Re: [TLS] Consensus Call on MTI Algorithms
Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 03 April 2015 09:14 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D9DA1A1B4B for <tls@ietfa.amsl.com>; Fri, 3 Apr 2015 02:14:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3QN0ZfUilxJO for <tls@ietfa.amsl.com>; Fri, 3 Apr 2015 02:14:26 -0700 (PDT)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC7311A1B45 for <tls@ietf.org>; Fri, 3 Apr 2015 02:14:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1428052467; x=1459588467; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=LbOzclBRI4dLmDGVpzVx3S0NYTTnVEdHdaYf+YZIgYU=; b=KdfXd/TgHOx7u3yxC7THzoUW8V1RjzqYv4/m6vrq2JOENk+jS58FOnoi 5+2HFDjqVHn+aH3zud0asr4T+vo0OZc8aEbKvshBs2rvTK45cYTPMJdNi T5QEV4bwadNb2w4W4z99tLMfmqtJAWyodfWjcNk3yZOMsNEdFaZeloROI E=;
X-IronPort-AV: E=Sophos;i="5.11,516,1422874800"; d="scan'208";a="318819795"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.171 - Outgoing - Outgoing
Received: from uxchange10-fe4.uoa.auckland.ac.nz ([130.216.4.171]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 03 Apr 2015 22:14:24 +1300
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.245]) by uxchange10-fe4.UoA.auckland.ac.nz ([169.254.109.63]) with mapi id 14.03.0174.001; Fri, 3 Apr 2015 22:14:22 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nico Williams <nico@cryptonector.com>, Dave Garrett <davemgarrett@gmail.com>
Thread-Topic: [TLS] Consensus Call on MTI Algorithms
Thread-Index: AQHQbKeDwNeK1AEgwEC7Z+eGtfd7J5032jcAgAAvggCAAAfCAIAAsbcAgAAQGYCAATtLPv//MgCAgAAG/QCAAAfngIAABgwAgAGuO8k=
Date: Fri, 03 Apr 2015 09:14:21 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AAFD49FE@uxcn10-tdc05.UoA.auckland.ac.nz>
References: <CAOgPGoBk+E=cNV1ufBaQ0n7=CJQ34zukPixKCEdpmMLBX=Kg_w@mail.gmail.com> <FDDE70B3-6AB0-4702-A713-70B118CA22C1@gmail.com> <20150402194417.GJ10960@localhost> <201504021612.35877.davemgarrett@gmail.com>, <20150402203412.GK10960@localhost>
In-Reply-To: <20150402203412.GK10960@localhost>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QOyAP9sxBqnPXf5GgmO3FAJqQp4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Consensus Call on MTI Algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2015 09:14:28 -0000
Nico Williams <nico@cryptonector.com> writes: >Sure, that'd be nice (because different manufacturers of IoT devices will >want to know what to implement as a common denominator). The IoT environment doesn't work the way some people seem to think it does. IoT devices can be divided into two classes, those that can't run TLS and those that can. The class "those that can't run TLS" is a lot larger than you think, because a typical target might for example have 15% of an ARM7 TDMI and 18K RAM available, and restrictions like the fact that no operation can tie up the CPU for more than 2ms before it's killed by the system watchdog. So for "TLS" on these devices you've got a large class of systems that have to run some homebrew protocol invented by an embedded systems guy who's read the first three chapters of Applied Cryptography (this became particularly problematic when smart meters started to become widespread and regulators imposed requirements for certificate-based signed messaging and updates onto CPUs like TI MSP430s, Motorola ColdFires, and ARM Cortex-Ms, some clocked as high as 16MHz and with as much as 32kB of RAM (for everything, not just the crypto). The solution with smart meters was to cut corners as much as possible in order to make things fit, skipping certificate verification, assuming hardcoded public keys, and various other measures that are destined to become entertaining Black Hat or Defcon presentations in the future). For the other class, those that can run TLS, the reason for running it isn't to talk to another device running TLS (you use your homebrew protocol for that), it's so they can be controlled via a web interface. For these devices the profile is "whatever we need to implement to talk to a web browser/smart phone/web control/AJAX/whatever". That is the entire device profile. Since the underlying hardware can't handle this, you get approaches like the ones I've talked about in the past, 1024-bit keys for everything (perfectly OK for embedded device security, I've been waiting for the negotiated-ff-dhe draft to be approved so I can push out one that extends it to specify 1024- and 1280- bit parameter sets), pre-encoded cert chains memcpy()'d out into TLS streams (the device has zero PKI functionality because there isn't room), and so on, just whatever you can get away with and have the other side still talk to you (I've seen some truly ingenious solutions applied to systems that have to talk to web browsers but just can't handle the high resource requirements for TLS). If you want to do an IoT TLS profile (what would have been called an embedded device TLS profile before IoT became a buzzword) you need to look at how TLS is used in the embedded world, and for what purposes. Simply dreaming up something and calling it an IoT profile won't work, because vendors are already working with de facto profiles of "whatever we need to do to get things working". Peter.
- [TLS] Consensus Call on MTI Algorithms Joseph Salowey
- Re: [TLS] Consensus Call on MTI Algorithms Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms Russ Housley
- Re: [TLS] Consensus Call on MTI Algorithms Dan Harkins
- Re: [TLS] Consensus Call on MTI Algorithms Aaron Zauner
- Re: [TLS] Consensus Call on MTI Algorithms Kurt Roeckx
- Re: [TLS] Consensus Call on MTI Algorithms Brian Smith
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms Stephen Checkoway
- Re: [TLS] Consensus Call on MTI Algorithms Sean Turner
- Re: [TLS] Consensus Call on MTI Algorithms Yoav Nir
- Re: [TLS] Consensus Call on MTI Algorithms Yaron Sheffer
- Re: [TLS] Consensus Call on MTI Algorithms Martin Thomson
- Re: [TLS] Consensus Call on MTI Algorithms Watson Ladd
- Re: [TLS] Consensus Call on MTI Algorithms Aaron Zauner
- Re: [TLS] Consensus Call on MTI Algorithms Rob Stradling
- Re: [TLS] Consensus Call on MTI Algorithms Yaron Sheffer
- Re: [TLS] Consensus Call on MTI Algorithms Stephen Farrell
- Re: [TLS] Consensus Call on MTI Algorithms Yaron Sheffer
- Re: [TLS] Consensus Call on MTI Algorithms Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Consensus Call on MTI Algorithms Russ Housley
- Re: [TLS] Consensus Call on MTI Algorithms Hubert Kario
- Re: [TLS] Consensus Call on MTI Algorithms Hanno Böck
- Re: [TLS] Consensus Call on MTI Algorithms Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Consensus Call on MTI Algorithms Salz, Rich
- Re: [TLS] Consensus Call on MTI Algorithms Rick Andrews
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Salz, Rich
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Christian Huitema
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Yoav Nir
- Re: [TLS] Consensus Call on MTI Algorithms Aaron Zauner
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Eric Rescorla
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms Yoav Nir
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms James Cloos
- Re: [TLS] Consensus Call on MTI Algorithms Peter Gutmann
- Re: [TLS] Consensus Call on MTI Algorithms Peter Gutmann
- Re: [TLS] Consensus Call on MTI Algorithms Aaron Zauner
- Re: [TLS] Consensus Call on MTI Algorithms Watson Ladd
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms Eric Rescorla
- Re: [TLS] Consensus Call on MTI Algorithms Russ Housley
- Re: [TLS] Consensus Call on MTI Algorithms Daniel Kahn Gillmor