Hi Salvador, Michael, Regarding your comments on negotiation and out-of-band. We have gotten similar comments from Klaus Hartke regarding cipher suites and out-of-band. I added your comments to the open issue on GitHub
https://github.com/EricssonResearch/EDHOC/issues/57 We agree with you both, this can and should be optimized, but some kind of negotiation is still needed. The current plan for the next version is to introduce cipher suites and to let the cipher suite with value 0 indicate that algorithms have been negotiated out-of-band. For the constrained deployments targeted by EDHOC, I think this might be the best trade-off between negotiation, overhead, and simplicity. While I think TLS 1.3 did the right thing to split up the cipher suites, I agree that for most constrained IoT deployments, the implemented algorithm(s) will often be the same for all nodes and fixed for long periods of time. As you stated Salvador, this would be an an important optimization. The message sizes would look as follows: PSK RPK x5t x5chain -------------------------------------------------------------------- message_1 43 38 38 38 message_2 47 121 127 117 + Certificate chain message_3 12 86 92 82 + Certificate chain -------------------------------------------------------------------- Total 102 245 257 237 + Certificate chains Figure 6: Typical message sizes in bytes Cheers, John Michael Richardson wrote: > we have implemented a previous version of EDHOC > (draft-selander-ace-cose-ecdhe) and want to share some experiences. That's very cool. Some questions for you! > Our work so far has focused on implementation and evaluation of version > -08 of EDHOC over CoAP using real IoT hardware. The obtained results > show a significant performance improvement compared to other key > establishment protocols, such as DTLS handshake (version 1.2), > especially with respect to length and number of exchanged messages. What did you use for authentication? RSA? ECDSA? EDDSA? PSK? Were they raw public keys, or was it in a certificate? Did you try a certificate in one direction and a raw public key in the other? Did you offer more than 1 algorithm when you negotiated? > We have reviewed version -10 and noted the reduction of message > length. Based on our experience, we propose that also removing the > overhead due to security parameter negotiation could be an important > optimization, and relevant in many use cases where these parameters are > available through an out-of-band process. If the list of valid algorithms is available securely by out-of-band processes, then couldn't use this mechanism to do key agreement instead, saving 100% of the bytes on the wire? :-) We need to do security parameter negotiation in order to be agile against future algorithm attacks, and there will be algorithm attacks in the 20 to 40 year lifespans that we expect... and we need to leave space for replacing the DH process with some QMDH process. The CBOR encoding is really really very nice for this, and I wish we had CBOR when we did IKEv2. > Accordingly and taking into account that EDHOC provides a basic > security functionality for any context where security needs to be > enabled, we are currently considering the application of this protocol > in different IoT deployments, such as LoRaWAN networks, OSCORE-enabled > scenarios or its integration with capabilities. We therefore would like > to see the progress of EDHOC in standardization. I don't see how LORaWAN has enough bytes available for even EDHOC. I think that LoRaWAN needs a key agreement protocol that can be run once while the sensor is attached to the installer's smartphone. The important thing is that one is able to use the key agrement protocol over IPs A<->B, in order to setup a context that can be used between IPs C<-->D. _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
