CoRE Working Group                                              L. Seitz
Internet-Draft                                          SICS Swedish ICT
Intended Status: Informational                               G. Selander
Expires: August 18, 2014                                        Ericsson

                                                       February 14, 2014


Design Considerations for Security Protocols in Constrained Environments
                draft-seitz-ace-design-considerations-00


Abstract

   Considerable effort has been spent on securing existing Internet
   standard authentication and authorization protocols such as TLS,
   Kerberos, and OAuth, among others. It would save a lot of effort if
   these protocols could be profiled to be feasible for constrained
   environments, with some easily obtainable security considerations.

   However, these protocols were typically not designed with constrained
   environments in mind, so profiling of an existing protocol may result
   in a far from optimal solution. Moreover they are not necessarily
   complying with their original design objectives outside their
   intended domain of application.

   This document examines the impact of typical characteristics of
   security protocols (e.g. cryptographic calculations, number and size
   of protocol messages) in a constrained environment.  The goal is to
   provide decision support when different resource usage optimizations
   are possible in the adaptation of a security protocol for this
   setting.


Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress".



Seitz & Selander        Expires August 18, 2014                 [Page 1]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html


Copyright and License Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1  Terminology . . . . . . . . . . . . . . . . . . . . . . . .  4
   2. Background  . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     2.1. Device assumptions  . . . . . . . . . . . . . . . . . . . .  5
     2.2 Relevant Factors . . . . . . . . . . . . . . . . . . . . . .  5
     2.3 Security protocols in constrained environments . . . . . . .  6
   3. Protocol design considerations  . . . . . . . . . . . . . . . .  7
     3.1 Straightforward optimizations  . . . . . . . . . . . . . . .  7
       3.1.1 Smaller messages . . . . . . . . . . . . . . . . . . . .  7
       3.1.2 Fewer messages . . . . . . . . . . . . . . . . . . . . .  7
       3.1.3 Less computations  . . . . . . . . . . . . . . . . . . .  8
       3.1.4 Reduce RAM usage . . . . . . . . . . . . . . . . . . . .  8
       3.1.5 Reduce code size . . . . . . . . . . . . . . . . . . . .  8
     3.2 Trade-offs . . . . . . . . . . . . . . . . . . . . . . . . .  9
       3.2.1 Fewer vs smaller messages  . . . . . . . . . . . . . . .  9
       3.2.2 Crypto vs message exchange . . . . . . . . . . . . . . .  9
       3.2.3 Transmitting vs receiving messages . . . . . . . . . . .  9
       3.2.4 Distributing costs over deployment life time . . . . . . 10
       3.2.5 Outsourcing heavy computations . . . . . . . . . . . . . 10
       3.2.6 DoS mitigation and anti-spoofing in the Internet . . . . 10
       3.2.7 Outsourcing key management . . . . . . . . . . . . . . . 11
       3.2.8 Verifying authorization  . . . . . . . . . . . . . . . . 11



Seitz & Selander        Expires August 18, 2014                 [Page 2]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
     7.1  Normative References  . . . . . . . . . . . . . . . . . . . 13
     7.2  Informative References  . . . . . . . . . . . . . . . . . . 13
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14












































Seitz & Selander        Expires August 18, 2014                 [Page 3]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


1.  Introduction

   When adapting security protocols for constrained nodes, one has to
   take into account the various resource limitations.  While it might
   be tempting to optimize the usage of a certain resource (e.g.
   minimizing RAM consumption), such an approach might produce a less-
   than-optimal overall solution, compared to a more holistic approach
   that leverages the combined effect of different optimization
   possibilities.

   The goal of this document is to summarize some characteristics of
   security protocols and weigh their impact against each other in order
   to allow effective trade-offs when adapting existing protocols to a
   constrained setting.  While there is some overlap with the scope of
   the Lightweight Implementation Guidance WG, this document is aimed
   more at security protocol profiling and design than actual
   implementation decisions that are the main focus of LWIG.

1.1  Terminology

   Certain security-related terms are to be understood in the sense
   defined in [RFC4949].  These terms include, but are not limited to,
   "authentication", "authorization", "confidentiality", "encryption",
   "data integrity", "message authentication code", and "verify".

   Terminology for constrained environments is defined in [I-D.ietf-
   lwig-terminology] e.g. "constrained device".


2. Background

   We are assuming a multi-party protocol setting with at least the
   following parties

      a) a resource server hosting resources
      b) a client seeking access to some resource, and
      c) an authorization server acting Trusted Third Party (TTP) for
         key distribution and access control handling.

   The resource server and/or the client is assumed to be constrained,
   but the authorization server is not.

   The authorization server can provide authentication and authorization
   means (e.g. cryptographic keys, access control information,
   certificates) for the other parties.

   There are various authentications and authorizations taking place in
   this multi-party protocol.  For example, the client and



Seitz & Selander        Expires August 18, 2014                 [Page 4]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


   authorization server mutually authenticates and and the client is
   being authorized by the authorization server.  The resource server
   needs authenticate information provided by the authorization server,
   based on a previously established relationship (e.g. shared symmetric
   keys).  Finally when the client communicates with the resource
   server, the client's authorization needs to be verified, which might
   include authentication of the client.

   Note: Security protocols designed to handle authentication and
   authorization between two mutually unknown less-constrained peers are
   not necessarily adapted to the current setting, where optimizations
   can be made by relying on an relatively unconstrained TTP.

2.1. Device assumptions

   Devices may be constrained in different ways, as described in the
   LWIG terminology document [I-D.ietf-lwig-terminology].  This work is
   targeting class 1 devices, but may be applicable even the most
   constrained class of devices (C0) if supported by relevant proxy
   functionality.  Class 2 devices probably do not need any special
   considerations, since they can mostly support the same protocols as
   unconstrained devices.

   A device for which these considerations apply could e.g. run the
   following protocol stack, potentially supported by a proxy:

      o The application layer protocol is CoAP [I-D.ietf-core-coap],
        using UDP at the transport layer.
      o CoAP will be running on top of DTLS [RFC6347].
      o IPv6 [RFC4291] is assumed to be the Internet layer protocol on
        top of the adaptation layer 6LoWPAN [RFC4944].
      o IEEE 802.15.4 [IEEE802] is assumed as the Link layer protocol
        for wireless communication.  We assume that a large proportion
        of the target devices will communicate over wireless channels.


2.2 Relevant Factors

   From the LWIG terminology draft [I-D.ietf-lwig-terminology] we can
   list the following resources that need to be considered in general:

      o RAM memory (required state and buffers for running protocols)
      o Flash/ROM memory (required libraries and code complexity)
      o Computational power (required processing speed)
      o Electrical energy (battery consumption, if not mains-powered)
      o User interface and physical accessibility (for performing manual
        operations directly on the device)
      o Network (bit rate, loss rate, dynamic topology, fragmentation,



Seitz & Selander        Expires August 18, 2014                 [Page 5]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


        lack of advanced services)

   The consumers of these resources in the case of security protocols
   can be summarized as follows:

      o Cryptographic algorithms
          - based on symmetric cryptography
          - based on asymmetric cryptography
          - (orthogonal) implemented by a co-processor (e.g. AES, SHA,
            ECC)
      o Composing/parsing protocol messages (e.g. Base64 en/decoding,
        JSON, ASN.1, CBOR)
      o Sending/receiving protocol messages
      o Listening, while waiting to receive protocol messages


2.3 Security protocols in constrained environments

   One of the potential advantages with extending basic Internet
   Protocols to constrained nodes is that other standardized protocols
   can be applied too.

   In particular in the case of security protocols, there is a
   considerable effort spent to eliminate flaws and weaknesses that
   could otherwise be exploited for attacking the system.  It would save
   a lot of effort if it was possible to profile these protocols for
   running efficiently in a constrained environment while maintaining
   their security properties.

   However, the profiling of a protocol may result in a far from optimal
   solution.  For example assume that a constrained profile of a
   security protocol is made by reducing the message sizes.  Such a
   protocol may still be badly suited for constrained devices e.g.
   because the number of round trips is what makes the latency high, and
   reducing that would essentially change the security properties of the
   protocol.

   Moreover, as many of these protocols were not designed for a
   constrained environment, they are not necessarily complying with
   their original design objectives outside their intended domain of
   application.  Even security objectives that applied to the Internet
   may be violated: e.g. a DoS mitigation measure that is based on a
   processing commitment by a client (a "puzzle", see e.g. [RFC5201])
   may be inappropriate if the server is much more constrained than the
   client.

   This memo is intended to support the adaptation of an existing
   security protocol for a constrained environment by providing some



Seitz & Selander        Expires August 18, 2014                 [Page 6]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


   considerations on resource consumption.  Furthermore this memo
   documents the assumptions that were made as a basis for these
   considerations.


3. Protocol design considerations

3.1 Straightforward optimizations

   This section lists some potential targets for resource optimizations.

3.1.1 Smaller messages

   Reducing message size will reduce composing/parsing and
   sending/receiving costs which is favorably impacting energy
   consumption and latency.  Some specific considerations:

      o Smaller than CoAP payload size (1024 bytes) avoids fragmentation
        at the application layer.
      o Smaller than the maximum MAC-layer frame size (e.g. 127 bytes
        for IEEE 802.15.4) avoids fragmentation at the link layer.
      o The largest messages are potentially those containing
        certificates or authorization tokens, so reducing their size
        significantly will have a large impact.

3.1.2 Fewer messages

   Removing message exchanges or round trips have potentially large
   impact on energy consumption and latency.

   Reducing the number of messages in a given security protocol is in
   general not possible without changing the essential security
   properties of the protocol.  Experiments by Google with TLS false
   start [I-D.bmoeller-tls-falsestart] and TLS snap start [I-D.agl-tls-
   snapstart] illustrate the difficulty of trying to reduce the number
   of messages in an established security protocol.

   Challenge-response based authentication protocols may potentially be
   replaced with other protocols with alternative measures to ensure
   freshness, such as time or sequence numbers.  Such an approach would
   require fewer message passes, but ensuring freshness can be
   problematic, since some constrained devices may not be able to
   reliably measure time.

   On the other hand, there are long lifetime battery powered IEEE
   802.15.4e devices implementing Time Slotted Channel Hopping (TSCH)
   which has good time synchronization properties, since that is
   required for communication.



Seitz & Selander        Expires August 18, 2014                 [Page 7]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


3.1.3 Less computations

   One way of reducing the complexity of required computations is to
   reduce the number of public key operations used during normal
   operations, e.g. by keeping existing sessions alive, or generating
   session resumption state on a less constrained device.  The drawback
   in this case is that either more RAM or more sending and receiving of
   messages are needed.

   An alternative is to replace public key operations with symmetric key
   operations.  Significant reductions in resource consumption can be
   achieved by using symmetric cryptography instead of asymmetric
   cryptography, since asymmetric cryptography generally requires larger
   libraries (e.g. BigInteger, elliptic curves), and consumes more RAM,
   processing power and energy than symmetric algorithms.

   However, it is not always possible to make this replacement as some
   of the properties of asymmetric cryptography, such as non-repudiation
   of signatures, and non-confidential key distribution do not apply for
   symmetric keys.  It may require a change in trust model, where a TTP
   is assumed e.g. for key management.

3.1.4 Reduce RAM usage

   Reducing the usage of RAM memory can be achieved by reducing the size
   of variable state information required by a protocol.  Different
   security protocols and -modes have different requirements in this
   respect.  Optimizations may potentially be done by profiling certain
   options of the protocol to predefined, default values.

   Another possibility is to simplify parsing and processing of protocol
   messages, leading to smaller libraries that need to be loaded into
   memory.  Further the size of the protocol messages, e.g. certificates
   and authorization tokens, directly affects the size of the buffers
   that need to be allocated for receiving and sending them, so keeping
   them small also helps.


3.1.5 Reduce code size

   The overall size of the code is influenced mainly by the size of the
   libraries needed for cryptography and parsing messages (ASN.1, JSON,
   XML).  In general asymmetric cryptography requires larger libraries
   (e.g. BigInteger, Elliptic curves) than symmetric cryptography.
   Minimal libraries for parsing ASN.1 and JSON are roughly comparable
   in size (around 6 kB) while even minimal XML parsers generally have a
   significantly larger size.




Seitz & Selander        Expires August 18, 2014                 [Page 8]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


3.2 Trade-offs

   This section looks at the more difficult question how to weigh
   different optimizations against each other.  We emphasize in this
   section the potential role of the authorization server as an enabler
   for some of the optimizations.

3.2.1 Fewer vs smaller messages

   When comparing reduction of message size versus sending fewer
   messages in total, if one takes into account the overhead of setting
   up a bearer, it is more efficient to send longer messages than
   shorter messages.  Considering fragmentation it is better to send
   messages shorter than the fragmentation limit.  Therefore optimal
   message size seems to be just below the fragmentation limit.  Note
   that fragmentation carries an additional performance penalty in
   excess of just adding the overhead of sending several fragments,
   since fragmenting a message increases the risk that a fragment is
   lost and that the message as a whole needs to be retransmitted.

3.2.2 Crypto vs message exchange

   It is known that in wireless constrained devices, the energy
   consumption for sending and receiving messages is high, and
   significantly higher than symmetric crypto operations [Margi10impact]
   and [Meu08engery].  Hence if it is possible to send fewer messages at
   the cost of delegating some symmetric crypto to the constrained
   device, such a trade off is favorable.  The potential drawback is
   increased latency and code size.  The latter could probably be
   avoided by reusing existing symmetric algorithms that are needed
   anyway.

   Results from [Meu08engery] indicate that energy consumption for
   public key operations is on par or greater than message exchange for
   a particular security protocol.  However, the efficiency of
   processing is increasing: The processing power follows Moore's law
   (up to point) and depends on the manufacturing technology while the
   transmission/reception power is based on laws of physics laws that
   don't change with manufacturing. So processing will be more and more
   energy efficient (up to a point) while the transmission/reception
   remains almost stable in terms of energy efficiency.

3.2.3 Transmitting vs receiving messages

   Results comparing energy consumption of transmitting versus receiving
   messages seem contradictory. While [Margi10impact] indicates that
   receiving a message is much cheaper in energy consumption, than
   sending, [Meu08engery] seems to suggest that both costs are roughly



Seitz & Selander        Expires August 18, 2014                 [Page 9]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


   on par.

   An important point from [Meu08engery] is that one should consider the
   cost of listening for the next message in a protocol, while the other
   party is performing some computations. It is not obvious how much
   impact smart listening techniques such as Low Power Listening (LPL)
   or X-MAC [Bue06xmac] have.

   Our conclusion on this issue is that is warrants further
   investigation in order to determine whether it should influence
   protocol design and profiling or not.

3.2.4 Distributing costs over deployment life time

   Provisioning (e.g. access control lists) has a cost which potentially
   may be amortized over the lifetime of a deployment.  Security
   protocol establishment (e.g. DTLS handshake) may similarly have a
   high cost that but can be acceptable, if the established session can
   be used for a long time.  The drawback is that storage or RAM memory
   is consumed to save the state of the provisioned data or the
   established protocol.

3.2.5 Outsourcing heavy computations

   A method of saving computational effort is to outsource computations
   to a less constrained TTP e.g. authorization decisions and policy
   management to the authorization server.  Note however that this may
   be changing the trust model of the original protocol, and if the
   constrained device needs the result of the outsourced computation,
   this information must be transported in a secure way which in turn
   incurs a non-negligible cost.

3.2.6 DoS mitigation and anti-spoofing in the Internet

   As we have seen it is important in a wireless constrained environment
   to restrict the number of messages sent and received in a protocol.

   Some Internet security protocols include DoS mitigation or anti-
   spoofing mechanisms such as cookies (cf. [RFC6347]) or puzzles (cf.
   [RFC5201]) which adds message size and/or round trips.  These
   mechanisms were in general not designed for a constrained environment
   and may potentially make the protocol unnecessarily heavy without
   efficiently providing the desired effect.

   In fact the existence of a TTP allows for more efficient mechanisms,
   e.g. that a client first commits or proves source address to the
   authorization server which can assert such properties in an
   authorization token verified by a constrained server.



Seitz & Selander        Expires August 18, 2014                [Page 10]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


3.2.7 Outsourcing key management

   Securing communication between two mutually unknown less-constrained
   peers has a high cost in terms of additional round trips, e.g. to
   protect against requests from spoofed initiators, DoS mitigation,
   challenge response protocols etc.  In addition, both parties are
   often contributing to the generation of key material, which requires
   exchange of data used in key generation.  These costs are a
   consequence of the trust model and is clearly not adapted to the
   current setting, where optimizations can be made by relying on an
   relatively unconstrained authorization server.

   In addition to providing authorization decisions, the authorization
   server may support authentication and authorization between resource
   server and client by e.g.

      o providing symmetric keys to support authentication (cf.
        Kerberos).
      o providing protected assertions containing statements about
        client and server, including public key certificates.

3.2.8 Verifying authorization

   As noted above, it is desirable to verify authorization of a request
   as early as possible in a protocol, to reduce unnecessary message
   exchanges and processing.  However, if that involves verifying a
   digital signature, then the operation is in itself heavily resource
   consuming and would preferably only take place after it is known that
   the request is authorized.  This is obviously a "catch 22" and there
   are various options to attempt to design around this.

   In the present case, where we assume a TTP with a previously
   established relationship - say a shared symmetric key - with the
   resource server, the legitimacy of the request may e.g. be indicated
   with a Message Authentication Code instead of a digital signature
   over an authorization decision.

   Authentication of client and server may still require verification of
   digital signature if public keys are used.  However, as noted above,
   the authorization server may also support key distribution and
   provide symmetric keys for authentication (cf. Kerberos).


4.  Security Considerations

   This memo deals with design considerations for security protocols,
   including security trade-offs that can be made to save resources,
   some of which will come at the cost of weakening security.



Seitz & Selander        Expires August 18, 2014                [Page 11]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


   Since a security protocol itself consume resources, one factor that
   needs to be taken into consideration is the possibility for attackers
   to use these very security protocols in order to mount a denial of
   service attack.

   Each profiled or modified security protocol must bear its own
   security considerations.  Protocol designers need to carefully
   evaluate the feasibility of stronger (and thus more resource
   consuming) security against the risks incurred by a weaker security
   that is more easy to implement or execute on a constrained node.


5.  IANA Considerations

   This document has no actions for IANA.


6.  Acknowledgements The authors would like to thank Sumit Shingal and
   Vlasios Tsiatsis for contributing to the discussion and giving
   helpful comments.































Seitz & Selander        Expires August 18, 2014                [Page 12]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


7.  References

7.1  Normative References


   [I-D.ietf-core-coap]
              Shelby, Z., Hartke, K., Bormann, C., and B. Frank,
              "Constrained Application Protocol (CoAP)", draft-ietf-
              core-coap-18 (work in progress), June 2013.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, February 2006.

   [RFC4944]  Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler,
              "Transmission of IPv6 Packets over IEEE 802.15.4
              Networks", RFC 4944, September 2007.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", FYI
              36, RFC 4949, August 2007.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.


7.2  Informative References

   [I-D.ietf-lwig-terminology]
              Bormann, C., Ersue, M., and A. Keranen, "Terminology for
              Constrained Node Networks", draft-ietf-lwig-terminology-07
              (work in progress), February 2014.

   [IEEE802]
              IEEE Computer Society, "IEEE Standard for Local and
              metropolitan area networks  Part 15.4: Low-Rate Wireless
              Personal

   [I-D.bmoeller-tls-falsestart]
              Langley, A., Modadugu, N., and B. Moeller, "Transport
              Layer Security (TLS) False Start", draft-bmoeller-tls-
              falsestart-00 (expired draft), June 2010.

   [I-D.agl-tls-snapstart]
              Langley, A., "Transport Layer Security (TLS) Snap Start",
              draft-agl-tls-snapstart-00 (expired draft), June 2010.

   [Meu08engery]
              Meulenaer, G., Gosset ,F., Standaert, F., and L.
              Vandendorpe, "On the Energy Cost of Communication and



Seitz & Selander        Expires August 18, 2014                [Page 13]


INTERNET DRAFT     AAA Design Considerations for CoRE  February 14, 2014


              Cryptography in Wireless Sensor Networks", proceedings of
              the IEEE International Conference on Wireless and Mobile
              Computing, 2008.

   [Margi10impact]
              Margi, C., Oliveira, B., Sousa, G., Simplicio, M.,
              Barreto, P., Carvalho, T., Naeslund, M., and R. Gold,
              "Impact of Operating Systmes on Wireless Sensor Networks
              (Security) Applications and Testbeds", proceedings of the
              19th International Conference on Computer Communications
              and Networks (ICCCN), 2010.

   [Bue06xmac]
              Buettner, M., Yee, G., Anderson, E., and R. Han, "X-MAC: A
              Short Preamble MAC Protocol for Duty-Cycled Wireless
              Sensor Networks", proceedings of SenSys'06, 2006


   [RFC5201]  Moskowitz, R., Nikander, P., Jokela, P., Ed., and T.
              Henderson, "Host Identity Protocol", RFC 5201, April 2008.



Authors' Addresses

   Ludwig Seitz
   SICS Swedish ICT AB
   Scheelevagen 17
   22370 Lund
   SWEDEN
   EMail: ludwig@sics.se

   Goeran Selander
   Ericsson
   Farogatan 6
   16480 Kista
   SWEDEN
   EMail: goran.selander@ericsson.com













Seitz & Selander        Expires August 18, 2014                [Page 14]