Re: [Secdispatch] brief feedback on draft-selander-lake-reqs-00
Göran Selander <goran.selander@ericsson.com> Tue, 16 April 2019 13:08 UTC
Return-Path: <goran.selander@ericsson.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCDD912002E for <secdispatch@ietfa.amsl.com>; Tue, 16 Apr 2019 06:08:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.022
X-Spam-Level:
X-Spam-Status: No, score=-1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1qWmgI22_P54 for <secdispatch@ietfa.amsl.com>; Tue, 16 Apr 2019 06:08:18 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130083.outbound.protection.outlook.com [40.107.13.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60CF6120362 for <secdispatch@ietf.org>; Tue, 16 Apr 2019 06:08:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dFM7A1Lv0K4iVUVtyjqOzZlL4K0t1P472+PWeR1F0MY=; b=R2Mgcm9H5Em69a76FELqbkRUG0mXEa3FlbIPs5HrUawVh7alJAihCxjy1VsSLUCeo/cl6E1p8246UNZ2MnL9AbsGkdYJfK9TzZHIdQGIgMKRyPIN7LGlLPw5sBOx92jCCfZTf2gGf0Spokj1vc1PoMoRmJhNBuzFzQaVyQoNXyY=
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com (20.176.166.25) by HE1PR07MB0955.eurprd07.prod.outlook.com (10.162.27.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1813.9; Tue, 16 Apr 2019 13:08:12 +0000
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::c587:c2ec:e227:84fd]) by HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::c587:c2ec:e227:84fd%4]) with mapi id 15.20.1813.003; Tue, 16 Apr 2019 13:08:12 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Rene Struik <rstruik.ext@gmail.com>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: brief feedback on draft-selander-lake-reqs-00
Thread-Index: AQHU87p9WntCI6fI+k+wO/iZR8tY5qY+5PSA
Date: Tue, 16 Apr 2019 13:08:12 +0000
Message-ID: <EB9FBD43-5D5D-46D4-9741-A57B5F1CB0BB@ericsson.com>
References: <155507882604.16959.2935532240318784994.idtracker@ietfa.amsl.com> <D054DAE0-DD1C-494E-8E42-FA15DB0F618F@ericsson.com> <7a604b70-1c6a-e799-f30c-c9369e62d8d0@gmail.com>
In-Reply-To: <7a604b70-1c6a-e799-f30c-c9369e62d8d0@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.1.190326
authentication-results: spf=none (sender IP is ) smtp.mailfrom=goran.selander@ericsson.com;
x-originating-ip: [213.89.213.86]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 260b7b7a-61dc-4606-1527-08d6c26c94bd
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600140)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:HE1PR07MB0955;
x-ms-traffictypediagnostic: HE1PR07MB0955:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <HE1PR07MB0955D1DEE73F1637E1097918F4240@HE1PR07MB0955.eurprd07.prod.outlook.com>
x-forefront-prvs: 000947967F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(366004)(346002)(376002)(136003)(396003)(189003)(199004)(71200400001)(11346002)(105586002)(53936002)(316002)(6506007)(58126008)(2616005)(476003)(71190400001)(2501003)(85202003)(82746002)(85182001)(106356001)(486006)(76176011)(68736007)(25786009)(6512007)(966005)(6306002)(14454004)(14444005)(256004)(5660300002)(83716004)(478600001)(325944009)(86362001)(229853002)(99286004)(6436002)(7736002)(8676002)(305945005)(6246003)(53546011)(81166006)(26005)(102836004)(8936002)(81156014)(36756003)(66066001)(66574012)(6486002)(33656002)(3846002)(186003)(2906002)(110136005)(446003)(97736004)(6116002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB0955; H:HE1PR07MB4172.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: PNBVn91ZbPaGZGN3Z8c7bmiQNwuMWi+4K9rmHfKIrCVHLm1KUAJN6T97wGBeww5RXbpyekYQLwOdTPtYl8Zc1ecUexwRCZjPAqvxeNeFtSDx6THCQ7lePRFVTO0wjMAXf++msLOs9+9sjDGZGkjziupAW4Apif7EMrYOjdId3Mi/JEKu3FccKUsTGiC5TBWO6iy+aCauKfK3MER3jGL4gDX//JnszLUy8TJnFA33i5beV7TrIXe8wGNzq5//y1OQLOuN+h95nCG2plGEXw/XfBN5a60E9G2DWL0eLW85c7FP8CLby5K0Rp2MUiZ5nYYoGMH/jDJu8dnzL03VCQEEEESIx2EtiNCivOhLhDKkPVa3eHWUDsG4C1P+00ANDer0tIORn2kMam4SLm+CzJl7F1LtAKJv09yr2+PrcMbXWFI=
Content-Type: text/plain; charset="utf-8"
Content-ID: <9C65F72D12641140BA9C8F0DB0497827@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 260b7b7a-61dc-4606-1527-08d6c26c94bd
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Apr 2019 13:08:12.5238 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB0955
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/2cn3QJKYfTsjnOBHwUkHwwLdMQQ>
Subject: Re: [Secdispatch] brief feedback on draft-selander-lake-reqs-00
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2019 13:08:22 -0000
Hi Rene, Please find responses inline. On 2019-04-15, 20:39, "Rene Struik" <rstruik.ext@gmail.com> wrote: Dear Goran: Some brief remarks on draft-selander-lake-reqs: a) duty cycle (see Section 4.2.1 - LoRaWaN): Duty cycle depends on context (e.g., duty cycle during Tx of a single frame is always 100%). According to ETSI [1], Section 5.4.1, duty cycle is relative to observation time window (Tobs) of 1 hour, where conformance ([1], Section 5.4.2), is defined relative to normal use during operational lifetime, where "the representative period shall be the most active one in normal use of the device. As a guide "Normal use" is considered as representing the behaviour of the device during transmission of 99 % of transmissions generated during its operational lifetime", and where "Procedures such as setup, commissioning and maintenance are not considered part of normal operation". This does suggest that inter-frame spacing is not necessarily 99 frames for each frame sent, as this section seems to claim. In fact, if key agreement is only done as part of network formation, it falls outside the duty cycle regulatory requirement. Two applications of EDHOC in the context of LoRaWAN were mentioned at the interim meeting. One is for the rekeying of LoRaWAN AppKey, the other is for end-to-end security on application layer between device and cloud service, where LoRaWAN is the last hop. In both cases the message sizes over the LoRaWAN link are relevant for the performance. While the first case may be exempted, the second is independent of network formation. I will make this more clear in -01. b) few messages/few frames (Section 4.2 - Discussion): The suggestion that a 3-message protocol is a requirement seems to be more an opinion/preference by the author, since lacking detailed technical justification. {If sending an additional frame causes "the probability of errors [to] increase exponentially", the medium access control layer seems to be unfit for use. Or, do you mean that if error probability is p, one gets prob no error in t frames equals (1-p)^t? If so, with small p with viable networks and small t, one definitely has (1-p)^t ~ 1 - t*p (i.e., almost linear degradation rather than the more dramatically sounding exponential).} For NB-IoT, the performance characteristics are not sensitive to the distribution of content into frames, but the time until encrypted traffic data can be sent is highly dependent on the number of roundtrips for completing the protocol. Therefore as few roundtrips as possible is important. The error probability is related to properties of slotted Aloha used by 6TiSCH, but is not critical for the argument so instead of going into details I will remove it in -01. c) conflicting requirements (Section 4.1 - AKE for OSCORE vs. Section 4.2 - Lightweight): There are trade-offs between communication overhead and security properties, which generally should be explored in more detail before imposing a requirement. As an example, a strict requirement for PFS may necessitate increased communication overhead, since, e.g., a communication failure during an AKC-scheme with strict PFS may preclude reusing this keying material with a retry mechanism. I didn't really understand this comment, in particular the last sentence. OSCORE is not required to be deployed with PFS, but there are applications were PFS is needed and the increased communication overhead of an AKE is acceptable. d) security considerations (Section 6): Contrary to what is suggested, the document is mostly about "size" arguments and does not offer a definition of desired algorithmic and operational security properties for sensor networks. I will reformulate the sentence of this section in -01. e) protocol flavors (Section 2): The suggested protocol options include authenticated key agreement using symmetric-key, raw public keys, and certified public keys. Another option, which may be worth exploring (even if discarded based on sound rationale) is a key agreement scheme where authentication is based on a short secret authentication string (password) or a short public authentic, yet not secret string that is provided by a user (see, e.g., [3]). Other credentials may be added later in the process, the ones currently listed are believed to be the most relevant. f) COSE algorithms (Section 4.1): The algorithms in the current COSE specification (RFC 8152) may not have a rich enough set of primitives to instantiate the sought after authenticated key agreement protocol. As an example, to my understanding, COSE only facilitates use of static-ephemeral co-factor Diffie-Hellman. Thus, some changes to the COSE specification may be required if one wishes to use a protocol that uses co-factor Diffie-Hellman based on ephemeral key shares. (Of course, this may be easily facilitated, esp. if the underlying core crypto primitive is already defined). From a COSE point the EDHOC use of DH is Static-Static, but, as you remark, this can easily be added to COSE should that assumption change. These comments illustrate that some requirements are less clear-cut than as suggested in draft-selander-lake-reqs-00 and, that, in fact, there may be more to this than just a "smaller is always better" argument. The intent with this draft was not to write a very detailed requirements specification that one day will become an RFC. Its purpose was to meet a request to compile discussion spread out over different emails, including some general metrics which are expected to have a positive impact on the performance in common settings. Göran Rene Ref: [1] ETSI EN 300 220-1 V3.1.1 (2017-02); [2] ETSI EN 300 220-2 V3.1.1 (2017-02); [3] Authenticated Key Agreement - Using Short Authenticated Strings (Serge Vaudenay, Crypto 2005) On 4/12/2019 12:20 PM, Göran Selander wrote: > On request I compiled the requirements for the lightweight AKE for OSCORE discussed on the list into a draft. This is not exactly the formulation by the security ADs but the main requirements should be there. > > Göran > > On 2019-04-12, 16:20, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote: > > > A new version of I-D, draft-selander-lake-reqs-00.txt > has been successfully submitted by Göran Selander and posted to the > IETF repository. > > Name: draft-selander-lake-reqs > Revision: 00 > Title: Requirements for a Lightweight AKE for OSCORE. > Document date: 2019-04-12 > Group: Individual Submission > Pages: 7 > URL: https://www.ietf.org/internet-drafts/draft-selander-lake-reqs-00.txt > Status: https://datatracker.ietf.org/doc/draft-selander-lake-reqs/ > Htmlized: https://tools.ietf.org/html/draft-selander-lake-reqs-00 > Htmlized: https://datatracker.ietf.org/doc/html/draft-selander-lake-reqs > > > Abstract: > This document contains the requirements for a lightweight > authenticated key exchange protocol for OSCORE. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > > _______________________________________________ > Secdispatch mailing list > Secdispatch@ietf.org > https://www.ietf.org/mailman/listinfo/secdispatch -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- [Secdispatch] FW: New Version Notification for dr… Göran Selander
- [Secdispatch] brief feedback on draft-selander-la… Rene Struik
- Re: [Secdispatch] brief feedback on draft-selande… Göran Selander