Hi,

We have submitted a new version 14 of EDHOC. Most of the changes are based on comments from people implementing version 13 of EDHOC.

- The major change in version 14 is the inclusion of test vectors for both RPK and PSK authentication. Since the last submission, there have been two new implementations of EDHOC (-13) as well as a limited script that generates test vectors. The included test vectors have been verified by an independent implementation done by Martin Disch from University of Fribourg.
- With actual test vectors, the appendix with example messages is not needed and has been removed.
- Based on comments from developers, the appendix explaining parts of COSE has been integrated in the body of the document.
- Text has been added to the IANA sections for cipher suite and method registries including expert review considerations.
- New security consideration on Party U and Party V sending message_1 in parallel to each other. The new considerations also mitigate so-called reflection attacks when PSK authentication is used.
- EDHOC now uses COSE's HMAC algorithms in cipher suites; this should make it easier for developers to understand and enables use of more algorithms. EDHOC can now e.g. be made compliant with the CNSA suite.
- The error message now includes a connection identifier so that the receiving endpoint can always map the error message to the correct protocol run.
- EDHOC now specifies an exact encoding of the COSE_Keys when they are included in the signatures; this was missing in earlier versions.
- Based on implementation comments, a lot of smaller changes have been made to text describing encoding, especially regarding byte strings (non-CBOR byte strings vs. encodings of CBOR byte strings where the encoding itself is a byte string). The goal has been to make the specification correct and easier to understand.

Future plans:

- While the EDHOC message encoding is quite optimized, there are some more bytes that could be shaved off based on the known lengths of CoAP payload, plaintext, PSK ciphertext, signature, ephemeral keys, etc. The plan is to analyze how many bytes could be saved and if changes would complicate implementations.
- We think it is worth investigating the use of OPTLS-style authentication in EDHOC, i.e. authentication provided by a MAC computed from an ephemeral-static ECDH shared secret. Instead of signature authentication keys, U and V would have Diffie-Hellman authentication keys G_U and G_V, respectively. This type of authentication key could easily be used with RPK and would provide significant reductions in message sizes as the 64-byte signature would be replaced by an 8-byte MAC. While the OPTLS proposal by Krawczyk et al. was not chosen for TLS 1.3, there are currently two different individual drafts in the TLS working group suggesting use of this type of authentication. Version 14 of the draft already includes an appendix with a high level description.

Cheers,
John

-----Original Message-----
From: "internet-dra...@ietf.org" <internet-dra...@ietf.org>
Date: Wednesday, 11 September 2019 at 15:46
To: Göran Selander <goran.selan...@ericsson.com>, Göran Selander <goran.selan...@ericsson.com>, John Mattsson <john.matts...@ericsson.com>, Francesca Palombini <francesca.palomb...@ericsson.com>
Subject: New Version Notification for draft-selander-ace-cose-ecdhe-14.txt

A new version of I-D, draft-selander-ace-cose-ecdhe-14.txt has been successfully submitted by John Mattsson and posted to the IETF repository.

Name: draft-selander-ace-cose-ecdhe
Revision: 14
Title: Ephemeral Diffie-Hellman Over COSE (EDHOC)
Document date: 2019-09-11
Group: Individual Submission
Pages: 71
URL: https://www.ietf.org/internet-drafts/draft-selander-ace-cose-ecdhe-14.txt
Status: https://datatracker.ietf.org/doc/draft-selander-ace-cose-ecdhe/
Htmlized: https://tools.ietf.org/html/draft-selander-ace-cose-ecdhe-14
Htmlized: https://datatracker.ietf.org/doc/html/draft-selander-ace-cose-ecdhe
Diff: https://www.ietf.org/rfcdiff?url2=draft-selander-ace-cose-ecdhe-14

Abstract:
This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact, and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, perfect forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios and a main use case is to establish an OSCORE security context. By reusing COSE for cryptography, CBOR for encoding, and CoAP for transport, the additional code footprint can be kept very low.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
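
Added example (not part of the original message or of the EDHOC draft): a sketch of the MAC-from-ephemeral-static-ECDH idea mentioned under "Future plans", where Party V proves possession of its static DH key G_V with an 8-byte tag instead of a 64-byte signature. The key derivation, transcript and function names are assumptions made for illustration and are not EDHOC's key schedule or message format; X25519 follows RFC 7748 and is not constant time here.

```python
import hashlib, hmac, os

P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication (RFC 7748 Montgomery ladder)."""
    s = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (s >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)

def mac_8(static_secret: bytes, ephemeral_secret: bytes, transcript: bytes) -> bytes:
    """8-byte tag keyed by both shared secrets (simplified KDF, an assumption)."""
    key = hashlib.sha256(static_secret + ephemeral_secret).digest()
    return hmac.new(key, transcript, hashlib.sha256).digest()[:8]

def v_respond(v_static_priv: bytes, g_x: bytes):
    """Party V: authenticate with its static DH key instead of a signature."""
    y, g_y = keypair()
    tag = mac_8(x25519(v_static_priv, g_x), x25519(y, g_x), g_x + g_y)
    return g_y, tag

def u_verify(x: bytes, g_x: bytes, g_v: bytes, g_y: bytes, tag: bytes) -> bool:
    """Party U: recompute the tag from its ephemeral key and V's known G_V."""
    expected = mac_8(x25519(x, g_v), x25519(x, g_y), g_x + g_y)
    return hmac.compare_digest(expected, tag)

def demo():
    v, g_v = keypair()          # V's static DH authentication key pair (v, G_V)
    x, g_x = keypair()          # U's ephemeral key pair
    g_y, tag = v_respond(v, g_x)
    _, g_other = keypair()      # some other party's static public key
    return len(tag), u_verify(x, g_x, g_v, g_y, tag), u_verify(x, g_x, g_other, g_y, tag)

if __name__ == "__main__":
    print(demo())
```

The tag verifies only against the G_V whose private key was used, which is what lets the short MAC stand in for the signature; the trade-off is that, unlike a signature, the tag is only checkable by the peer holding the ephemeral private key.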