IETF Logo Mail Archive

Re: [Secdispatch] EDHOC Summary

Göran Selander <goran.selander@ericsson.com> Thu, 28 March 2019 18:55 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99F53120302 for <secdispatch@ietfa.amsl.com>; Thu, 28 Mar 2019 11:55:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.022
X-Spam-Level:
X-Spam-Status: No, score=-1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EvTEC9kLch7q for <secdispatch@ietfa.amsl.com>; Thu, 28 Mar 2019 11:55:06 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0627.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1e::627]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5DEF12000F for <secdispatch@ietf.org>; Thu, 28 Mar 2019 11:55:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kdmuzRn0zsYpkxCon6eA6CvtXljIZXLUVlFJKlZjY+E=; b=Ws2ctJZAaLdIn2sPhCC5ZTjlomxm6mvSE1M35AL4IXq5Vs8dicjepsmZuFmeXp6whSM/EFAfxckWxqUIMykGaeopePPLKb+hAZQBrGZvMYuSxLG3+xa1vZQIkStxppw7+HeQ1BEYJTHkh4ra2ZVS5xpJubyn907hClqfqVm0WlU=
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com (20.176.166.25) by HE1PR07MB3513.eurprd07.prod.outlook.com (10.170.247.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.14; Thu, 28 Mar 2019 18:55:02 +0000
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::2464:1071:5050:f397]) by HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::2464:1071:5050:f397%2]) with mapi id 15.20.1771.006; Thu, 28 Mar 2019 18:55:02 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Roman Danyliw <rdd@cert.org>, Benjamin Kaduk <kaduk@mit.edu>, "secdispatch@ietf.org" <secdispatch@ietf.org>
CC: Jim Schaad <ietf@augustcellars.com>
Thread-Topic: [Secdispatch] EDHOC Summary
Thread-Index: AdTlTpiwSQddzTDHR8ys25qjhhiyAAAC/P2AABFlNgA=
Date: Thu, 28 Mar 2019 18:55:02 +0000
Message-ID: <12B0A47F-8734-488A-AAD2-4FD5DF690FDD@ericsson.com>
References: <359EC4B99E040048A7131E0F4E113AFC01B3311A9F@marchand> <002701d4e55a$8e886db0$ab994910$@augustcellars.com>
In-Reply-To: <002701d4e55a$8e886db0$ab994910$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.0.190309
x-originating-ip: [62.168.35.125]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6c3fffea-90ae-485b-de1b-08d6b3aee2a9
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:HE1PR07MB3513;
x-ms-traffictypediagnostic: HE1PR07MB3513:
x-ms-exchange-purlcount: 19
x-microsoft-antispam-prvs: <HE1PR07MB351349264CC94CE2CA8045C5F4590@HE1PR07MB3513.eurprd07.prod.outlook.com>
x-forefront-prvs: 0990C54589
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(396003)(376002)(366004)(346002)(39860400002)(189003)(78114003)(199004)(13464003)(11346002)(33656002)(256004)(71200400001)(71190400001)(105586002)(83716004)(110136005)(66574012)(19627235002)(316002)(2171002)(85202003)(410100003)(6246003)(58126008)(106356001)(8936002)(305945005)(81166006)(14444005)(8676002)(14454004)(4326008)(81156014)(7736002)(966005)(6116002)(68736007)(82746002)(85182001)(25786009)(86362001)(66066001)(3846002)(2906002)(2501003)(6306002)(446003)(486006)(478600001)(6512007)(5660300002)(53936002)(97736004)(99286004)(6486002)(102836004)(6346003)(76176011)(229853002)(6436002)(36756003)(2616005)(53546011)(561944003)(26005)(476003)(186003)(6506007); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3513; H:HE1PR07MB4172.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=goran.selander@ericsson.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: aubGcyBMYN/5h9GQ+jgtPWu11+SeXg8egeeia7KJkK8xckfcDQa/3T0xikSaKwkbBURBLB9m4S+J9rt3Vc5QZgVL0+sVClyYw7utTTwDird5bi8XUZhzSpGORBilkjSAmalLg3r2ClkVU79SRS5mfFNxwk/nv/s0t8V/W9DU9JE6lbF9t7QiRiU8dZRZIoV4ldlSQY17ZtwwEuDSpzwRhrVwRF+5IzF0QUOmHl7rMSy6AbFmr8dUw12hvwZkZ98WTGzM1bf4Pf3v3p3Cisym9W03XWx2rdi3wnMRchlPBVG8ePGimg15OLn4iUxjUcS8C+ztKyhkftpXvTHjuW57TDWAYxE/3DqYgpiqyOhg+tIYDuY2bRIUtXPVYmk6bQW9VvnG5eNiWjx2Pc79bOJYjhtgvERrkxb9QSpOIYtsJOA=
Content-Type: text/plain; charset="utf-8"
Content-ID: <0EDBD27554F1AD428D6DE2591E2071A3@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6c3fffea-90ae-485b-de1b-08d6b3aee2a9
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Mar 2019 18:55:02.6137 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3513
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/NxEqY9CTeFNU2GT_5akLx6WXKdI>
Subject: Re: [Secdispatch] EDHOC Summary
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2019 18:55:11 -0000

Hi Roman, Ben, 

I agree, this seems to be a good way forward. 

Göran

On 2019-03-28, 12:37, "Secdispatch on behalf of Jim Schaad" <secdispatch-bounces@ietf.org on behalf of ietf@augustcellars.com> wrote:

    I am strongly in agreement with doing this.
    
    > -----Original Message-----
    > From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Roman
    > Danyliw
    > Sent: Thursday, March 28, 2019 11:32 AM
    > To: secdispatch@ietf.org
    > Subject: [Secdispatch] EDHOC Summary
    > 
    > Hi!
    > 
    > We have observed the continued discussion and interest in the topics
    > discussed at the March 2019 Virtual Interim Secdispatch meeting [1].  Our
    > assessment of the current state of this discuss and as well as proposed
    next
    > steps are below.
    > 
    > Regards,
    > Roman and Ben
    > 
    > [1]
    > https://mailarchive.ietf.org/arch/msg/secdispatch/9AfqrecZfFMlMGxSXOo4
    > ENZtrVk
    > 
    > ==[ Summary of ADs ]==
    > EDHOC Summary
    > 
    > -----[ 1. What is the problem we are faced with?
    > 
    > The community needs an AKE that is 'lightweight' (per slide #3 of [2]) and
    > enables forward security for constrained environments using OSCORE [13].
    > 'Lightweight' refers to:
    > 
    > ** resource consumption, measured by bytes on the wire, wall-clock time to
    > complete (i.e., the initial latency added to application protocols by the
    AKE),
    > or power (per slide #12 of [2])
    > ** the amount of new code required on end systems which already have an
    > OSCORE stack [4]
    > 
    > -----[ 2. Is the problem understood and narrowly scoped?
    > 
    > Use with OSCORE implicitly assumes that this AKE would support:
    > ** transport over CoAP, and
    > ** COSE algorithms
    > 
    > The specific constrained environments that we are considering use NB-IoT,
    > 6TiSCH, and LoRaWAN.  The desire is to optimize the AKE to be 'as [small]
    ....
    > as reasonably achievable' (per [3]) in these environments.
    > 
    > ** With respect to 6TiSCH, IETF consensus on the 6TiSCH WG charter has
    > already identified the need to "secur[e] the join process and mak[e] that
    fit
    > within the constraints of high latency, low throughput and small frame
    sizes
    > that characterize IEEE802.15.4 TSCH." [12].
    > ** With respect to NB-IoT and LoRaWAN, IETF consensus on the LPWAN WG
    > charter has identified the need to improve the transport capabilities of
    LPWA
    > networks such as NB-IoT and LoRa whose "common traits include ... frame
    > sizes ... [on] the order of tens of bytes transmitted a few times per day
    at
    > ultra-low speeds" [16]. This indicates IETF interest in supporting these
    radio
    > environments, though no security-specific requirements are included in the
    > charter.
    > 
    > It may be necessary to evaluate options that make different trade-offs
    > across a number of dimensions.
    > 
    > ** Per 'bytes on the wire', it is desirable for these AKE messages to fit
    into
    > the MTU size of these protocols; and if not possible, within as few frames
    as
    > possible.  Note that using multiple MTUs can have significant costs in
    terms of
    > time and power (listed below). For 6TiSCH specifically, as a time-sliced
    > network, this metric (or rather, the quantization into frame count) is
    > particularly noteworthy, since more frames contribute  to congestion for
    > spectrum (and concomitant error rates) in a non-linear way, especially in
    > scenarios when large numbers of independent nodes are attempting to
    > execute an AKE to join a network.
    > 
    > ** Per 'time', it is desirable for the AKE message exchange(s) to complete
    in
    > a reasonable amount of time, both for a single uncongested exchange and
    > when multiple exchanges are running in an interleaved fashion.  This
    latency
    > may not be a linear function depending on congestion and the specific
    radio
    > technology used.  For LoRaWAN, which is legally required to use a 1% (or
    > smaller) duty cycle, a payload split into two fragments instead of one
    > increases the time to complete the sending of this payload by 10,000% (per
    > slide #10 of [2]).
    > 
    > ** Per 'power', it is desirable for the transmission of AKE messages and
    > crypto to draw as little power as possible  The best mechanism for doing
    so
    > differs across radio technologies.  For example, NB-IoT uses licensed
    > spectrum and thus can transmit at higher power to improve coverage,
    > making the transmitted byte count relatively more important than for other
    > radio technologies.  In other cases, the radio transmitter will be active
    for a
    > full MTU frame regardless of how much of the frame is occupied by message
    > content, which makes the byte count less sensitive for the power
    > consumption.  Increased power consumption is unavoidable in poor network
    > conditions, such as most wide-area settings including LoRaWAN.
    > 
    > ** Per 'new code', it is desirable to introduce as little new code as
    possible
    > onto OSCORE-enabled devices to support this new AKE.  These devices have
    > on the order of 10s of kB of memory and 100s of kB of storage on which an
    > embedded OS; a COAP stack; CORE and AKE libraries; and target applications
    > would run.  It is expected that the majority of this space is  available
    for actual
    > application logic, as opposed to the support libraries.
    > 
    > A key question to answer is whether any new solution will reduce these
    > properties to a sufficient extent to merit investment.
    > 
    > -----[ 3. Do we believe it is possible to engineer a solution?
    > 
    > EDHOC [1] appears to be an existence proof that it is possible to produce
    an
    > AKE that meaningfully reduces the costs across at least two dimensions
    > identified in question #1 and 2 (bytes and time).
    > 
    > EDHOC appears to favorably outperform TLS/CoAP, the current technology,
    > relative to these dimensions.
    > 
    > ** Per 'bytes on the wire', MTU sizes and their alignment to the size of
    > messages of EDHOC vs. TLS/CoAP can be found in slide #33 of [2], and in
    [5].
    > Additional details for 6TiSCH in particular can be found in slide 36-37 of
    [2].
    > 
    > ** Per 'time', the latency due to back-off time estimates with EDHOC vs.
    > TLS/CoAP using LoRaWAN can be found in slide #39 of [2]
    > 
    > ** Per 'power', estimates of the power usage of EDHOC vs TLS/CoAP using
    > NB-IoT can be found in slide #35 of [2]
    > 
    > ** Per 'new code', being able to reuse primitives from the existing COSE
    > stack is expected to benefit the code size for EDHOC, but no hard data is
    yet
    > available for comparison.
    > 
    > Exploratory work with cTLS [10] and femtoTLS [11] has suggested that
    certain
    > optimizations used in EDHOC can also be applied to a TLS/CoAP-variant.
    How
    > this impacts the original assumptions and security analysis for (D)TLS is
    > unknown.
    > 
    > -----[ 4. Is this particular proposal a good basis for working on?
    > 
    > EDHOC shows gains in defining an AKE with forward secrecy that is
    > 'reasonably small[er]' than the baseline of (D)TLS.  Specifically, it
    appears that
    > EDHOC would enable:
    > ** for 6TiSCH, a more efficient network join operation, with network join
    > traffic fitting in one frame per flight (that is, the optimal possible
    behavior) in
    > up to a 5-hop network [17]
    > ** for LoRaWAN, an AKE with forward secrecy that avoids the unacceptable
    > backoff-induced latency
    > 
    > A limited interop was performed on draft-selander-ace-cose-ecdhe-05
    > (EDHOC) at IETF 98 between [14] and [15].  Despite the inherent challenges
    > of producing a new AKE that is secure, there is reason to have confidence
    in
    > the security claims made by EDHOC -- the security properties of -08 were
    > formally verified by [8][9].  Identified issues from this formal analysis
    [8]
    > were addressed in -11.  The CFRG crypto review panel conducted two
    > reviews [6][7].  These reviews confirmed that the security claims are
    > reasonable, attested that the identified issues found in the formal
    analysis
    > [8] were fixed, and provided additional recommendations.
    > 
    > Re-encoding of the TLS handshake as suggested by cTLS [10] may be
    > possible.  However, as of yet, cTLS is an incomplete specification, cTLS
    has no
    > formal security analysis, and is technically a new protocol.
    > 
    > -----[ Conclusion
    > 
    > There appears to be an understood and scoped problem that is feasible to
    > engineer.  Among the available starting points to address the problem
    > defined in question #1, EDHOC presents a viable choice.
    > 
    > Chartering a narrowly scoped, short-lived WG in this space with EDHOC as a
    > starting point seems to be an attractive path forward, but we would like
    to
    > receive community feedback on the degree of support for this approach.
    > 
    > -----[ References
    > [1] https://www.ietf.org/id/draft-selander-ace-cose-ecdhe-13.txt
    > [2] https://datatracker.ietf.org/meeting/interim-2019-secdispatch-
    > 01/materials/slides-interim-2019-secdispatch-01-sessa-edhoc.pdf
    > [3] https://mailarchive.ietf.org/arch/msg/secdispatch/-GPqswnS-
    > DRvrAKsPbdoes4Y4lE
    > [4]
    https://mailarchive.ietf.org/arch/msg/secdispatch/rJqvstLHo7aLfu-ODril-
    > wIVn_0
    > [5] https://docs.google.com/document/d/1wLoIexMLG3U9iYO5hzGzKjkvi-
    > VDndQBbYRNsMUlh-k
    > [6]
    > https://mailarchive.ietf.org/arch/msg/cfrg/6WN2C2RYGTIAInE2jIUco6L9pO8
    > [7]
    > https://mailarchive.ietf.org/arch/msg/cfrg/2OY2om1FjhNNBmUzwYJroHv7e
    > WQ
    > [8] https://alessandrobruni.name/papers/18-edhoc.pdf
    > [9] https://github.com/theisgroenbech/edhoc-proverif
    > [10] https://tools.ietf.org/html/draft-rescorla-tls-ctls-01
    > [11] https://github.com/bifurcation/mint/compare/ftls
    > [12] https://datatracker.ietf.org/doc/charter-ietf-6tisch/
    > [13] https://datatracker.ietf.org/doc/draft-ietf-core-object-security/
    > [14] https://github.com/alexkrontiris/EDHOC-C
    > [15] https://github.com/jimsch/EDHOC-csharp
    > [16] https://datatracker.ietf.org/doc/charter-ietf-lpwan/
    > [17]
    https://datatracker.ietf.org/doc/draft-ietf-6tisch-dtsecurity-zerotouch-
    > join
    > 
    > ==[ End ]==
    > 
    > _______________________________________________
    > Secdispatch mailing list
    > Secdispatch@ietf.org
    > https://www.ietf.org/mailman/listinfo/secdispatch
    
    _______________________________________________
    Secdispatch mailing list
    Secdispatch@ietf.org
    https://www.ietf.org/mailman/listinfo/secdispatch

v2.23.0 | Report a Bug | By Email