Hi,

We have submitted a new version 14 of EDHOC. Most of the changes are based on 
comments from people implementing version 13 of EDHOC.

- The major change in version 14 is the inclusion of test vectors for both RPK 
and PSK authentication. Since the last submission, there have been two new 
implementations of EDHOC (-13) as well as a limited script that generates test 
vectors. The included test vectors have been verified by an independent 
implementation done by Martin Disch from the University of Fribourg.

- With actual test vectors, the appendix with example messages is not needed 
and has been removed.

- Based on comments from developers, the appendix explaining parts of COSE has 
been integrated in the body of the document.

- Text has been added to the IANA sections for cipher suite and method 
registries including expert review considerations.

- New security consideration on Party U and Party V sending message_1 in 
parallel to each other. The new considerations also mitigate so-called 
reflection attacks when PSK authentication is used.

- EDHOC now uses COSE's HMAC algorithms in cipher suites; this should make it 
easier for developers to understand and enables use of more algorithms. EDHOC 
can now e.g. be made compliant with the CNSA suite.

- The error message now includes a connection identifier so that the receiving 
endpoint can always map the error message to the correct protocol run.

- EDHOC now specifies an exact encoding of the COSE_Keys when they are included 
in the signatures; this was missing in earlier versions.

- Based on implementation comments, a lot of smaller changes have been made to 
the text describing encoding, especially regarding byte strings (non-CBOR byte 
strings vs. encodings of CBOR byte strings where the encoding itself is a byte 
string). The goal has been to make the specification correct and easier to 
understand.

Future plans:

- While the EDHOC message encoding is quite optimized, there are some more bytes 
that could be shaved off based on the known lengths of CoAP payload, plaintext, 
PSK ciphertext, signature, ephemeral keys, etc. The plan is to analyze how many 
bytes could be saved and if changes would complicate implementations.

- We think it is worth investigating the use of OPTLS-style authentication in 
EDHOC, i.e. authentication provided by a MAC computed from an ephemeral-static 
ECDH shared secret. Instead of signature authentication keys, U and V would 
have Diffie-Hellman authentication keys G_U and G_V, respectively. This type 
of authentication keys could easily be used with RPK and would provide 
significant reductions in message sizes as the 64-byte signature would be 
replaced by an 8-byte MAC. While the OPTLS proposal by Krawczyk et al. was not 
chosen for TLS 1.3, there are currently two different individual drafts in the 
TLS working group suggesting use of this type of authentication. Version 14 of 
the draft already includes an appendix with a high-level description.

Cheers,
John

-----Original Message-----
From: "internet-dra...@ietf.org" <internet-dra...@ietf.org>
Date: Wednesday, 11 September 2019 at 15:46
To: Göran Selander <goran.selan...@ericsson.com>, Göran Selander 
<goran.selan...@ericsson.com>, John Mattsson <john.matts...@ericsson.com>, 
Francesca Palombini <francesca.palomb...@ericsson.com>
Subject: New Version Notification for draft-selander-ace-cose-ecdhe-14.txt

    
    A new version of I-D, draft-selander-ace-cose-ecdhe-14.txt
    has been successfully submitted by John Mattsson and posted to the
    IETF repository.
    
    Name:           draft-selander-ace-cose-ecdhe
    Revision:       14
    Title:          Ephemeral Diffie-Hellman Over COSE (EDHOC)
    Document date:  2019-09-11
    Group:          Individual Submission
    Pages:          71
    URL:            https://www.ietf.org/internet-drafts/draft-selander-ace-cose-ecdhe-14.txt
    Status:         https://datatracker.ietf.org/doc/draft-selander-ace-cose-ecdhe/
    Htmlized:       https://tools.ietf.org/html/draft-selander-ace-cose-ecdhe-14
    Htmlized:       https://datatracker.ietf.org/doc/html/draft-selander-ace-cose-ecdhe
    Diff:           https://www.ietf.org/rfcdiff?url2=draft-selander-ace-cose-ecdhe-14
    
    Abstract:
       This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a
       very compact, and lightweight authenticated Diffie-Hellman key
       exchange with ephemeral keys.  EDHOC provides mutual authentication,
       perfect forward secrecy, and identity protection.  EDHOC is intended
       for usage in constrained scenarios and a main use case is to
       establish an OSCORE security context.  By reusing COSE for
       cryptography, CBOR for encoding, and CoAP for transport, the
       additional code footprint can be kept very low.
    
    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.
    
    The IETF Secretariat
    
    

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
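
Added example (not part of the original message or of the EDHOC draft): a minimal Python sketch of the OPTLS-style authentication mentioned under "Future plans", where V proves possession of the private key behind G_V with an 8-byte MAC over an ephemeral-static X25519 secret instead of a 64-byte signature. The curve choice, the HMAC-SHA-256 key derivation, the transcript layout and all function names are assumptions for illustration, not EDHOC's key schedule or message format.

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 Montgomery ladder. Not constant-time: demo only."""
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64          # clamp the scalar
    kn = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (kn >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def dh(priv: bytes, peer_pub: bytes) -> bytes:
    shared = x25519(priv, peer_pub)
    if shared == bytes(32):                 # small-order peer key: reject
        raise ValueError("all-zero shared secret")
    return shared

def mac8(shared: bytes, transcript: bytes) -> bytes:
    # Assumed demo KDF (not EDHOC's key schedule): HMAC-SHA-256, tag cut to 8 bytes.
    key = hmac.new(b"demo static-DH auth", shared, hashlib.sha256).digest()
    return hmac.new(key, transcript, hashlib.sha256).digest()[:8]

def v_respond(static_priv_v: bytes, eph_pub_u: bytes, g_v: bytes) -> bytes:
    """V proves possession of the private key behind G_V with a MAC, not a signature."""
    return mac8(dh(static_priv_v, eph_pub_u), eph_pub_u + g_v)

def u_verify(eph_priv_u: bytes, eph_pub_u: bytes, g_v: bytes, tag: bytes) -> bool:
    """U recomputes the ephemeral-static secret from its side and checks the tag."""
    return hmac.compare_digest(mac8(dh(eph_priv_u, g_v), eph_pub_u + g_v), tag)

if __name__ == "__main__":
    v_priv, u_eph = os.urandom(32), os.urandom(32)      # constructed sample keys
    g_v, g_x = x25519(v_priv, BASE), x25519(u_eph, BASE)
    tag = v_respond(v_priv, g_x, g_v)
    print(len(tag), u_verify(u_eph, g_x, g_v, tag))
```

Only the holder of V's static private key can compute the tag, so U authenticates V without any signature on the wire; the same construction with G_U authenticates U in the other direction.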
