Markdown Version | Session Recording

Session Date/Time: 17 Sep 2024 13:00

LAKE

Summary

This interim meeting focused on two key technical topics: a presentation and discussion on Password Authenticated Key Exchanges (PKEs) and their relevance to Ed-Hoc, followed by preliminary evaluation results of two Pre-Shared Key (PSK) authentication variants for Ed-Hoc. The working group clarified its direction on PSK usage, indicating a preference for high-entropy keys and considering PKEs for future human-password use cases. Initial performance evaluations favored PSK Variant 2 due to better identity protection. The meeting also included planning for IETF 121 in Dublin, deciding to request a 90-minute slot, and a brief discussion on the future of the GREASE draft within the working group.

Key Discussion Points

• Agenda Bash:
  • Christian Amsüss requested to add a discussion on the future of the GREASE draft in LAKE at the end of the meeting, which was accepted and placed before AOB.
• PKEs Presentation by Scott Flinn (Cisco Systems):
  • Context: LAKE is extending Ed-Hoc to include PSK authentication for session resumption and initial authentication.
  • Current Proposals (Variant 1 & 2): Perform anonymous ECDH, stir PSK into derived keys, exchange encrypted data. Assumed to fail on PSK mismatch and protect against passive eavesdropping.
  • Weakness (for human-selected PSKs): Vulnerable to active offline dictionary attacks if the PSK is guessable. An attacker can mimic a peer, capture authentication data, and then offline-guess the PSK.
  • PKE Solution: Bind key exchange and password to prevent separation, requiring an online attempt for each password guess, making dictionary attacks infeasible.
  • Limitations & Costs of PKEs: Cannot help if PSK is already known (e.g., sticky note). Requires larger changes to Ed-Hoc, takes longer to specify, uses more exotic crypto, and does not provide anonymity (responder needs to know which PSK to use).
  • CFRG Activities: CFRG endorsed CPACE (balanced PKE, both sides know password) and OPAQUE (augmented PKE, one side knows password). Neither are RFCs yet.
  • CPACE Integration in Ed-Hoc (Example): CPACE modifies the Diffie-Hellman generator based on the password and a random value (Sid). Requires minor protocol changes but uses an ATOR function, which is not common in most crypto libraries.
  • OPAQUE: Assumes one side knows the password and the other does not (e.g., client registration with server). Model might not fit current LAKE PSK use cases.
• Discussion: Do we need a PKE for Ed-Hoc?:
  • It was reiterated that for high-entropy, machine-generated PSKs (e.g., for session resumption, automated provisioning), current Ed-Hoc PSK proposals are secure and PKEs are not needed.
  • For human-selected passwords, PKEs provide significantly better security against dictionary attacks.
  • Rafa: Current Ed-Hoc PSK discussions assumed high-entropy keys. Referenced TLS 1.3 security considerations on sufficient entropy.
  • Christian Amsüss: The Ed-Hoc PSK document should not just state keys must be high-entropy, but point to PKE material if human-selected passwords are ever considered, providing a path forward.
  • Stephen Farrell: Questioned if "in-between" use cases exist (e.g., short codes printed on devices). No one came forward with such compelling use cases.
  • Paul Wouters: Asked if PKEs are always strong enough given limited device connections.
  • Christian Amsüss & John Preuß Mattsson: Ed-Hoc can support many connections, so offline attacks are still a concern. PKEs might lose identity protection and use more exotic/less-trusted crypto.
• Preliminary Evaluation Results of draft-lopez-lake-ad-hoc-psk-01 by Ela Lopez:
  • Goal: Integrate and evaluate two PSK variants (Variant 1 and Variant 2) for Ed-Hoc.
  • Variants:
    • Variant 1: ID_CRED_PSK sent in the clear in Message 1. Authentication happens earlier.
    • Variant 2: ID_CRED_PSK sent encrypted in Message 3. Authentication delayed.
  • Evaluation Environment: NRF52840 hardware (Cortex-M4, 64MHz), embedded TLS library (not cryptocell). Cipher suite: ECDH on P-256, SHA-256, AES-128-CCM.
  • Metrics: Security/Privacy, Message Size, Energy Consumption, Memory Consumption, Number of Operations.
  • Preliminary Results:
    • Message Size: V1 (93 bytes), V2 (88 bytes). V1 has an extra byte for ID_CRED_PSK and 9 extra bytes for Mac 2. V2 has 5 extra bytes from concatenated ciphertexts.
    • Number of Operations: Both variants have 2 asymmetric and 4 symmetric operations.
    • Memory/Energy: Still in process for detailed dynamic memory. Energy consumption (measured with power profiler) showed similar initiator time, with V1 having slightly lower charge than V2 for the initiator.
    • Security/Privacy: V1 offers less identity protection (ID_CRED_PSK in clear). V2 offers better identity protection, but authentication timing is later.
  • Scott Flinn's Comment: Variant 2 is slightly stronger against dictionary attacks as the attacker would need to mimic the responder.
  • Rafa Leal: Noted that if comparing 3 messages, V2 needs a Message 4 to achieve equivalent mutual authentication and implicit key confirmation as V1's 3 messages.
  • John Preuß Mattsson: V2 seems to be better for performance and identity protection. Formal verification will be important.
  • Sense of the room: Preference for Variant 2 due to better identity protection and slightly better performance. Authors encouraged to focus on V2.
• Next Steps: IETF 121 Planning in Dublin:
  • Topics: Remote attestation (Joan), zero-touch join (Joan), PSK draft (Ela), potential new drafts, fast testing tools (Upsala University).
• Future of GREASE in LAKE (draft-amsuss-lake-grease-extensions):
  • Christian Amsüss: The document registers extensions that do nothing to prevent collisions and ensure robustness, similar to TLS GREASE. Code points need registering.
  • Christian's Question: Should the working group continue this, or should it go to ISE?
  • Militia: The topic fits the LAKE charter.
  • Stephen Farrell: Encouraged working group members to read the draft.
• Any Other Business:
  • Yoran Johnsson: Mentioned interest in Key Management Protocol for IEEE 802.15.4 in IEEE, where Ed-Hoc is a candidate. Encouraged interested parties to reach out to Tera and Yoran for offline discussions.

Decisions and Action Items

• PSK for Ed-Hoc:
  • Decision: The working group will proceed with PSK-based authentication primarily for use cases involving high-entropy, machine-generated keys.
  • Action Item (Authors of PSK draft):
    • Update the draft to clarify that PSK is assumed to be a high-entropy key suitable for the protocol.
    • Consider including a reference to PKEs in the security considerations section of the PSK document, indicating their suitability for human-selected passwords and explaining why the current proposal is not designed for that.
    • Focus further development and evaluation on Variant 2 of the PSK authentication method based on preliminary evaluation results and working group preference.
• IETF 121 Meeting Planning:
  • Decision: The chairs will request a 90-minute meeting slot for LAKE at IETF 121 in Dublin to accommodate planned and new agenda items.
  • Action Item (Chairs): Request the 90-minute meeting slot by the deadline and avoid Friday afternoon.
• GREASE Draft (draft-amsuss-lake-grease-extensions):
  • Decision: The working group will continue with the GREASE draft as it fits the charter.
  • Action Item (Christian Amsüss): Update the draft and submit a new version to prevent expiry.
  • Action Item (Christian Amsüss): Prepare a brief presentation for IETF 121 in Dublin to discuss the draft further and potentially call for working group adoption.

Next Steps

• Authors of the PSK draft are encouraged to incorporate the working group's feedback, focusing on Variant 2 and clarifying security considerations for high-entropy keys, and publish a new version before the IETF 121 cutoff.
• Christian Amsüss to update and submit the GREASE draft, and prepare for discussion at IETF 121.
• The chairs will finalize the IETF 121 meeting request and work with authors to build the agenda.
• Further exploration of PKEs will be considered if compelling use cases for human-selected passwords with Ed-Hoc are identified and brought to the working group.
• Individuals interested in Key Management for IEEE 802.15.4 are encouraged to reach out to Tera and Yuran.