--- 1/draft-ietf-lwig-security-protocol-comparison-04.txt 2020-11-02 08:14:30.310641839 -0800 +++ 2/draft-ietf-lwig-security-protocol-comparison-05.txt 2020-11-02 08:14:30.346642330 -0800 @@ -1,20 +1,20 @@ LWIG Working Group J. Mattsson Internet-Draft F. Palombini Intended status: Informational Ericsson AB -Expires: September 10, 2020 M. Vucinic +Expires: May 6, 2021 M. Vucinic INRIA - March 09, 2020 + November 02, 2020 Comparison of CoAP Security Protocols - draft-ietf-lwig-security-protocol-comparison-04 + draft-ietf-lwig-security-protocol-comparison-05 Abstract This document analyzes and compares the sizes of key exchange flights and the per-packet message size overheads when using different security protocols to secure CoAP. The analyzed security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, EDHOC, OSCORE, and Group OSCORE. The DTLS and TLS record layers are analyzed with and without 6LoWPAN-GHC compression. DTLS is analyzed with and without Connection ID. @@ -27,21 +27,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 10, 2020. + This Internet-Draft will expire on May 6, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -63,62 +63,57 @@ 2.2.4. Cached Information . . . . . . . . . . . . . . . . . 12 2.2.5. Resumption . . . . . . . . . . . . . . . . . . . . . 13 2.2.6. Without Connection ID . . . . . . . . . . . . . . . . 14 2.2.7. DTLS Raw Public Keys . . . . . . . . . . . . . . . . 15 2.3. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.3.1. Message Sizes RPK + ECDHE . . . . . . . . . . . . . . 16 2.3.2. Message Sizes PSK + ECDHE . . . . . . . . . . . . . . 22 2.3.3. Message Sizes PSK . . . . . . . . . . . . . . . . . . 23 2.4. EDHOC . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.4.1. Message Sizes RPK . . . . . . . . . . . . . . . . . . 24 - 2.4.2. Message Sizes PSK . . . . . . . . . . . . . . . . . . 25 - 2.4.3. message_1 . . . . . . . . . . . . . . . . . . . . . . 25 - 2.4.4. message_2 . . . . . . . . . . . . . . . . . . . . . . 25 - 2.4.5. message_3 . . . . . . . . . . . . . . . . . . . . . . 26 - 2.4.6. Summary . . . . . . . . . . . . . . . . . . . . . . . 26 - 2.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 26 - 3. Overhead for Protection of Application Data . . . . . . . . . 27 - 3.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 27 - 3.2. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 29 - 3.2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 29 - 3.2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 29 - 3.2.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 30 - 3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 31 - 3.3. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 31 - 3.3.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 31 - 3.3.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 32 - 3.3.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 32 - 3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 33 - 3.4. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 33 - 3.4.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 33 - 3.4.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 34 - 3.5. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 34 - 3.5.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 34 - 3.5.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 35 - - 3.6. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 3.7. Group OSCORE . . . . . . . . . . . . . . . . . . . . . . 37 - 3.8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 37 - 4. Security Considerations . . . . . . . . . . . . . . . . . . . 38 - 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 - 6. Informative References . . . . . . . . . . . . . . . . . . . 38 - Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 40 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40 + 2.4.2. Summary . . . . . . . . . . . . . . . . . . . . . . . 25 + 2.5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 25 + 3. Overhead for Protection of Application Data . . . . . . . . . 26 + 3.1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 26 + 3.2. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . 28 + 3.2.1. DTLS 1.2 . . . . . . . . . . . . . . . . . . . . . . 28 + 3.2.2. DTLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 28 + 3.2.3. DTLS 1.2 with Connection ID . . . . . . . . . . . . . 29 + 3.2.4. DTLS 1.2 with Connection ID and 6LoWPAN-GHC . . . . . 30 + 3.3. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . 30 + 3.3.1. DTLS 1.3 . . . . . . . . . . . . . . . . . . . . . . 30 + 3.3.2. DTLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 31 + 3.3.3. DTLS 1.3 with Connection ID . . . . . . . . . . . . . 31 + 3.3.4. DTLS 1.3 with Connection ID and 6LoWPAN-GHC . . . . . 32 + 3.4. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . 32 + 3.4.1. TLS 1.2 . . . . . . . . . . . . . . . . . . . . . . . 32 + 3.4.2. TLS 1.2 with 6LoWPAN-GHC . . . . . . . . . . . . . . 33 + 3.5. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . . . 33 + 3.5.1. TLS 1.3 . . . . . . . . . . . . . . . . . . . . . . . 33 + 3.5.2. TLS 1.3 with 6LoWPAN-GHC . . . . . . . . . . . . . . 34 + 3.6. OSCORE . . . . . . . . . . . . . . . . . . . . . . . . . 34 + 3.7. Group OSCORE . . . . . . . . . . . . . . . . . . . . . . 36 + 3.8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . 36 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 37 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37 + 6. Informative References . . . . . . . . . . . . . . . . . . . 37 + Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 39 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 1. Introduction This document analyzes and compares the sizes of key exchange flights and the per-packet message size overheads when using different security protocols to secure CoAP over UPD [RFC7252] and TCP [RFC8323]. The analyzed security protocols are DTLS 1.2 [RFC6347], DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [RFC8446], - EDHOC [I-D.selander-lake-edhoc], OSCORE [RFC8613], and Group OSCORE + EDHOC [I-D.ietf-lake-edhoc], OSCORE [RFC8613], and Group OSCORE [I-D.ietf-core-oscore-groupcomm]. The DTLS and TLS record layers are analyzed with and without 6LoWPAN- GHC compression. DTLS is anlyzed with and without Connection ID [I-D.ietf-tls-dtls-connection-id]. Readers are expected to be familiar with some of the terms described in RFC 7925 [RFC7925], such as ICV. Section 2 compares the overhead of key exchange, while Section 3 covers the overhead for protection of application data. 2. Overhead of Key Exchange Protocols @@ -156,34 +151,34 @@ The DTLS overhead is dependent on the parameter Connection ID. The following overheads apply for all Connection IDs of the same length, when Connection ID is used. The EDHOC overhead is dependent on the key identifiers included. The following overheads apply for Sender IDs of the same length. All the overhead are dependent on the tag length. The following overheads apply for tags of the same length. - Figure 1 compares the message sizes of EDHOC - [I-D.selander-lake-edhoc] with the DTLS 1.3 [I-D.ietf-tls-dtls13] and - TLS 1.3 [RFC8446] handshakes with connection ID. + Figure 1 compares the message sizes of EDHOC [I-D.ietf-lake-edhoc] + with the DTLS 1.3 [I-D.ietf-tls-dtls13] and TLS 1.3 [RFC8446] + handshakes with connection ID. ===================================================================== Flight #1 #2 #3 Total --------------------------------------------------------------------- DTLS 1.3 RPK + ECDHE 150 373 213 736 DTLS 1.3 Cached X.509/RPK + ECDHE 182 347 213 742 DTLS 1.3 PSK + ECDHE 184 190 57 431 DTLS 1.3 PSK 134 150 57 341 --------------------------------------------------------------------- EDHOC RPK + ECDHE 37 46 20 103 - EDHOC PSK + ECDHE 38 44 10 92 + EDHOC X.509 + ECDHE 37 117 91 245 ===================================================================== Figure 1: Comparison of message sizes in bytes with Connection ID Figure 2 compares of message sizes of DTLS 1.3 [I-D.ietf-tls-dtls13] and TLS 1.3 [RFC8446] handshakes without connection ID. ===================================================================== Flight #1 #2 #3 Total --------------------------------------------------------------------- @@ -1020,22 +1015,23 @@ 2.3.3.3. flight_3 There are no differences in overhead compared to Section 2.3.2.3. TLS 1.3 PSK flight_3 gives 57 bytes of overhead. 2.4. EDHOC This section gives an estimate of the message sizes of EDHOC with - different authentication methods. All examples are given in CBOR - diagnostic notation and hexadecimal. + authenticated with static Diffie-Hellman keys. All examples are + given in CBOR diagnostic notation and hexadecimal, and are based on + the test vectors in Appendix B.2 of [I-D.ietf-lake-edhoc]. 2.4.1. Message Sizes RPK 2.4.1.1. message_1 message_1 = ( 13, 0, h'8D3EF56D1B750A4351D68AC250A0E883790EFC80A538A444EE9E2B57E244 1A7C', @@ -1063,93 +1059,54 @@ 2.4.1.3. message_3 message_3 = ( 8, h'53C3991999A5FFB86921E99B607C067770E0' ) message_3 (20 bytes): 08 52 53 c3 99 19 99 a5 ff b8 69 21 e9 9b 60 7c 06 77 70 e0 -2.4.2. Message Sizes PSK - -2.4.3. message_1 - - message_1 = ( - 17, - 0, - h'3662C4A71D624E8A4D9DFF879ABC6E2A0E745F82F497F7AFBEBFF3B01A8F - AB57', - 14, - -17 - ) - - message_1 (38 bytes): - 11 00 58 20 36 62 c4 a7 1d 62 4e 8a 4d 9d ff 87 9a bc 6e 2a - 0e 74 5f 82 f4 97 f7 af be bf f3 b0 1a 8f ab 57 0e 30 - -2.4.4. message_2 - message_2 = ( - h'A3967F6CF99B6DDC7E7C219D0D119A383F754001DF33515971EC6C842553 - B776', - -24, - h'4F355451E069226F' - ) - - message_2 (44 bytes): - 58 20 a3 96 7f 6c f9 9b 6d dc 7e 7c 21 9d 0d 11 9a 38 3f 75 - 40 01 df 33 51 59 71 ec 6c 84 25 53 b7 76 37 48 4f 35 54 51 - e0 69 22 6f - -2.4.5. message_3 - - message_3 = ( - -24, - h'763BD2F3C10F0D45' - ) - - message_3 (10 bytes): - 37 48 76 3b d2 f3 c1 0f 0d 45 - -2.4.6. Summary +2.4.2. Summary - The previous examples of typical message sizes are summarized in + The typical message sizes for the previous example and for an example + of EDHOC authenticated with signature keys and X.509 certificates + based on Appendix B.1 of [I-D.ietf-lake-edhoc] are summarized in Figure 5. - ===================================================================== - PSK RPK x5t x5chain - --------------------------------------------------------------------- - message_1 38 37 37 37 - message_2 44 46 117 110 + Certificate chain - message_3 10 20 91 84 + Certificate chain - --------------------------------------------------------------------- - Total 92 103 245 231 + Certificate chains - ===================================================================== + =============================== + RPK x5t + ------------------------------- + message_1 37 37 + message_2 46 117 + message_3 20 91 + ------------------------------- + Total 103 245 + =============================== Figure 5: Typical message sizes in bytes 2.5. Conclusion To do a fair comparison, one has to choose a specific deployment and look at the topology, the whole protocol stack, frame sizes (e.g. 51 or 128 bytes), how and where in the protocol stack fragmentation is - done, and the expected packet loss. Note that the number of byte in + done, and the expected packet loss. Note that the number of bytes in each frame that is available for the key exchange protocol may depend - on the underlying protocol layers as well as the number of hops in - multi-hop networks. The packet loss depends may depend on how many - other devices that are transmitting at the same time, and may - increase during network formation. The total overhead will be larger - due to mechanisms for fragmentation, retransmission, and packet - ordering. The overhead of fragmentation is roughly proportional to - the number of fragments, while the expected overhead due to - retransmission in noisy environments is a superlinear function of the - flight sizes. + on the underlying protocol layers as well as on the number of hops in + multi-hop networks. The packet loss may depend on how many other + devices are transmitting at the same time, and may increase during + network formation. The total overhead will be larger due to + mechanisms for fragmentation, retransmission, and packet ordering. + The overhead of fragmentation is roughly proportional to the number + of fragments, while the expected overhead due to retransmission in + noisy environments is a superlinear function of the flight sizes. 3. Overhead for Protection of Application Data To enable comparison, all the overhead calculations in this section use AES-CCM with a tag length of 8 bytes (e.g. AES_128_CCM_8 or AES- CCM-16-64), a plaintext of 6 bytes, and the sequence number '05'. This follows the example in [RFC7400], Figure 16. Note that the compressed overhead calculations for DLTS 1.2, DTLS 1.3, TLS 1.2 and TLS 1.3 are dependent on the parameters epoch, @@ -1657,43 +1614,43 @@ 5. IANA Considerations This document has no actions for IANA. 6. Informative References [I-D.ietf-core-oscore-groupcomm] Tiloca, M., Selander, G., Palombini, F., and J. Park, "Group OSCORE - Secure Group Communication for CoAP", - draft-ietf-core-oscore-groupcomm-06 (work in progress), - November 2019. + draft-ietf-core-oscore-groupcomm-09 (work in progress), + June 2020. + + [I-D.ietf-lake-edhoc] + Selander, G., Mattsson, J., and F. Palombini, "Ephemeral + Diffie-Hellman Over COSE (EDHOC)", draft-ietf-lake- + edhoc-01 (work in progress), August 2020. [I-D.ietf-tls-dtls-connection-id] Rescorla, E., Tschofenig, H., and T. Fossati, "Connection Identifiers for DTLS 1.2", draft-ietf-tls-dtls-connection- id-07 (work in progress), October 2019. [I-D.ietf-tls-dtls13] Rescorla, E., Tschofenig, H., and N. Modadugu, "The Datagram Transport Layer Security (DTLS) Protocol Version - 1.3", draft-ietf-tls-dtls13-34 (work in progress), - November 2019. + 1.3", draft-ietf-tls-dtls13-38 (work in progress), May + 2020. [I-D.rescorla-tls-ctls] Rescorla, E., Barnes, R., and H. Tschofenig, "Compact TLS - 1.3", draft-rescorla-tls-ctls-03 (work in progress), - November 2019. - - [I-D.selander-lake-edhoc] - Selander, G., Mattsson, J., and F. Palombini, "Ephemeral - Diffie-Hellman Over COSE (EDHOC)", draft-selander-lake- - edhoc-00 (work in progress), November 2019. + 1.3", draft-rescorla-tls-ctls-04 (work in progress), March + 2020. [IoT-Cert] Forsby, F., "Digital Certificates for the Internet of Things", June 2017, . [OlegHahm-ghc] Hahm, O., "Generic Header Compression", July 2016, .