Pascal Thubert (pthubert) writes: > > Even when the nonce reuse happens, I do not think there is any > > leak of the network-wide keys in that case. What is lost is the > > confidentiality of the those messages sharing nonce, i.e., only > > those messages are broken, not the whole network key. > > I'd really like to understand that. This is too deep for Archie > anyway. I'll change the text to indicate that a nonce-reuse attack > would be possible. Does the below work? > > " The cryptographic mechanisms used by IEEE Std. 802.15.4 include > the 2-byte short address in the calculation of the context. A > nonce-reuse attack may become feasible if a short address is > reassigned to another node while the same network-wide keys > are in operation. "
Looks good. > > > o Many cipher algorithms have some suggested limits on how many > > > bytes should be encrypted with that algorithm before a new key is > > > used. These numbers are typically in the many to hundreds of > > > gigabytes of data. On very fast backbone networks this becomes an > > > important concern. On LLNs with typical data rates in the > > > kilobits/second, this concern is significantly less. However, the > > > LLN may be expected to operate for decades at a time, and > > > operators are advised to plan for the need to rekey. > > > > Note, that TSCH in general allows maximally of 2^40 frames to be > > sent before ASN rolls over. In normal case the maximum packet size > > is 2^7 octets, meaning the total amount of bytes that can be > > transferred over TSCH network is 2^47 octects, meaning 2^43 blocks > > of AES. Currently only cipher supported by the TSCH is AES-CCM-128 > > (altough 802.15.4y will be adding support for other algorithms > > too), but I think the maximum number of blocks recommened for one > > key for AES is more than 2^43, so this should not be a problem at > > all. I.e., the ASN frame counter will be problem before this will > > be problem. Even if using the PHY with 2^11 max frame length that > > gives only 2^47 blocks at maximum. > > Many thanks, Tero, all this is really useful. What about: > > " With TSCH as it stands at the time of this writing, the ASN will > wrap after 2^40 timeslot durations, which means with the > default values around 350 years. Wrapping ASN is not expected > to happen within the lifetime of most LLNs. Yet, should the > ASN wrap, the network must be rekeyed to avoid a nonce-reuse > attack. > > Many cipher algorithms have some suggested limits on how many > bytes should be encrypted with that algorithm before a new key > is used. These numbers are typically in the many to hundreds > of gigabytes of data. On very fast backbone networks this > becomes an important concern. On LLNs with typical data rates > in the kilobits/second, this concern is significantly less. > With IEEE Std. 802.15.4 as it stands at the time of this > writing, the ASN will wrap before the limits of the current L2 > crypto (AES-CCM-128) are reached, so the problem should never > occur. > > In any fashion, if the LLN is expected to operate continuously > for decades then the operators are advised to plan for the > need to rekey. " That looks good also. -- kivi...@iki.fi _______________________________________________ 6tisch mailing list 6tisch@ietf.org https://www.ietf.org/mailman/listinfo/6tisch