Minutes interim-2021-lake-02: Thu 16:00
minutes-interim-2021-lake-02-202104221600-01
Meeting Minutes | Lightweight Authenticated Key Exchange (lake) WG | |
---|---|---|
Date and time | 2021-04-22 14:00 | |
Title | Minutes interim-2021-lake-02: Thu 16:00 | |
State | Active | |
Other versions | markdown | |
Last updated | 2021-05-04 |
minutes-interim-2021-lake-02-202104221600-01
Lightweight Authenticated Key Exchange (LAKE) - Interim Meeting
Thursday, April 22nd, 2021 -- 14:00 - 15:00 UTC
Chairs:
- Mališa Vučinić
- Stephen Farrell
Useful Links:
Present:
- Mališa Vučinić (MV)
- Stephen Farrell (SF)
- Marco Tiloca (MT)
- Timothy Claeys (TC)
- Armando Miguel Garcia
- Carsten Bormann (CB)
- Göran Selander (GS)
- John Preuss Mattsson (JM)
- Jonathan Hammell
- Peter van der Stok (PS)
- Stefan Hristozov (SH)
- Rikard Höglund
- Michael Richardson (MR)
Agenda:
- Administrivia and Agenda Bash
-- chairs, 5 mins - Interop Report
-- TBD, 5 mins - uEDHOC Performance Evaluation
-- Stefan Hristozov, 10 mins - EDHOC Open Issues
-- TBD, 40 mins - AOB
(Meeting starts 16:04 CEST)
Minutes:
-
Administrivia and Agenda Bash (chairs, 5 mins)
- note well
- agenda bashing
-
Interop Report (Marco Tiloca, 5 mins)
- Five implementations (new implementation from Peter van der Stok)
- Results can be found in the google drive (spreadsheet)
- Test pairs
- Marco - Peter
- All authentication methods
- Ciphersuite 2 & 3 (first time ever)
- Marco - Stefan
- Some reachability issues
- Timothy - Christian
- Marco - Christian
- More testing (Marco, Timothy, Christian) coming up
- MV: C-based implementation, can you elaborate ?
- PS: Based on libcoap, issues with mbedtls for ciphersuite 0 & 1, ran on Pi4 and desktop
- MV: Christian's implementation build on Timothy's py-edhoc?
- MT: Yes
- Marco - Peter
-
uEDHOC Performance Evaluation on Constrained devices (Stefan Hristozov, 10 mins)
- Two EDHOC implementations (for microcontrollers and Linux) + implementation for microcontrollers with TEE
- TEE implementation:
- Seperate sensitive code (secure world) from non-sensitive (non-secure world)
- Overview performance tests:
- Evaluated cipher suite 0
- Native CBOR certificates
- Crypto uses tinycrypt and c25519
- Four different microcontrollers, TEE platform Cortex-M33
- Message sizes analyzed for 4 of 16 different scenarios (overall really short messages)
- Results for devices without TEE --
- Flash usage split in crypto and protocol logic
- RAM requirements, generalLY responder and initiator have similar requirements
- Roughly 4k (Certs)
- Roughly 2.5k (RPKs)
- Computing time, on weaker devices such as Cortex-M0 (when there are signatures and certs), can take a fair amount of time: 39 seconds
- Results for devices with TEE --
- Overhead flash roughly 2K
- Increased RAM usage with TEE (due to the fact that there are 2 seperate stacks with 2 virtual CPUs --> cannot reuse buffers)
- In general no problem for state-of-the-art microcontrollers
- No additional overhead in computing when using TEE
-
Implementations without TEE are open source:
- permissive licenses
- WIP integration with Zephyr OS (WIP)
-
MV: really useful to have an exhaustive performance study.
- MV: Surprised by the 39s results on the Cortex-M0, you didn't use any OS, so the CPU was monopolized by the calculations ?
- SH: Reasons for slow time: no acceleration, only 16Mhz CPU
- JM: Dominating factor is crypto?
- SH: Yes, scale of the X-asxis is logarithmic, scales from 1.3ms (for protocol logic) to more than 30s (for the crypto)
- MV: Timothy do you have any results on EDHOC-C
- TC: Only on flash size (roughly the same)
- MR: Reason TEE is not open source?
- SH: I cannot maintain both repositories, takes a lot of time + a political decision --> TEE version might be commercialized, bot no external reason why it cannot be open source
(Time: 16:31 CEST)
-
Main Changes -05 -> -06 (Göran Selander)
- Main changes:
- optional byte: to detect message 1 (depends on applicability statement)
- updates on error codes
- Change on recommendation for CoAp
- unchangesd test vectors
- applicability statement
- deterministic CBOR
- Always determinstic CBOR (e.g. credential encoding)
- Message deduplication
- Appendix on CDDL and change log
- Removed section on documents listing EDHOC
- Circular and not really needed
- Section on TEEs
- Clarifications (reviews PS & MT)
- Update references
- Main changes:
-
EDHOC Open Issues (John Mattsson & Göran Selander, 40 mins)
- No major issues -> mostly optimization
- Issue: EDHOC and availibility -- If processing fails in any way -> discontinue and send error message. This is subject to a DoS attack (attacker sends a single byte and processing will fail). Soften this requirement?
- MV: An attacker can forge an error message and discontinue the handshake?
- JM: Yes, but an attacker can even send a single byte to discontinue the handshake
- JM: Maybe a MAC to error message, maybe not worth the complexity
- MV: what would we gain?
- JM: TLS first no error message with cryptographically protected, now some are
- SF: IPSec you can have unexpected messages (difference with TLS)
- SF: Will applications multiplex protected and unprotected traffic over the same port/URI ?
- JM: Maybe someone else can answer this question better
- JM: Small connection identifiers so easy to spoof (make a message be processed as message 3)
- CB: The use cases exist (multiplexing over same port/URI), normally sort/demultiplex traffic before start interpreting as EDHOC
-
Scope of the applicability statement
- List of things you need to agree on. Changed in draft to a policy framework (cipher suite and credentials were allowed?)
- Applicability statement has been tuned down again (no longer policy statement)
- CB: All TLS libraries allow you disable certain ciphers and I expect EDHOC to allow the same
- PS: How do they agree on the applicability statement?
- CB: Same issue in TLS (switching off older TLS version breaks sometimes the protocol)
- PS: not clear if C_1 is used
- GS: Should there be an extensive list of parameters to agree on?
- GS: from the applicability statement (e.g. on this URI), C_1 is used or not used, should be clear from the context
- MV: do we want the complexity of the CORR value ?
-
Forbidding multiple calls to EDHOC exporter
- No guidance on how to use the exporter?
- Prefix labels or context parameter (IANA registry)
- MV: personal opinion is that a seperate context parameter makes more sense
-
Next steps
- GS: Small design team/hackaton to solve the issues we keep running into.
- GS: Both hackaton and design questions planned for mid-May
- MV: Next interim early June/end May so the design team and hackaton can report
- JM: Pull request for 2 issues (issues related to intermediate hashes and encoding connection identifiers)
- JM: Need to discuss the level of optimization (now optimization to 45 bytes).
- MV: Optimization level based on 6TiSCH, coordinate offline
- GS: Marco send out doodle for Interim?
- MT: Yes
-
AOB
- None
(Meeting ends)