Re: [Secdispatch] EDHOC Summary
Jim Schaad <ietf@augustcellars.com> Thu, 28 March 2019 11:37 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28B6F120276 for <secdispatch@ietfa.amsl.com>; Thu, 28 Mar 2019 04:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rkbBOKMoIYH for <secdispatch@ietfa.amsl.com>; Thu, 28 Mar 2019 04:37:09 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C08F12024E for <secdispatch@ietf.org>; Thu, 28 Mar 2019 04:37:08 -0700 (PDT)
Received: from Jude (31.133.151.98) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 28 Mar 2019 04:37:01 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: secdispatch@ietf.org
References: <359EC4B99E040048A7131E0F4E113AFC01B3311A9F@marchand>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B3311A9F@marchand>
Date: Thu, 28 Mar 2019 12:36:57 +0100
Message-ID: <002701d4e55a$8e886db0$ab994910$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKfGLPmwj7uBgha/YkI9i6FfschWqSMg5/w
Content-Language: en-us
X-Originating-IP: [31.133.151.98]
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/HjsFeAn1XeZmy-bNW-GRsu7-Fcw>
Subject: Re: [Secdispatch] EDHOC Summary
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2019 11:37:12 -0000
I am strongly in agreement with doing this. > -----Original Message----- > From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Roman > Danyliw > Sent: Thursday, March 28, 2019 11:32 AM > To: secdispatch@ietf.org > Subject: [Secdispatch] EDHOC Summary > > Hi! > > We have observed the continued discussion and interest in the topics > discussed at the March 2019 Virtual Interim Secdispatch meeting [1]. Our > assessment of the current state of this discuss and as well as proposed next > steps are below. > > Regards, > Roman and Ben > > [1] > https://mailarchive.ietf.org/arch/msg/secdispatch/9AfqrecZfFMlMGxSXOo4 > ENZtrVk > > ==[ Summary of ADs ]== > EDHOC Summary > > -----[ 1. What is the problem we are faced with? > > The community needs an AKE that is 'lightweight' (per slide #3 of [2]) and > enables forward security for constrained environments using OSCORE [13]. > 'Lightweight' refers to: > > ** resource consumption, measured by bytes on the wire, wall-clock time to > complete (i.e., the initial latency added to application protocols by the AKE), > or power (per slide #12 of [2]) > ** the amount of new code required on end systems which already have an > OSCORE stack [4] > > -----[ 2. Is the problem understood and narrowly scoped? > > Use with OSCORE implicitly assumes that this AKE would support: > ** transport over CoAP, and > ** COSE algorithms > > The specific constrained environments that we are considering use NB-IoT, > 6TiSCH, and LoRaWAN. The desire is to optimize the AKE to be 'as [small] ... > as reasonably achievable' (per [3]) in these environments. > > ** With respect to 6TiSCH, IETF consensus on the 6TiSCH WG charter has > already identified the need to "secur[e] the join process and mak[e] that fit > within the constraints of high latency, low throughput and small frame sizes > that characterize IEEE802.15.4 TSCH." [12]. > ** With respect to NB-IoT and LoRaWAN, IETF consensus on the LPWAN WG > charter has identified the need to improve the transport capabilities of LPWA > networks such as NB-IoT and LoRa whose "common traits include ... frame > sizes ... [on] the order of tens of bytes transmitted a few times per day at > ultra-low speeds" [16]. This indicates IETF interest in supporting these radio > environments, though no security-specific requirements are included in the > charter. > > It may be necessary to evaluate options that make different trade-offs > across a number of dimensions. > > ** Per 'bytes on the wire', it is desirable for these AKE messages to fit into > the MTU size of these protocols; and if not possible, within as few frames as > possible. Note that using multiple MTUs can have significant costs in terms of > time and power (listed below). For 6TiSCH specifically, as a time-sliced > network, this metric (or rather, the quantization into frame count) is > particularly noteworthy, since more frames contribute to congestion for > spectrum (and concomitant error rates) in a non-linear way, especially in > scenarios when large numbers of independent nodes are attempting to > execute an AKE to join a network. > > ** Per 'time', it is desirable for the AKE message exchange(s) to complete in > a reasonable amount of time, both for a single uncongested exchange and > when multiple exchanges are running in an interleaved fashion. This latency > may not be a linear function depending on congestion and the specific radio > technology used. For LoRaWAN, which is legally required to use a 1% (or > smaller) duty cycle, a payload split into two fragments instead of one > increases the time to complete the sending of this payload by 10,000% (per > slide #10 of [2]). > > ** Per 'power', it is desirable for the transmission of AKE messages and > crypto to draw as little power as possible The best mechanism for doing so > differs across radio technologies. For example, NB-IoT uses licensed > spectrum and thus can transmit at higher power to improve coverage, > making the transmitted byte count relatively more important than for other > radio technologies. In other cases, the radio transmitter will be active for a > full MTU frame regardless of how much of the frame is occupied by message > content, which makes the byte count less sensitive for the power > consumption. Increased power consumption is unavoidable in poor network > conditions, such as most wide-area settings including LoRaWAN. > > ** Per 'new code', it is desirable to introduce as little new code as possible > onto OSCORE-enabled devices to support this new AKE. These devices have > on the order of 10s of kB of memory and 100s of kB of storage on which an > embedded OS; a COAP stack; CORE and AKE libraries; and target applications > would run. It is expected that the majority of this space is available for actual > application logic, as opposed to the support libraries. > > A key question to answer is whether any new solution will reduce these > properties to a sufficient extent to merit investment. > > -----[ 3. Do we believe it is possible to engineer a solution? > > EDHOC [1] appears to be an existence proof that it is possible to produce an > AKE that meaningfully reduces the costs across at least two dimensions > identified in question #1 and 2 (bytes and time). > > EDHOC appears to favorably outperform TLS/CoAP, the current technology, > relative to these dimensions. > > ** Per 'bytes on the wire', MTU sizes and their alignment to the size of > messages of EDHOC vs. TLS/CoAP can be found in slide #33 of [2], and in [5]. > Additional details for 6TiSCH in particular can be found in slide 36-37 of [2]. > > ** Per 'time', the latency due to back-off time estimates with EDHOC vs. > TLS/CoAP using LoRaWAN can be found in slide #39 of [2] > > ** Per 'power', estimates of the power usage of EDHOC vs TLS/CoAP using > NB-IoT can be found in slide #35 of [2] > > ** Per 'new code', being able to reuse primitives from the existing COSE > stack is expected to benefit the code size for EDHOC, but no hard data is yet > available for comparison. > > Exploratory work with cTLS [10] and femtoTLS [11] has suggested that certain > optimizations used in EDHOC can also be applied to a TLS/CoAP-variant. How > this impacts the original assumptions and security analysis for (D)TLS is > unknown. > > -----[ 4. Is this particular proposal a good basis for working on? > > EDHOC shows gains in defining an AKE with forward secrecy that is > 'reasonably small[er]' than the baseline of (D)TLS. Specifically, it appears that > EDHOC would enable: > ** for 6TiSCH, a more efficient network join operation, with network join > traffic fitting in one frame per flight (that is, the optimal possible behavior) in > up to a 5-hop network [17] > ** for LoRaWAN, an AKE with forward secrecy that avoids the unacceptable > backoff-induced latency > > A limited interop was performed on draft-selander-ace-cose-ecdhe-05 > (EDHOC) at IETF 98 between [14] and [15]. Despite the inherent challenges > of producing a new AKE that is secure, there is reason to have confidence in > the security claims made by EDHOC -- the security properties of -08 were > formally verified by [8][9]. Identified issues from this formal analysis [8] > were addressed in -11. The CFRG crypto review panel conducted two > reviews [6][7]. These reviews confirmed that the security claims are > reasonable, attested that the identified issues found in the formal analysis > [8] were fixed, and provided additional recommendations. > > Re-encoding of the TLS handshake as suggested by cTLS [10] may be > possible. However, as of yet, cTLS is an incomplete specification, cTLS has no > formal security analysis, and is technically a new protocol. > > -----[ Conclusion > > There appears to be an understood and scoped problem that is feasible to > engineer. Among the available starting points to address the problem > defined in question #1, EDHOC presents a viable choice. > > Chartering a narrowly scoped, short-lived WG in this space with EDHOC as a > starting point seems to be an attractive path forward, but we would like to > receive community feedback on the degree of support for this approach. > > -----[ References > [1] https://www.ietf.org/id/draft-selander-ace-cose-ecdhe-13.txt > [2] https://datatracker.ietf.org/meeting/interim-2019-secdispatch- > 01/materials/slides-interim-2019-secdispatch-01-sessa-edhoc.pdf > [3] https://mailarchive.ietf.org/arch/msg/secdispatch/-GPqswnS- > DRvrAKsPbdoes4Y4lE > [4] https://mailarchive.ietf.org/arch/msg/secdispatch/rJqvstLHo7aLfu-ODril- > wIVn_0 > [5] https://docs.google.com/document/d/1wLoIexMLG3U9iYO5hzGzKjkvi- > VDndQBbYRNsMUlh-k > [6] > https://mailarchive.ietf.org/arch/msg/cfrg/6WN2C2RYGTIAInE2jIUco6L9pO8 > [7] > https://mailarchive.ietf.org/arch/msg/cfrg/2OY2om1FjhNNBmUzwYJroHv7e > WQ > [8] https://alessandrobruni.name/papers/18-edhoc.pdf > [9] https://github.com/theisgroenbech/edhoc-proverif > [10] https://tools.ietf.org/html/draft-rescorla-tls-ctls-01 > [11] https://github.com/bifurcation/mint/compare/ftls > [12] https://datatracker.ietf.org/doc/charter-ietf-6tisch/ > [13] https://datatracker.ietf.org/doc/draft-ietf-core-object-security/ > [14] https://github.com/alexkrontiris/EDHOC-C > [15] https://github.com/jimsch/EDHOC-csharp > [16] https://datatracker.ietf.org/doc/charter-ietf-lpwan/ > [17] https://datatracker.ietf.org/doc/draft-ietf-6tisch-dtsecurity-zerotouch- > join > > ==[ End ]== > > _______________________________________________ > Secdispatch mailing list > Secdispatch@ietf.org > https://www.ietf.org/mailman/listinfo/secdispatch
- [Secdispatch] EDHOC Summary Roman Danyliw
- Re: [Secdispatch] EDHOC Summary Jim Schaad
- Re: [Secdispatch] EDHOC Summary Michael Richardson
- Re: [Secdispatch] EDHOC Summary Alexey Melnikov
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Jim Schaad
- Re: [Secdispatch] EDHOC Summary Salz, Rich
- Re: [Secdispatch] EDHOC Summary John Mattsson
- Re: [Secdispatch] EDHOC Summary Kathleen Moriarty
- Re: [Secdispatch] EDHOC Summary Michael Richardson
- Re: [Secdispatch] EDHOC Summary Antonio Skarmeta
- Re: [Secdispatch] EDHOC Summary sandoche Balakrichenan
- Re: [Secdispatch] EDHOC Summary Benjamin Kaduk
- Re: [Secdispatch] EDHOC Summary DAN GARCIA CARRILLO
- Re: [Secdispatch] EDHOC Summary Stephen Farrell
- Re: [Secdispatch] EDHOC Summary Kathleen Moriarty
- Re: [Secdispatch] EDHOC Summary Carsten Bormann
- Re: [Secdispatch] EDHOC Summary Jesús Sánchez-Gómez
- Re: [Secdispatch] [core] EDHOC Summary Jari Arkko
- Re: [Secdispatch] [core] EDHOC Summary Pascal Thubert (pthubert)
- Re: [Secdispatch] [core] EDHOC Summary Laurent Toutain
- Re: [Secdispatch] [lp-wan] [core] EDHOC Summary ana minaburo
- Re: [Secdispatch] [lp-wan] [core] EDHOC Summary Renzo Navas
- Re: [Secdispatch] EDHOC Summary Roman Danyliw
- [Secdispatch] EDHOC Summary Blomqvist, Peter
- Re: [Secdispatch] EDHOC Summary Shahid Raza
- Re: [Secdispatch] EDHOC Summary Martin Thomson
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary John Mattsson
- Re: [Secdispatch] EDHOC Summary Christopher Wood
- Re: [Secdispatch] EDHOC Summary Martin Thomson
- Re: [Secdispatch] EDHOC Summary John Mattsson
- Re: [Secdispatch] EDHOC Summary Carsten Bormann
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Eric Rescorla
- Re: [Secdispatch] EDHOC Summary Richard Barnes
- Re: [Secdispatch] EDHOC Summary Eric Rescorla
- Re: [Secdispatch] EDHOC Summary Richard Barnes
- Re: [Secdispatch] EDHOC Summary Michael Richardson
- Re: [Secdispatch] EDHOC Summary Richard Barnes
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Tero Kivinen
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Tero Kivinen
- Re: [Secdispatch] EDHOC Summary Carsten Bormann
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Jim Schaad
- Re: [Secdispatch] EDHOC Summary Owen Friel (ofriel)
- Re: [Secdispatch] EDHOC Summary Hannes Tschofenig
- Re: [Secdispatch] EDHOC Summary Hannes Tschofenig
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Hannes Tschofenig
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Hannes Tschofenig
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Hannes Tschofenig
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Hannes Tschofenig
- Re: [Secdispatch] EDHOC Summary Göran Selander
- Re: [Secdispatch] EDHOC Summary Hannes Tschofenig
- Re: [Secdispatch] EDHOC Summary Benjamin Kaduk
- Re: [Secdispatch] EDHOC Summary Benjamin Kaduk
- Re: [Secdispatch] EDHOC Summary Benjamin Kaduk