| draft-ietf-lwig-security-protocol-comparison-03.txt | draft-ietf-lwig-security-protocol-comparison-04.txt | |||
|---|---|---|---|---|
| LWIG Working Group J. Mattsson | LWIG Working Group J. Mattsson | |||
| Internet-Draft F. Palombini | Internet-Draft F. Palombini | |||
| Intended status: Informational Ericsson AB | Intended status: Informational Ericsson AB | |||
| Expires: September 12, 2019 March 11, 2019 | Expires: September 10, 2020 M. Vucinic | |||
| INRIA | ||||
| March 09, 2020 | ||||
| Comparison of CoAP Security Protocols | Comparison of CoAP Security Protocols | |||
| draft-ietf-lwig-security-protocol-comparison-03 | draft-ietf-lwig-security-protocol-comparison-04 | |||
| Abstract | Abstract | |||
| This document analyzes and compares the sizes of key exchange flights | This document analyzes and compares the sizes of key exchange flights | |||
| and the per-packet message size overheads when using different | and the per-packet message size overheads when using different | |||
| security protocols to secure CoAP. The analyzed security protocols | security protocols to secure CoAP. The analyzed security protocols | |||
| are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, EDHOC, OSCORE, and Group | are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, EDHOC, OSCORE, and Group | |||
| OSCORE. The DTLS and TLS record layers are analyzed with and without | OSCORE. The DTLS and TLS record layers are analyzed with and without | |||
| 6LoWPAN-GHC compression. DTLS is analyzed with and without | 6LoWPAN-GHC compression. DTLS is analyzed with and without | |||
| Connection ID. | Connection ID. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 12, 2019. | This Internet-Draft will expire on September 10, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 26 ¶ | skipping to change at page 2, line 28 ¶ | |||
| 2.2.4. Cached Information . . . . . . . . . . . . . . . . . 12 | 2.2.4. Cached Information . . . . . . . . . . . . . . . . . 12 | |||
| 2.2.5. Resumption . . . . . . . . . . . . . . . . . . . . . 13 | 2.2.5. Resumption . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 2.2.6. Without Connection ID . . . . . . . . . . . . . . . . 14 | 2.2.6. Without Connection ID . . . . . . . . . . . . . . . . 14 | |||
| 2.2.7. DTLS Raw Public Keys . . . . . . . . . . . . . . . . 15 | 2.2.7. DTLS Raw Public Keys . . . . . . . . . . . . . . . . 15 | |||
| 2.3. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 2.3. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 2.3.1. Message Sizes RPK + ECDHE . . . . . . . . . . . . . . 16 | 2.3.1. Message Sizes RPK + ECDHE . . . . . . . . . . . . . . 16 | |||
| 2.3.2. Message Sizes PSK + ECDHE . . . . . . . . . . . . . . 22 | 2.3.2. Message Sizes PSK + ECDHE . . . . . . . . . . . . . . 22 | |||
| 2.3.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 23 | 2.3.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 23 | |||
| 2.4. EDHOC . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | 2.4. EDHOC . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 2.4.1. Message Sizes RPK . . . . . . . . . . . . . . . . . . 24 | 2.4.1. Message Sizes RPK . . . . . . . . . . . . . . . . . . 24 | |||
| 2.4.2. Message Sizes Certificates . . . . . . . . . . . . . 26 | 2.4.2. Message Sizes PSK . . . . . . . . . . . . . . . . . . 25 | |||
| 2.4.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 26 | 2.4.3. message_1 . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 2.4.4. message_1 . . . . . . . . . . . . . . . . . . . . . . 26 | 2.4.4. message_2 . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 2.4.5. message_2 . . . . . . . . . . . . . . . . . . . . . . 26 | 2.4.5. message_3 . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 2.4.6. message_3 . . . . . . . . . . . . . . . . . . . . . . 27 | 2.4.6. Summary . . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 2.4.7. Summary . . . . . . . . . . . . . . . . . . . . . . . 27 | 2.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 2.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 27 | 3. Overhead for Protection of Application Data . . . . . . . . . 27 | |||
| 3. Overhead for Protection of Application Data . . . . . . . . . 28 | 3.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 3.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 28 | 3.2. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 3.2. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 30 | 3.2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 3.2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 30 | 3.2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 29 | |||
| 3.2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 30 | 3.2.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 30 | |||
| 3.2.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 31 | 3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 31 | |||
| 3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 32 | 3.3. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 3.3. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 32 | 3.3.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 3.3.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 32 | 3.3.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 32 | |||
| 3.3.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 33 | 3.3.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 32 | |||
| 3.3.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 33 | 3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 33 | |||
| 3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 34 | 3.4. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 3.4. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 3.4.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 3.4.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 34 | 3.4.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 34 | |||
| 3.4.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 35 | 3.5. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 3.5. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 3.5.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 3.5.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 35 | 3.5.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 35 | |||
| 3.5.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 36 | ||||
| 3.6. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 3.6. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 35 | |||
| 3.7. Group OSCORE . . . . . . . . . . . . . . . . . . . . . . 38 | 3.7. Group OSCORE . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 3.8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 38 | 3.8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 39 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 38 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 6. Informative References . . . . . . . . . . . . . . . . . . . 39 | 6. Informative References . . . . . . . . . . . . . . . . . . . 38 | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 41 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| 1. Introduction | 1. Introduction | |||
| This document analyzes and compares the sizes of key exchange flights | This document analyzes and compares the sizes of key exchange flights | |||
| and the per-packet message size overheads when using different | and the per-packet message size overheads when using different | |||
| security protocols to secure CoAP over UPD [RFC7252] and TCP | security protocols to secure CoAP over UPD [RFC7252] and TCP | |||
| [RFC8323]. The analyzed security protocols are DTLS 1.2 [RFC6347], | [RFC8323]. The analyzed security protocols are DTLS 1.2 [RFC6347], | |||
| DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [RFC8446], | DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [RFC8446], | |||
| EDHOC [I-D.selander-ace-cose-ecdhe], OSCORE | EDHOC [I-D.selander-lake-edhoc], OSCORE [RFC8613], and Group OSCORE | |||
| [I-D.ietf-core-object-security], and Group OSCORE | ||||
| [I-D.ietf-core-oscore-groupcomm]. | [I-D.ietf-core-oscore-groupcomm]. | |||
| The DTLS and TLS record layers are analyzed with and without 6LoWPAN- | The DTLS and TLS record layers are analyzed with and without 6LoWPAN- | |||
| GHC compression. DTLS is anlyzed with and without Connection ID | GHC compression. DTLS is anlyzed with and without Connection ID | |||
| [I-D.ietf-tls-dtls-connection-id]. Readers are expected to be | [I-D.ietf-tls-dtls-connection-id]. Readers are expected to be | |||
| familiar with some of the terms described in RFC 7925 [RFC7925], such | familiar with some of the terms described in RFC 7925 [RFC7925], such | |||
| as ICV. Section 2 compares the overhead of key exchange, while | as ICV. Section 2 compares the overhead of key exchange, while | |||
| Section 3 covers the overhead for protection of application data. | Section 3 covers the overhead for protection of application data. | |||
| 2. Overhead of Key Exchange Protocols | 2. Overhead of Key Exchange Protocols | |||
| skipping to change at page 4, line 25 ¶ | skipping to change at page 4, line 25 ¶ | |||
| following overheads apply for all Connection IDs of the same length, | following overheads apply for all Connection IDs of the same length, | |||
| when Connection ID is used. | when Connection ID is used. | |||
| The EDHOC overhead is dependent on the key identifiers included. The | The EDHOC overhead is dependent on the key identifiers included. The | |||
| following overheads apply for Sender IDs of the same length. | following overheads apply for Sender IDs of the same length. | |||
| All the overhead are dependent on the tag length. The following | All the overhead are dependent on the tag length. The following | |||
| overheads apply for tags of the same length. | overheads apply for tags of the same length. | |||
| Figure 1 compares the message sizes of EDHOC | Figure 1 compares the message sizes of EDHOC | |||
| [I-D.selander-ace-cose-ecdhe] with the DTLS 1.3 [I-D.ietf-tls-dtls13] | [I-D.selander-lake-edhoc] with the DTLS 1.3 [I-D.ietf-tls-dtls13] and | |||
| and TLS 1.3 [RFC8446] handshakes with connection ID. | TLS 1.3 [RFC8446] handshakes with connection ID. | |||
| ===================================================================== | ===================================================================== | |||
| Flight #1 #2 #3 Total | Flight #1 #2 #3 Total | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
| DTLS 1.3 RPK + ECDHE 150 373 213 736 | DTLS 1.3 RPK + ECDHE 150 373 213 736 | |||
| DTLS 1.3 Cached X.509/RPK + ECDHE 182 347 213 742 | DTLS 1.3 Cached X.509/RPK + ECDHE 182 347 213 742 | |||
| DTLS 1.3 PSK + ECDHE 184 190 57 431 | DTLS 1.3 PSK + ECDHE 184 190 57 431 | |||
| DTLS 1.3 PSK 134 150 57 341 | DTLS 1.3 PSK 134 150 57 341 | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
| EDHOC RPK + ECDHE 39 114 80 233 | EDHOC RPK + ECDHE 37 46 20 103 | |||
| EDHOC PSK + ECDHE 41 45 11 97 | EDHOC PSK + ECDHE 38 44 10 92 | |||
| ===================================================================== | ===================================================================== | |||
| Figure 1: Comparison of message sizes in bytes with Connection ID | Figure 1: Comparison of message sizes in bytes with Connection ID | |||
| Figure 2 compares of message sizes of DTLS 1.3 [I-D.ietf-tls-dtls13] | Figure 2 compares of message sizes of DTLS 1.3 [I-D.ietf-tls-dtls13] | |||
| and TLS 1.3 [RFC8446] handshakes without connection ID. | and TLS 1.3 [RFC8446] handshakes without connection ID. | |||
| ===================================================================== | ===================================================================== | |||
| Flight #1 #2 #3 Total | Flight #1 #2 #3 Total | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
| skipping to change at page 16, line 12 ¶ | skipping to change at page 16, line 12 ¶ | |||
| Total of 59 bytes | Total of 59 bytes | |||
| 2.3. TLS 1.3 | 2.3. TLS 1.3 | |||
| In this section, the message sizes are calculated for TLS 1.3. The | In this section, the message sizes are calculated for TLS 1.3. The | |||
| major changes compared to DTLS 1.3 are that the record header is | major changes compared to DTLS 1.3 are that the record header is | |||
| smaller, the handshake headers is smaller, and that Connection ID is | smaller, the handshake headers is smaller, and that Connection ID is | |||
| not supported. Recently, additional work has taken shape with the | not supported. Recently, additional work has taken shape with the | |||
| goal to further reduce overhead for TLS 1.3 (see | goal to further reduce overhead for TLS 1.3 (see | |||
| [I-D.schaad-ace-tls-cbor-handshake] ). | [I-D.rescorla-tls-ctls]). | |||
| TLS Assumptions: | TLS Assumptions: | |||
| o Minimum number of algorithms and cipher suites offered | o Minimum number of algorithms and cipher suites offered | |||
| o Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256 | o Curve25519, ECDSA with P-256, AES-CCM_8, SHA-256 | |||
| o Length of key identifiers: 1 bytes | o Length of key identifiers: 1 bytes | |||
| o TLS RPK with point compression (saves 32 bytes) | o TLS RPK with point compression (saves 32 bytes) | |||
| skipping to change at page 24, line 29 ¶ | skipping to change at page 24, line 29 ¶ | |||
| 2.3.3.3. flight_3 | 2.3.3.3. flight_3 | |||
| There are no differences in overhead compared to Section 2.3.2.3. | There are no differences in overhead compared to Section 2.3.2.3. | |||
| TLS 1.3 PSK flight_3 gives 57 bytes of overhead. | TLS 1.3 PSK flight_3 gives 57 bytes of overhead. | |||
| 2.4. EDHOC | 2.4. EDHOC | |||
| This section gives an estimate of the message sizes of EDHOC with | This section gives an estimate of the message sizes of EDHOC with | |||
| different authentication methods. Note that the examples in this | different authentication methods. All examples are given in CBOR | |||
| section are not test vectors, the cryptographic parts are just | diagnostic notation and hexadecimal. | |||
| replaced with byte strings of the same length. All examples are | ||||
| given in CBOR diagnostic notation and hexadecimal. | ||||
| 2.4.1. Message Sizes RPK | 2.4.1. Message Sizes RPK | |||
| 2.4.1.1. message_1 | 2.4.1.1. message_1 | |||
| message_1 = ( | message_1 = ( | |||
| 1, | 13, | |||
| 0, | 0, | |||
| h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d | h'8D3EF56D1B750A4351D68AC250A0E883790EFC80A538A444EE9E2B57E244 | |||
| 1e1f', | 1A7C', | |||
| h'c3' | -2 | |||
| ) | ) | |||
| message_1 (38 bytes): | message_1 (37 bytes): | |||
| 01 00 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0d 00 58 20 8d 3e f5 6d 1b 75 0a 43 51 d6 8a c2 50 a0 e8 83 | |||
| 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C3 | 79 0e fc 80 a5 38 a4 44 ee 9e 2b 57 e2 44 1a 7c 21 | |||
| 2.4.1.2. message_2 | 2.4.1.2. message_2 | |||
| plaintext = << | ||||
| h'a1', | ||||
| h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d | ||||
| 1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b | ||||
| 3c3d3e3f' | ||||
| >> | ||||
| The header map { 4 : h'a1' } is encoded as the two bytes h'a1'. The | ||||
| length of plaintext is 68 bytes so assuming a 64-bit MAC value the | ||||
| length of ciphertext is 76 bytes. | ||||
| message_2 = ( | message_2 = ( | |||
| h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d | h'52FBA0BDC8D953DD86CE1AB2FD7C05A4658C7C30AFDBFC3301047069451B | |||
| 1e1f', | AF35', | |||
| h'c4', | 8, | |||
| h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d | h'DCF6FE9C524C22454DEB' | |||
| 1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b | ||||
| 3c3d3e3f404142434445464748494a4b' | ||||
| ) | ) | |||
| message_2 (114 bytes): | message_2 (46 bytes): | |||
| 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 | 58 20 52 fb a0 bd c8 d9 53 dd 86 ce 1a b2 fd 7c 05 a4 65 8c | |||
| 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C4 58 51 00 01 | 7c 30 af db fc 33 01 04 70 69 45 1b af 35 08 4a dc f6 fe 9c | |||
| 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 | 52 4c 22 45 4d eb | |||
| 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 | ||||
| 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D | ||||
| 3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B | ||||
| 2.4.1.3. message_3 | 2.4.1.3. message_3 | |||
| The plaintext and ciphertext in message_3 are assumed to be of equal | ||||
| sizes as in message_2. | ||||
| message_3 = ( | message_3 = ( | |||
| h'c4', | 8, | |||
| h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d | h'53C3991999A5FFB86921E99B607C067770E0' | |||
| 1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b | ||||
| 3c3d3e3f404142434445464748494a4b' | ||||
| ) | ) | |||
| message_3 (80 bytes): | message_3 (20 bytes): | |||
| 41 C4 58 51 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 08 52 53 c3 99 19 99 a5 ff b8 69 21 e9 9b 60 7c 06 77 70 e0 | |||
| 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 | ||||
| 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 | ||||
| 38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B | ||||
| 2.4.2. Message Sizes Certificates | ||||
| When the certificates are distributed out-of-band and identified with | ||||
| the x5t header parameter and a SHA256/64 hash value, the header map | ||||
| will be 13 bytes (assuming labels in the range -24...23). | ||||
| { TDB1 : [ TDB6, h'0001020304050607' ] } | ||||
| When the certificates are identified with the x5chain header | ||||
| parameter, the message sizes depends on the size of the (truncated) | ||||
| certificate chains. The header map will be 3 bytes + the size of the | ||||
| certificate chain (assuming a label in the range -24...23). | ||||
| { TDB3 : h'0001020304050607...' } | ||||
| 2.4.3. Message Sizes PSK | 2.4.2. Message Sizes PSK | |||
| 2.4.4. message_1 | 2.4.3. message_1 | |||
| message_1 = ( | message_1 = ( | |||
| 4, | 17, | |||
| 0, | 0, | |||
| h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d | h'3662C4A71D624E8A4D9DFF879ABC6E2A0E745F82F497F7AFBEBFF3B01A8F | |||
| 1e1f', | AB57', | |||
| h'c3', | 14, | |||
| h'a2' | -17 | |||
| ) | ) | |||
| message_1 (40 bytes): | message_1 (38 bytes): | |||
| 04 00 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 11 00 58 20 36 62 c4 a7 1d 62 4e 8a 4d 9d ff 87 9a bc 6e 2a | |||
| 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C3 41 A2 | 0e 74 5f 82 f4 97 f7 af be bf f3 b0 1a 8f ab 57 0e 30 | |||
| 2.4.5. message_2 | ||||
| Assuming a 0 byte plaintext and a 64-bit MAC value the ciphertext is | ||||
| 8 bytes | ||||
| 2.4.4. message_2 | ||||
| message_2 = ( | message_2 = ( | |||
| h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d | h'A3967F6CF99B6DDC7E7C219D0D119A383F754001DF33515971EC6C842553 | |||
| 1e1f', | B776', | |||
| h'c4', | -24, | |||
| h'0001020304050607' | h'4F355451E069226F' | |||
| ) | ) | |||
| message_2 (45 bytes): | message_2 (44 bytes): | |||
| 58 20 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 | 58 20 a3 96 7f 6c f9 9b 6d dc 7e 7c 21 9d 0d 11 9a 38 3f 75 | |||
| 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 41 C4 48 61 62 63 | 40 01 df 33 51 59 71 ec 6c 84 25 53 b7 76 37 48 4f 35 54 51 | |||
| 64 65 66 67 68 | e0 69 22 6f | |||
| 2.4.6. message_3 | ||||
| The plaintext and ciphertext in message_3 are assumed to be of equal | 2.4.5. message_3 | |||
| sizes as in message_2. | ||||
| message_3 = ( | message_3 = ( | |||
| h'c4', | -24, | |||
| h'0001020304050607' | h'763BD2F3C10F0D45' | |||
| ) | ) | |||
| message_3 (11 bytes): | message_3 (10 bytes): | |||
| 41 C4 48 00 01 02 03 04 05 06 07 | 37 48 76 3b d2 f3 c1 0f 0d 45 | |||
| 2.4.7. Summary | 2.4.6. Summary | |||
| The previous examples of typical message sizes are summarized in | The previous examples of typical message sizes are summarized in | |||
| Figure 5. | Figure 5. | |||
| ===================================================================== | ===================================================================== | |||
| PSK RPK x5t x5chain | PSK RPK x5t x5chain | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
| message_1 40 38 38 38 | message_1 38 37 37 37 | |||
| message_2 45 114 126 116 + Certificate chain | message_2 44 46 117 110 + Certificate chain | |||
| message_3 11 80 91 81 + Certificate chain | message_3 10 20 91 84 + Certificate chain | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
| Total 96 232 255 235 + Certificate chains | Total 92 103 245 231 + Certificate chains | |||
| ===================================================================== | ===================================================================== | |||
| Figure 5: Typical message sizes in bytes | Figure 5: Typical message sizes in bytes | |||
| 2.5. Conclusion | 2.5. Conclusion | |||
| To do a fair comparison, one has to choose a specific deployment and | To do a fair comparison, one has to choose a specific deployment and | |||
| look at the topology, the whole protocol stack, frame sizes (e.g. 51 | look at the topology, the whole protocol stack, frame sizes (e.g. 51 | |||
| or 128 bytes), how and where in the protocol stack fragmentation is | or 128 bytes), how and where in the protocol stack fragmentation is | |||
| done, and the expected packet loss. Note that the number of byte in | done, and the expected packet loss. Note that the number of byte in | |||
| skipping to change at page 29, line 36 ¶ | skipping to change at page 28, line 36 ¶ | |||
| ------------------------------------------------------------- | ------------------------------------------------------------- | |||
| DTLS 1.2 29 30 31 | DTLS 1.2 29 30 31 | |||
| DTLS 1.3 11 12 13 | DTLS 1.3 11 12 13 | |||
| ------------------------------------------------------------- | ------------------------------------------------------------- | |||
| DTLS 1.2 (GHC) 16 17 18 | DTLS 1.2 (GHC) 16 17 18 | |||
| DTLS 1.3 (GHC) 12 13 14 | DTLS 1.3 (GHC) 12 13 14 | |||
| ------------------------------------------------------------- | ------------------------------------------------------------- | |||
| OSCORE request 13 14 15 | OSCORE request 13 14 15 | |||
| OSCORE response 11 11 11 | OSCORE response 11 11 11 | |||
| Figure 7: Overhead in bytes as a function of Connection/Sender ID | Figure 7: Overhead in bytes as a function of Connection/Sender | |||
| (Sequence Number = '05') | ID (Sequence Number = '05') | |||
| Protocol Overhead Overhead (GHC) | Protocol Overhead Overhead (GHC) | |||
| ------------------------------------------------------------- | ------------------------------------------------------------- | |||
| DTLS 1.2 21 8 | DTLS 1.2 21 8 | |||
| DTLS 1.3 3 4 | DTLS 1.3 3 4 | |||
| ------------------------------------------------------------- | ------------------------------------------------------------- | |||
| TLS 1.2 13 9 | TLS 1.2 13 9 | |||
| TLS 1.3 6 7 | TLS 1.3 6 7 | |||
| ------------------------------------------------------------- | ------------------------------------------------------------- | |||
| OSCORE request 5 | OSCORE request 5 | |||
| skipping to change at page 36, line 46 ¶ | skipping to change at page 35, line 46 ¶ | |||
| Ciphertext (including encrypted content type): | Ciphertext (including encrypted content type): | |||
| ae a0 15 56 67 92 ec | ae a0 15 56 67 92 ec | |||
| ICV: | ICV: | |||
| 4d ff 8a 24 e4 cb 35 b9 | 4d ff 8a 24 e4 cb 35 b9 | |||
| When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters | When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters | |||
| (epoch, sequence number, length) gives 15 bytes overhead. | (epoch, sequence number, length) gives 15 bytes overhead. | |||
| 3.6. OSCORE | 3.6. OSCORE | |||
| This section analyzes the overhead of OSCORE | This section analyzes the overhead of OSCORE [RFC8613]. | |||
| [I-D.ietf-core-object-security]. | ||||
| The below calculation Option Delta = '9', Sender ID = '' (empty | The below calculation Option Delta = '9', Sender ID = '' (empty | |||
| string), and Sequence Number = '05', and is only an example. Note | string), and Sequence Number = '05', and is only an example. Note | |||
| that Sender ID = '' (empty string) can only be used by one client per | that Sender ID = '' (empty string) can only be used by one client per | |||
| server. | server. | |||
| OSCORE request (19 bytes, 13 bytes overhead): | OSCORE request (19 bytes, 13 bytes overhead): | |||
| 92 09 05 | 92 09 05 | |||
| ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 | ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 | |||
| skipping to change at page 39, line 31 ¶ | skipping to change at page 38, line 31 ¶ | |||
| 4. Security Considerations | 4. Security Considerations | |||
| This document is purely informational. | This document is purely informational. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| This document has no actions for IANA. | This document has no actions for IANA. | |||
| 6. Informative References | 6. Informative References | |||
| [I-D.ietf-core-object-security] | ||||
| Selander, G., Mattsson, J., Palombini, F., and L. Seitz, | ||||
| "Object Security for Constrained RESTful Environments | ||||
| (OSCORE)", draft-ietf-core-object-security-15 (work in | ||||
| progress), August 2018. | ||||
| [I-D.ietf-core-oscore-groupcomm] | [I-D.ietf-core-oscore-groupcomm] | |||
| Tiloca, M., Selander, G., Palombini, F., and J. Park, | Tiloca, M., Selander, G., Palombini, F., and J. Park, | |||
| "Group OSCORE - Secure Group Communication for CoAP", | "Group OSCORE - Secure Group Communication for CoAP", | |||
| draft-ietf-core-oscore-groupcomm-03 (work in progress), | draft-ietf-core-oscore-groupcomm-06 (work in progress), | |||
| October 2018. | November 2019. | |||
| [I-D.ietf-tls-dtls-connection-id] | [I-D.ietf-tls-dtls-connection-id] | |||
| Rescorla, E., Tschofenig, H., Fossati, T., and T. Gondrom, | Rescorla, E., Tschofenig, H., and T. Fossati, "Connection | |||
| "Connection Identifiers for DTLS 1.2", draft-ietf-tls- | Identifiers for DTLS 1.2", draft-ietf-tls-dtls-connection- | |||
| dtls-connection-id-02 (work in progress), October 2018. | id-07 (work in progress), October 2019. | |||
| [I-D.ietf-tls-dtls13] | [I-D.ietf-tls-dtls13] | |||
| Rescorla, E., Tschofenig, H., and N. Modadugu, "The | Rescorla, E., Tschofenig, H., and N. Modadugu, "The | |||
| Datagram Transport Layer Security (DTLS) Protocol Version | Datagram Transport Layer Security (DTLS) Protocol Version | |||
| 1.3", draft-ietf-tls-dtls13-30 (work in progress), | 1.3", draft-ietf-tls-dtls13-34 (work in progress), | |||
| November 2018. | November 2019. | |||
| [I-D.schaad-ace-tls-cbor-handshake] | [I-D.rescorla-tls-ctls] | |||
| Schaad, J., "TLS Handshake in CBOR", draft-schaad-ace-tls- | Rescorla, E., Barnes, R., and H. Tschofenig, "Compact TLS | |||
| cbor-handshake-00 (work in progress), March 2019. | 1.3", draft-rescorla-tls-ctls-03 (work in progress), | |||
| November 2019. | ||||
| [I-D.selander-ace-cose-ecdhe] | [I-D.selander-lake-edhoc] | |||
| Selander, G., Mattsson, J., and F. Palombini, "Ephemeral | Selander, G., Mattsson, J., and F. Palombini, "Ephemeral | |||
| Diffie-Hellman Over COSE (EDHOC)", draft-selander-ace- | Diffie-Hellman Over COSE (EDHOC)", draft-selander-lake- | |||
| cose-ecdhe-12 (work in progress), February 2019. | edhoc-00 (work in progress), November 2019. | |||
| [IoT-Cert] | [IoT-Cert] | |||
| Forsby, F., "Digital Certificates for the Internet of | Forsby, F., "Digital Certificates for the Internet of | |||
| Things", June 2017, <https://kth.diva- | Things", June 2017, <https://kth.diva- | |||
| portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf>. | portal.org/smash/get/diva2:1153958/FULLTEXT01.pdf>. | |||
| [OlegHahm-ghc] | [OlegHahm-ghc] | |||
| Hahm, O., "Generic Header Compression", July 2016, | Hahm, O., "Generic Header Compression", July 2016, | |||
| <https://github.com/OlegHahm/ghc>. | <https://github.com/OlegHahm/ghc>. | |||
| skipping to change at page 41, line 15 ¶ | skipping to change at page 40, line 15 ¶ | |||
| [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., | [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., | |||
| Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained | Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained | |||
| Application Protocol) over TCP, TLS, and WebSockets", | Application Protocol) over TCP, TLS, and WebSockets", | |||
| RFC 8323, DOI 10.17487/RFC8323, February 2018, | RFC 8323, DOI 10.17487/RFC8323, February 2018, | |||
| <https://www.rfc-editor.org/info/rfc8323>. | <https://www.rfc-editor.org/info/rfc8323>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, | ||||
| "Object Security for Constrained RESTful Environments | ||||
| (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, | ||||
| <https://www.rfc-editor.org/info/rfc8613>. | ||||
| [Ulfheim-TLS13] | [Ulfheim-TLS13] | |||
| Driscoll, M., "Every Byte Explained The Illustrated TLS | Driscoll, M., "Every Byte Explained The Illustrated TLS | |||
| 1.3 Connection", March 2018, <https://tls13.ulfheim.net>. | 1.3 Connection", March 2018, <https://tls13.ulfheim.net>. | |||
| Acknowledgments | Acknowledgments | |||
| The authors want to thank Ari Keraenen, Carsten Bormann, Goeran | The authors want to thank Ari Keraenen, Carsten Bormann, Goeran | |||
| Selander, and Hannes Tschofenig for comments and suggestions on | Selander, and Hannes Tschofenig for comments and suggestions on | |||
| previous versions of the draft. | previous versions of the draft. | |||
| All 6LoWPAN-GHC compression was done with [OlegHahm-ghc]. | All 6LoWPAN-GHC compression was done with [OlegHahm-ghc]. | |||
| Authors' Addresses | Authors' Addresses | |||
| John Mattsson | John Preuss Mattsson | |||
| Ericsson AB | Ericsson AB | |||
| Email: john.mattsson@ericsson.com | Email: john.mattsson@ericsson.com | |||
| Francesca Palombini | Francesca Palombini | |||
| Ericsson AB | Ericsson AB | |||
| Email: francesca.palombini@ericsson.com | Email: francesca.palombini@ericsson.com | |||
| Malisa Vucinic | ||||
| INRIA | ||||
| Email: malisa.vucinic@inria.fr | ||||
| End of changes. 45 change blocks. | ||||
| 166 lines changed or deleted | 118 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||