Network Working Group | J. Mattsson |
Internet-Draft | F. Palombini |
Intended status: Informational | Ericsson AB |
Expires: January 3, 2019 | July 2, 2018 |
Comparison of CoAP Security Protocols
draft-ietf-lwig-security-protocol-comparison-01
This document analyzes and compares per-packet message size overheads when using different security protocols to secure CoAP. The analyzed security protocols are DTLS 1.2, DTLS 1.3, TLS 1.2, TLS 1.3, and OSCORE. DTLS and TLS are analyzed with and without 6LoWPAN-GHC compression. DTLS is analyzed with and without Connection ID.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2019.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document analyzes and compares per-packet message size overheads when using different security protocols to secure CoAP over UPD [RFC7252] and TCP [RFC8323]. The analyzed security protocols are DTLS 1.2 [RFC6347], DTLS 1.3 [I-D.ietf-tls-dtls13], TLS 1.2 [RFC5246], TLS 1.3 [I-D.ietf-tls-tls13], and OSCORE [I-D.ietf-core-object-security]. The DTLS and TLS record layers are analyzed with and without compression. DTLS is anlyzed with and without Connection ID [I-D.ietf-tls-dtls-connection-id] and DTLS 1.3 is analyzed with and without the use of the short header. Readers are expected to be familiar with some of the terms described in RFC 7925 [RFC7925], such as ICV.
To enable comparison, all the overhead calculations in this section use AES-CCM with a tag length of 8 bytes (e.g. AES_128_CCM_8 or AES-CCM-16-64), a plaintext of 6 bytes, and the sequence number ‘05’. This follows the example in [RFC7400], Figure 16.
Note that the compressed overhead calculations for DLTS 1.2, DTLS 1.3, TLS 1.2 and TLS 1.3 are dependent on the parameters epoch, sequence number, and length, and all the overhead calculations are dependent on the parameter Connection ID when used. Note that the OSCORE overhead calculations are dependent on the CoAP option numbers, as well as the length of the OSCORE parameters Sender ID and Sequence Number. The following are only examples.
This section analyzes the overhead of DTLS 1.2 [RFC6347]. The nonce follow the strict profiling given in [RFC7925]. This example is taken directly from [RFC7400], Figure 16.
DTLS 1.2 record layer (35 bytes, 29 bytes overhead): 17 fe fd 00 01 00 00 00 00 00 05 00 16 00 01 00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 Content type: 17 Version: fe fd Epoch: 00 01 Sequence number: 00 00 00 00 00 05 Length: 00 16 Nonce: 00 01 00 00 00 00 00 05 Ciphertext: ae a0 15 56 67 92 ICV: 4d ff 8a 24 e4 cb 35 b9
DTLS 1.2 gives 29 bytes overhead.
This section analyzes the overhead of DTLS 1.2 [RFC6347] when compressed with 6LoWPAN-GHC [RFC7400]. The compression was done with [OlegHahm-ghc].
Note that the sequence number ‘01’ used in [RFC7400], Figure 15 gives an exceptionally small overhead that is not representative.
Note that this header compression is not available when DTLS is used over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed DTLS 1.2 record layer (22 bytes, 16 bytes overhead): b0 c3 03 05 00 16 f2 0e ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 Compressed DTLS 1.2 record layer header and nonce: b0 c3 03 05 00 16 f2 0e Ciphertext: ae a0 15 56 67 92 ICV: 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters (epoch, sequence number, length) gives 16 bytes overhead.
This section analyzes the overhead of DTLS 1.2 [RFC6347] with Connection ID [I-D.ietf-tls-dtls-connection-id]. The overhead calculations in this section uses Connection ID = '42'. DTLS recored layer with a Connection ID = '' (the empty string) is equal to DTLS without Connection ID.
DTLS 1.2 record layer (36 bytes, 30 bytes overhead): 17 fe fd 00 01 00 00 00 00 00 05 42 00 16 00 01 00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 Content type: 17 Version: fe fd Epoch: 00 01 Sequence number: 00 00 00 00 00 05 Connection ID: 42 Length: 00 16 Nonce: 00 01 00 00 00 00 00 05 Ciphertext: ae a0 15 56 67 92 ICV: 4d ff 8a 24 e4 cb 35 b9
DTLS 1.2 with Connection ID gives 30 bytes overhead.
This section analyzes the overhead of DTLS 1.2 [RFC6347] with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Note that the sequence number ‘01’ used in [RFC7400], Figure 15 gives an exceptionally small overhead that is not representative.
Note that this header compression is not available when DTLS is used over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed DTLS 1.2 record layer (23 bytes, 17 bytes overhead): b0 c3 04 05 42 00 16 f2 0e ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 Compressed DTLS 1.2 record layer header and nonce: b0 c3 04 05 42 00 16 f2 0e Ciphertext: ae a0 15 56 67 92 ICV: 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.2 with the above parameters (epoch, sequence number, Connection ID, length) gives 17 bytes overhead.
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13]. The changes compared to DTLS 1.2 are: omission of version number, merging of epoch and sequence number fields (of total 8 bytes) into one 4-bytes-field.
DTLS 1.3 record layer (22 bytes, 16 bytes overhead): 17 40 00 00 05 00 0f ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 Content type: 17 Epoch and sequence: 40 00 00 05 Length: 00 0f Ciphertext (including encrypted content type): ae a0 15 56 67 92 ec ICV: 4d ff 8a 24 e4 cb 35 b9
DTLS 1.3 gives 16 bytes overhead.
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Note that this header compression is not available when DTLS is used over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed DTLS 1.3 record layer (23 bytes, 17 bytes overhead): 02 17 40 80 12 05 00 0f ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 Compressed DTLS 1.3 record layer header and nonce: 02 17 40 80 12 05 00 0f Ciphertext (including encrypted content type): ae a0 15 56 67 92 ec ICV: 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters (epoch, sequence number, length) gives 17 bytes overhead.
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] with Connection ID [I-D.ietf-tls-dtls-connection-id].
DTLS 1.3 record layer (23 bytes, 17 bytes overhead): 17 40 00 00 05 42 00 0f ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 Content type: 17 Epoch and sequence: 40 00 00 05 Connection ID: 42 Length: 00 0f Ciphertext (including encrypted content type): ae a0 15 56 67 92 ec ICV: 4d ff 8a 24 e4 cb 35 b9
DTLS 1.3 gives 17 bytes overhead.
This section analyzes the overhead of DTLS 1.3 [I-D.ietf-tls-dtls13] with Connection ID [I-D.ietf-tls-dtls-connection-id] when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Note that this header compression is not available when DTLS is used over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed DTLS 1.3 record layer (24 bytes, 18 bytes overhead): 02 17 40 80 13 05 42 00 0f ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 Compressed DTLS 1.3 record layer header and nonce: 02 17 40 80 13 05 42 00 0f Ciphertext (including encrypted content type): ae a0 15 56 67 92 ec ICV: 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, DTLS 1.3 with the above parameters (epoch, sequence number, Connection ID, length) gives 18 bytes overhead.
This section analyzes the overhead of DTLS 1.3 with short header format [I-D.ietf-tls-dtls13]. The short header format for DTLS 1.3 reduces the header of 5 bytes, by omitting the length value and sending 1 lower bit of epoch value instead of 2, and 12 lower bits of sequence number instead of 30.
DTLS 1.3 record layer (17 bytes, 11 bytes overhead): 30 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 Short epoch and sequence: 30 05 Ciphertext (including encrypted content type): ae a0 15 56 67 92 ec ICV: 4d ff 8a 24 e4 cb 35 b9
DTLS 1.3 with short header gives 11 bytes overhead.
This section analyzes the overhead of DTLS 1.3 with short header [I-D.ietf-tls-dtls13] when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Compressed DTLS 1.3 record layer (18 bytes, 12 bytes overhead): 11 30 05 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 Compressed DTLS 1.3 short header (including sequence number): 11 30 05 Ciphertext (including encrypted content type): ae a0 15 56 67 92 ec ICV: 4d ff 8a 24 e4 cb 35 b9
Compressed DTLS 1.3 with short header gives 12 bytes overhead.
This section analyzes the overhead of TLS 1.2 [RFC5246]. The changes compared to DTLS 1.2 is that the TLS 1.2 record layer does not have epoch and sequence number, and that the version is different.
TLS 1.2 Record Layer (27 bytes, 21 bytes overhead): 17 03 03 00 16 00 00 00 00 00 00 00 05 ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 Content type: 17 Version: 03 03 Length: 00 16 Nonce: 00 00 00 00 00 00 00 05 Ciphertext: ae a0 15 56 67 92 ICV: 4d ff 8a 24 e4 cb 35 b9
TLS 1.2 gives 21 bytes overhead.
This section analyzes the overhead of TLS 1.2 [RFC5246] when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Note that this header compression is not available when TLS is used over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed TLS 1.2 record layer (23 bytes, 17 bytes overhead): 05 17 03 03 00 16 85 0f 05 ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 Compressed TLS 1.2 record layer header and nonce: 05 17 03 03 00 16 85 0f 05 Ciphertext: ae a0 15 56 67 92 ICV: 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, TLS 1.2 with the above parameters (epoch, sequence number, length) gives 17 bytes overhead.
This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13]. The change compared to TLS 1.2 is that the TLS 1.3 record layer uses a different version.
TLS 1.3 Record Layer (20 bytes, 14 bytes overhead): 17 03 03 00 16 ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 Content type: 17 Legacy version: 03 03 Length: 00 0f Ciphertext (including encrypted content type): ae a0 15 56 67 92 ec ICV: 4d ff 8a 24 e4 cb 35 b9
TLS 1.3 gives 14 bytes overhead.
This section analyzes the overhead of TLS 1.3 [I-D.ietf-tls-tls13] when compressed with 6LoWPAN-GHC [RFC7400] [OlegHahm-ghc].
Note that this header compression is not available when TLS is used over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
Compressed TLS 1.3 record layer (21 bytes, 15 bytes overhead): 14 17 03 03 00 0f ae a0 15 56 67 92 ec 4d ff 8a 24 e4 cb 35 b9 Compressed TLS 1.3 record layer header and nonce: 14 17 03 03 00 0f Ciphertext (including encrypted content type): ae a0 15 56 67 92 ec ICV: 4d ff 8a 24 e4 cb 35 b9
When compressed with 6LoWPAN-GHC, TLS 1.3 with the above parameters (epoch, sequence number, length) gives 15 bytes overhead.
This section analyzes the overhead of OSCORE [I-D.ietf-core-object-security].
The below calculation Option Delta = ‘9’, Sender ID = ‘’ (empty string), and Sequence Number = ‘05’, and is only an example. Note that Sender ID = ‘’ (empty string) can only be used by one client per server.
OSCORE request (19 bytes, 13 bytes overhead): 92 09 05 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 CoAP option delta and length: 92 Option value (flag byte and sequence number): 09 05 Payload marker: ff Ciphertext (including encrypted code): ec ae a0 15 56 67 92 ICV: 4d ff 8a 24 e4 cb 35 b9
The below calculation Option Delta = ‘9’, Sender ID = ‘42’, and Sequence Number = ‘05’, and is only an example.
OSCORE request (20 bytes, 14 bytes overhead): 93 09 05 42 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 CoAP option delta and length: 93 Option Value (flag byte, sequence number, and Sender ID): 09 05 42 Payload marker: ff Ciphertext (including encrypted code): ec ae a0 15 56 67 92 ICV: 4d ff 8a 24 e4 cb 35 b9
The below calculation uses Option Delta = ‘9’.
OSCORE response (17 bytes, 11 bytes overhead): 90 ff ec ae a0 15 56 67 92 4d ff 8a 24 e4 cb 35 b9 CoAP delta and option length: 90 Option value: - Payload marker: ff Ciphertext (including encrypted code): ec ae a0 15 56 67 92 ICV: 4d ff 8a 24 e4 cb 35 b9
OSCORE with the above parameters gives 13-14 bytes overhead for requests and 11 bytes overhead for responses.
Unlike DTLS and TLS, OSCORE has much smaller overhead for responses than requests.
The DTLS overhead is dependent on the parameter Connection ID. The following overheads apply for all Connection IDs with the same length.
The compression overhead (GHC) is dependent on the parameters epoch, sequence number, Connection ID, and length (where applicable). The following overheads should be representative for sequence numbers and Connection IDs with the same length.
The OSCORE overhead is dependent on the included CoAP Option numbers as well as the length of the OSCORE parameters Sender ID and sequence number. The following overheads apply for all sequence numbers and Sender IDs with the same length.
Sequence Number '05' '1005' '100005' ------------------------------------------------------------- DTLS 1.2 29 29 29 DTLS 1.3 16 16 16 DTLS 1.3 (short header) 11 11 11 ------------------------------------------------------------- DTLS 1.2 (GHC) 16 16 16 DTLS 1.3 (GHC) 17 17 17 DTLS 1.3 (short header) (GCH) 12 12 12 ------------------------------------------------------------- TLS 1.2 21 21 21 TLS 1.3 14 14 14 ------------------------------------------------------------- TLS 1.2 (GHC) 17 18 19 TLS 1.3 (GHC) 15 16 17 ------------------------------------------------------------- OSCORE request 13 14 15 OSCORE response 11 11 11
Figure 1: Overhead in bytes as a function of sequence number (Connection/Sender ID = '')
Connection/Sender ID '' '42' '4002' ------------------------------------------------------------- DTLS 1.2 29 30 31 DTLS 1.3 16 17 18 DTLS 1.3 (short header) 11 12 13 ------------------------------------------------------------- DTLS 1.2 (GHC) 16 17 18 DTLS 1.3 (GHC) 17 18 19 DTLS 1.3 (short header) (GCH) 12 13 14 ------------------------------------------------------------- OSCORE request 13 14 15 OSCORE response 11 11 11
Figure 2: Overhead in bytes as a function of Connection/Sender ID (Sequence Number = '05')
Protocol Overhead Overhead (GHC) ------------------------------------------------------------- DTLS 1.2 21 8 DTLS 1.3 8 9 DTLS 1.3 (short header) 3 4 ------------------------------------------------------------- TLS 1.2 13 9 TLS 1.3 6 7 ------------------------------------------------------------- OSCORE request 5 OSCORE response 3
Figure 3: Overhead (excluding ICV) in bytes (Connection/Sender ID = '', Sequence Number = '05')
DTLS 1.2 has quite a large overhead as it uses an explicit sequence number and an explicit nonce. TLS 1.2 has significantly less (but not small) overhead. TLS 1.3 and DTLS 1.3 have quite small overhead. OSCORE and DTLS 1.3 with short header format has very small overhead.
The Generic Header Compression (6LoWPAN-GHC) can in addition to DTLS 1.2 handle TLS 1.2, and DTLS 1.2 with Connection ID. The Generic Header Compression (6LoWPAN-GHC) works very well for Connection ID and the overhead seems to increase exactly with the length of the Connection ID (which is optimal). The compression of TLS 1.2 is not as good as the compression of DTLS 1.2 (as the static dictionary only contains the DTLS 1.2 version number). Similar compression levels as for DTLS could be achieved also for TLS 1.2, but this would require different static dictionaries. For TLS 1.3 and DTLS 1.3, GHC increases the overhead. The 6LoWPAN-GHC header compression is not available when (D)TLS is used over transports that do not use 6LoWPAN together with 6LoWPAN-GHC.
The short header format for DTLS 1.3 reduces the header of 5 bytes, by omitting the length value and sending 1 lower bit of epoch value instead of 2, and 12 lower bits of sequence number instead of 30. This may create problems reconstructing the full sequence number, if ~2000 datagrams in sequence are lost.
OSCORE has much lower overhead than DTLS 1.2 and TLS 1.2. The overhead of OSCORE is smaller than DTLS 1.2 and TLS 1.2 over 6LoWPAN with compression, and this small overhead is achieved even on deployments without 6LoWPAN or 6LoWPAN without DTLS compression. OSCORE is lightweight because it makes use of some excellent features in CoAP, CBOR, and COSE.
This document is purely informational.
This document has no actions for IANA.
The authors want to thank Ari Keränen, Carsten Bormann, Göran Selander, and Hannes Tschofenig for comments and suggestions on previous versions of the draft.
All 6LoWPAN-GHC compression was done with [OlegHahm-ghc].