    Duty cycle depends on context (e.g., duty cycle during Tx of a single 
    frame is always 100%). According to ETSI [1], Section 5.4.1, duty cycle 
    is relative to observation time window (Tobs) of 1 hour, where 
    conformance ([1], Section 5.4.2), is defined relative to normal use 
    during operational lifetime, where "the representative period shall be 
    the most active one in normal use of the device. As a guide "Normal use" 
    is considered as representing the behaviour of the device during 
    transmission of 99 % of transmissions generated during its operational 
    lifetime", and where "Procedures such as setup, commissioning and 
    maintenance are not considered part of normal operation". This does 
    suggest that inter-frame spacing is not necessarily 99 frames for each 
    frame sent, as this section seems to claim. In fact, if key agreement is 
    only done as part of network formation, it falls outside the duty cycle 
    regulatory requirement.

Two applications of EDHOC in the context of LoRaWAN were mentioned at the interim meeting. One is for the rekeying of LoRaWAN  AppKey, the other is for end-to-end security on application layer between device and cloud service, where LoRaWAN is the last hop. In both cases the message sizes over the LoRaWAN link are relevant for the performance. While the first case may be exempted, the second is independent of network formation. I will make this more clear in -01.

    b) few messages/few frames (Section 4.2 - Discussion):
    The suggestion that a 3-message protocol is a requirement seems to be 
    more an opinion/preference by the author, since lacking detailed 
    technical justification. {If sending an additional frame causes "the 
    probability of errors [to] increase exponentially", the medium access 
    control layer seems to be unfit for use. Or, do you mean that if error 
    probability is p, one gets prob no error in t frames equals (1-p)^t? If 
    so, with small p with viable networks and small t, one definitely has 
    (1-p)^t ~ 1 - t*p (i.e., almost linear degradation rather than the more 
    dramatically sounding exponential).}

For NB-IoT, the performance characteristics are not sensitive to the distribution of content into frames, but the time until encrypted traffic data can be sent is highly dependent on the number of roundtrips for completing the protocol. Therefore as few roundtrips as possible is important. The error probability is related to properties of slotted Aloha used by 6TiSCH, but is not critical for the argument so instead of going into details I will remove it in -01.

    c) conflicting requirements (Section 4.1 - AKE for OSCORE vs. Section 
    4.2 - Lightweight):
    There are trade-offs between communication overhead and security 
    properties, which generally should be explored in more detail before 
    imposing a requirement. As an example, a strict requirement for PFS may 
    necessitate increased communication overhead, since, e.g., a 
    communication failure during an AKC-scheme with strict PFS may preclude 
    reusing this keying material with a retry mechanism.

I didn't really understand this comment, in particular the last sentence. OSCORE is not required to be deployed with PFS, but there are applications were PFS is needed and the increased communication overhead of an AKE is acceptable.

    d) security considerations (Section 6):
    Contrary to what is suggested, the document is mostly about "size" 
    arguments and does not offer a definition of desired algorithmic and 
    operational security properties for sensor networks.

I will reformulate the sentence of this section in -01.

    e) protocol flavors (Section 2):
    The suggested protocol options include authenticated key agreement using 
    symmetric-key, raw public keys, and certified public keys. Another 
    option, which may be worth exploring (even if discarded based on sound 
    rationale) is a key agreement scheme where authentication is based on a 
    short secret authentication string (password) or a short public 
    authentic, yet not secret string that is provided by a user (see, e.g., 
    [3]).

Other credentials may be added later in the process, the ones currently listed are believed to be the most relevant.

    f) COSE algorithms (Section 4.1):
    The algorithms in the current COSE specification (RFC 8152) may not have 
    a rich enough set of primitives to instantiate the sought after 
    authenticated key agreement protocol. As an example, to my 
    understanding, COSE only facilitates use of static-ephemeral co-factor 
    Diffie-Hellman. Thus, some changes to the COSE specification may be 
    required if one wishes to use a protocol that uses co-factor 
    Diffie-Hellman based on ephemeral key shares. (Of course, this may be 
    easily facilitated, esp. if the underlying core crypto primitive is 
    already defined).

From a COSE point the EDHOC use of DH is Static-Static, but, as you remark, this can easily be added to COSE should that assumption change. 

    These comments illustrate that some requirements are less clear-cut than 
    as suggested in draft-selander-lake-reqs-00 and, that, in fact, there 
    may be more to this than just a "smaller is always better" argument.

The intent with this draft was not to write a very detailed requirements specification that one day will become an RFC. Its purpose was to meet a request to compile discussion spread out over different emails, including some general metrics which are expected to have a positive impact on the performance in common settings. 

Göran


    Rene
    
    Ref:
    [1] ETSI EN 300 220-1 V3.1.1 (2017-02);
    [2] ETSI EN 300 220-2 V3.1.1 (2017-02);
    [3] Authenticated Key Agreement - Using Short Authenticated Strings 
    (Serge Vaudenay, Crypto 2005)
    
    On 4/12/2019 12:20 PM, Göran Selander wrote:
    > On request I compiled the requirements for the lightweight AKE for OSCORE discussed on the list into a draft. This is not exactly the formulation by the security ADs but the main requirements should be there.
    >
    > Göran
    >
    > On 2019-04-12, 16:20, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:
    >
    >      
    >      A new version of I-D, draft-selander-lake-reqs-00.txt
    >      has been successfully submitted by Göran Selander and posted to the
    >      IETF repository.
    >      
    >      Name:		draft-selander-lake-reqs
    >      Revision:	00
    >      Title:		Requirements for a Lightweight AKE for OSCORE.
    >      Document date:	2019-04-12
    >      Group:		Individual Submission
    >      Pages:		7
    >      URL:            https://www.ietf.org/internet-drafts/draft-selander-lake-reqs-00.txt
    >      Status:         https://datatracker.ietf.org/doc/draft-selander-lake-reqs/
    >      Htmlized:       https://tools.ietf.org/html/draft-selander-lake-reqs-00
    >      Htmlized:       https://datatracker.ietf.org/doc/html/draft-selander-lake-reqs
    >      
    >      
    >      Abstract:
    >         This document contains the requirements for a lightweight
    >         authenticated key exchange protocol for OSCORE.
    >      
    >                                                                                        
    >      
    >      
    >      Please note that it may take a couple of minutes from the time of submission
    >      until the htmlized version and diff are available at tools.ietf.org.
    >      
    >      The IETF Secretariat
    >      
    >      
    >
    > _______________________________________________
    > Secdispatch mailing list
    > Secdispatch@ietf.org
    > https://www.ietf.org/mailman/listinfo/secdispatch
    
    
    -- 
    email: rstruik.ext@gmail.com | Skype: rstruik
    cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email