On Wed, Sep 30, 2020 at 3:32 AM Hannes Tschofenig <hannes.tschofe...@arm.com> wrote: > > Hi Watson, > > through Arm I deal with customers who use microcontrollers that have all > sorts of limitations. So, the question is not so much whether these > limitations exist but rather whether you care and what exactly these > limitations are (CPU processing, RAM, flash memory, energy, networking > bandwidth, cost, physical size limitations, limitations caused by the > environment these devices operate in, etc.). > > PSK is the most efficient mechanism we have. Not only does it perform > extremely well when it comes to CPU performance it also reduces the size of > code size, and RAM utilization. Also the bandwidth requirements are minimal. > Of course, regular 32-bit microcontrollers are all able to do public key > crypto operations (see a presentation I did a while ago in the LWIG group -- > https://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pdf). There are, > however, some environments where you just cannot wait multiple seconds for a > handshake to complete.
This presentation doesn't mention many well known optimization opportunities, and seems to show an M3+ device having ~100ms for an operation. Obviously this is more expensive than the M0, but in some cases it's worth paying. Then of course one can optimize the handshake through extensions. RSA verification (not signing) is very cheap. Recommended N doesn't stop people from using PSK when appropriate if other constraints make it the most appropriate choice. > > In discussions in the IETF I notice for some the IoT computing world starts > with Cortex A-class devices, as they are found in Raspberry Pis, tablets and > phones. Those are high performance processors where crypto is lightning fast. > But don't forget the other family of processors, of which there are probably > more than a 80 billion out in the wild already. > > Ciao > Hannes > > -----Original Message----- > From: TLS <tls-boun...@ietf.org> On Behalf Of Watson Ladd > Sent: Wednesday, September 30, 2020 2:29 AM > To: Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> > Cc: tls@ietf.org > Subject: Re: [TLS] The future of external PSK in TLS 1.3 > > On Tue, Sep 29, 2020 at 12:49 PM Blumenthal, Uri - 0553 - MITLL > <u...@ll.mit.edu> wrote: > > > > I share Achim's concerns. > > > > But I believe the explanations will turn out mostly useless in the real > > world, as the "lawyers" of the industry are guaranteed to steer away from > > something "not recommended". > > > > In one word: bad. > > Why is PSK so necessary? There are very few devices that can't handle the > occasional ECC operation. The key management and forward secrecy issues with > TLS-PSK are real. Steering applications that can afford the CPU away from PSK > and toward hybrid modes is a good thing and why this registry exists imho. > > > -- > Astra mortemque praestare gradatim > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. -- Astra mortemque praestare gradatim _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
