Internet DRAFT - draft-schaad-ace-tls-cbor-handshake
draft-schaad-ace-tls-cbor-handshake
Network Working Group J. Schaad
Internet-Draft March 5, 2019
Intended status: Experimental
Expires: September 6, 2019
TLS Handshake in CBOR
draft-schaad-ace-tls-cbor-handshake-00
Abstract
None
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 6, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Schaad Expires September 6, 2019 [Page 1]
�
Internet-Draft TLS Handshake in CBOR March 2019
Table of Contents
1. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Handshake Protocol . . . . . . . . . . . . . . . . . . . . . 4
3. Client Hello . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Server Hello . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . 6
5.1. Supported Versions . . . . . . . . . . . . . . . . . . . 7
5.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.3. Signature Algorithms . . . . . . . . . . . . . . . . . . 7
5.4. Certificate Authorities . . . . . . . . . . . . . . . . . 9
5.5. OID Filters . . . . . . . . . . . . . . . . . . . . . . . 9
5.6. Post-Handshake Client Authentication . . . . . . . . . . 9
5.7. Supported Groups . . . . . . . . . . . . . . . . . . . . 9
5.8. Key Share . . . . . . . . . . . . . . . . . . . . . . . . 10
5.8.1. ECDHE Parameters . . . . . . . . . . . . . . . . . . 11
5.9. Pre-Shared Key Exchange Modes . . . . . . . . . . . . . . 11
5.10. Early Data Indication . . . . . . . . . . . . . . . . . . 12
5.11. Pre-Shared Key Extension . . . . . . . . . . . . . . . . 12
5.12. Other Extensions . . . . . . . . . . . . . . . . . . . . 13
6. Server Parameters . . . . . . . . . . . . . . . . . . . . . . 13
6.1. Encrypted Extensions . . . . . . . . . . . . . . . . . . 13
7. Certificate Request . . . . . . . . . . . . . . . . . . . . . 14
8. Authentication Messages . . . . . . . . . . . . . . . . . . . 14
8.1. Certificate . . . . . . . . . . . . . . . . . . . . . . . 14
8.2. Certificate Verify . . . . . . . . . . . . . . . . . . . 15
8.3. Finish . . . . . . . . . . . . . . . . . . . . . . . . . 15
9. Record Protocol . . . . . . . . . . . . . . . . . . . . . . . 15
9.1. Record Layer . . . . . . . . . . . . . . . . . . . . . . 15
9.2. Record Payload Protection . . . . . . . . . . . . . . . . 16
10. CBOR Slashed Version . . . . . . . . . . . . . . . . . . . . 17
11. Transport with CoAP . . . . . . . . . . . . . . . . . . . . . 17
12. Informational . . . . . . . . . . . . . . . . . . . . . . . . 18
Appendix A. Sample Messages . . . . . . . . . . . . . . . . . . 18
A.1. Standard TLS for X25519 and Ed25519 . . . . . . . . . . . 18
A.2. Pre-shared key for authentication w/ ephemeral DH . . . . 20
A.3. Stripped TLS w/ Ed25519 . . . . . . . . . . . . . . . . . 22
A.4. Stripped TLS w/ PSK . . . . . . . . . . . . . . . . . . . 24
Appendix B. Open ideas for ways to make things smaller . . . . . 25
Appendix C. EDHOC issues that worry me . . . . . . . . . . . . . 26
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 26
1. Summary
There are two measures that can be looked at when measuring how good
the different options presented below are going to be.
Schaad Expires September 6, 2019 [Page 2]
�
Internet-Draft TLS Handshake in CBOR March 2019
o Total Number Of Bytes: The total number of bytes that are needed
to perform the key establishment protocol.
o Total Number of Messages: The total number of messages that are
needed to perform the key establishment protocol. This measure is
going to be dependent on which of the transports is being used.
For UDP the sizes are going to be from 576 to 1152 in the course
of normal events. This means that all of the protocols being
looked at can be run in three messages without any problems. For
6LoWPAN L2 however, the packet size is 127 bytes which leads to
many more messages needed to be used. One can send approximately
80 bytes of payload in a single message, but if one is using
blockwise transfer then the payloads are going to be limited to 64
bytes.
Summary of message sizes in bytes.
+------------+-----+-----+-------+-------+-------+-------+
| | TLS | TLS | TLS-C | TLS-C | TLS-S | TLS-S |
+------------+-----+-----+-------+-------+-------+-------+
| | RPK | PSK | RPK | PSK | RPK | PSK |
| | | | | | | |
| Message #1 | 122 | 164 | 97 | 134 | 47 | 64 |
| | | | | | | |
| Message #2 | 306 | 163 | 262 | 143 | 145 | 66 |
| | | | | | | |
| Message #3 | 205 | 72 | 175 | 54 | 101 | 21 |
| | | | | | | |
| Total | 633 | 399 | 534 | 331 | 293 | 151 |
+------------+-----+-----+-------+-------+-------+-------+
Summary of message sizes in estimated number of messages.
+------------+-----+-----+-------+-------+-------+-------+
| | TLS | TLS | TLS-C | TLS-C | TLS-S | TLS-S |
+------------+-----+-----+-------+-------+-------+-------+
| | RPK | PSK | RPK | PSK | RPK | PSK |
| | | | | | | |
| Message #1 | 2 | 3 | 2 | 3 | 1 | 1 |
| | | | | | | |
| Message #2 | 5 | 3 | 5 | 3 | 3 | 1 |
| | | | | | | |
| Message #3 | 4 | 1 | 3 | 1 | 2 | 1 |
| | | | | | | |
| Total | 11 | 7 | 10 | 7 | 6 | 3 |
+------------+-----+-----+-------+-------+-------+-------+
Schaad Expires September 6, 2019 [Page 3]
�
Internet-Draft TLS Handshake in CBOR March 2019
2. Handshake Protocol
The TLS Handshake message is:
struct {
HandshakeType msg_type; /* handshake type */
uint24 length; /* remaining bytes in message */
select (Handshake.msg_type) {
case client_hello: ClientHello;
case server_hello: ServerHello;
case end_of_early_data: EndOfEarlyData;
case encrypted_extensions: EncryptedExtensions;
case certificate_request: CertificateRequest;
case certificate: Certificate;
case certificate_verify: CertificateVerify;
case finished: Finished;
case new_session_ticket: NewSessionTicket;
case key_update: KeyUpdate;
};
} Handshake;
For the CBOR encoding make the following changes:
o Remove the length field: It is expected that this can be passed
down from the record layer.
o Make the message type and field be a map.
Handshake = handshakeMessage
handshakeMessage = {
1 : ClientHello,
2 : ServerHello,
3 : EndOfEarlyData,
4 : EncryptedExtensions,
5 : CertificateRequest,
6 : Certificate,
7 : CertificateVerify,
8 : Finished,
9 : NewSessionTicket,
10 : KeyUpdate
}
Expected space savings:
o 3 bytes for the length
Schaad Expires September 6, 2019 [Page 4]
�
Internet-Draft TLS Handshake in CBOR March 2019
3. Client Hello
The TLS Client Hello structure is:
uint16 ProtocolVersion;
opaque Random[32];
uint8 CipherSuite[2]; /* Cryptographic suite selector */
struct {
ProtocolVersion legacy_version = 0x0303; /* TLS v1.2 */
Random random;
opaque legacy_session_id<0..32>;
CipherSuite cipher_suites<2..2^16-2>;
opaque legacy_compression_methods<1..2^8-1>;
Extension extensions<8..2^16-1>;
} ClientHello;
For the CBOR encoding make the following changes:
o Remove all of the legacy items - reduction of 5 bytes + lengths?.
ClientHello = [
random : bstr .len 32,
cipher_suites : [+ int . len 1], // max 2^8-1
extensions : [ + Extension ]
]
4. Server Hello
The TLS Server Hello structure is:
struct {
ProtocolVersion legacy_version = 0x0303; /* TLS v1.2 */
Random random;
opaque legacy_session_id_echo<0..32>;
CipherSuite cipher_suite;
uint8 legacy_compression_method = 0;
Extension extensions<6..2^16-1>;
} ServerHello;
For the CBOR encoding make the following changes:
o Remove all of the legacy fields.
Schaad Expires September 6, 2019 [Page 5]
�
Internet-Draft TLS Handshake in CBOR March 2019
ServerHello = [
random : bstr .len 32
cipher_suite : int,
extensions : [ + Extension ]
]
5. Extensions
The TLS Extenions field is:
struct {
ExtensionType extension_type;
opaque extension_data<0..2^16-1>;
} Extension;
enum {
server_name(0), /* RFC 6066 */
max_fragment_length(1), /* RFC 6066 */
status_request(5), /* RFC 6066 */
supported_groups(10), /* RFC 8422, 7919 */
signature_algorithms(13), /* RFC 8446 */
use_srtp(14), /* RFC 5764 */
heartbeat(15), /* RFC 6520 */
application_layer_protocol_negotiation(16), /* RFC 7301 */
signed_certificate_timestamp(18), /* RFC 6962 */
client_certificate_type(19), /* RFC 7250 */
server_certificate_type(20), /* RFC 7250 */
padding(21), /* RFC 7685 */
pre_shared_key(41), /* RFC 8446 */
early_data(42), /* RFC 8446 */
supported_versions(43), /* RFC 8446 */
cookie(44), /* RFC 8446 */
psk_key_exchange_modes(45), /* RFC 8446 */
certificate_authorities(47), /* RFC 8446 */
oid_filters(48), /* RFC 8446 */
post_handshake_auth(49), /* RFC 8446 */
signature_algorithms_cert(50), /* RFC 8446 */
key_share(51), /* RFC 8446 */
(65535)
} ExtensionType;
For the CBOR encoding make the following changes:
o Remove items we don't care about
o Encode as a map.
Schaad Expires September 6, 2019 [Page 6]
�
Internet-Draft TLS Handshake in CBOR March 2019
ExtensionType = (
// 0 : ServerName,
// 1 : max_fragment_length,
// 5 : status_request,
10 : supported_groups,
13 : signature_algorithms,
// 14 : use_srtp,
// 15 : heartbeat,
// 16 : application_layer_protocol_negoiation,
// 18 : signed_certificate_timestamp,
// 19 : client_certificate_type,
// 20 : server_certificate_type,
// 21 : padding,
41 : pre_shared_key,
// 42 : early_data,
// 43 : supported_versions,
// 44 : cookie,
45 : psk_key_exchange_modes,
// 47 : certificate_authorities,
// 48 : oid_filters,
// 49 : post_handshake_auth,
// 50 : signature_algoirthms_cert,
51 : key_share
)
Extension = ( int, any )
5.1. Supported Versions
Not currently used as we only have one version. If absent it will be
assumed to be this version.
5.2. Cookie
There is no reason for this extension to be used in CoRE. For the
same functionality use [I-D.ietf-core-echo-request-tag].
5.3. Signature Algorithms
The TLS signature algorithm structures are:
Schaad Expires September 6, 2019 [Page 7]
�
Internet-Draft TLS Handshake in CBOR March 2019
enum {
/* RSASSA-PKCS1-v1_5 algorithms */
rsa_pkcs1_sha256(0x0401),
rsa_pkcs1_sha384(0x0501),
rsa_pkcs1_sha512(0x0601),
/* ECDSA algorithms */
ecdsa_secp256r1_sha256(0x0403),
ecdsa_secp384r1_sha384(0x0503),
ecdsa_secp521r1_sha512(0x0603),
/* RSASSA-PSS algorithms with public key OID rsaEncryption */
rsa_pss_rsae_sha256(0x0804),
rsa_pss_rsae_sha384(0x0805),
rsa_pss_rsae_sha512(0x0806),
/* EdDSA algorithms */
ed25519(0x0807),
ed448(0x0808),
/* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
rsa_pss_pss_sha256(0x0809),
rsa_pss_pss_sha384(0x080a),
rsa_pss_pss_sha512(0x080b),
/* Legacy algorithms */
rsa_pkcs1_sha1(0x0201),
ecdsa_sha1(0x0203),
/* Reserved Code Points */
private_use(0xFE00..0xFFFF),
(0xFFFF)
} SignatureScheme;
struct {
SignatureScheme supported_signature_algorithms<2..2^16-2>;
} SignatureSchemeList;
One of the differences that may need to be dealt with at this point
is the question of keeping the same enumeration as TLS uses or if the
enumeration should be changed. For this document the same
enumeration is being kept. TLS uses the current two byte format
because it separates the hash algorithm from the public key
algorithms. For a single algorithm this ends up being 3 bytes for
CBOR and 4 bytes for TLS. Each additional algorithm adds 2 bytes
until you get to 12 algorithms. If one switched to using integer
values from the COSE tables, then one ends up with the same byte
count.
Schaad Expires September 6, 2019 [Page 8]
�
Internet-Draft TLS Handshake in CBOR March 2019
For the CBOR encoding make the following changes:
o None
signature_algorithms = bstr
5.4. Certificate Authorities
Not used.
5.5. OID Filters
Not used.
5.6. Post-Handshake Client Authentication
Not used.
5.7. Supported Groups
The TLS structure is:
enum {
/* Elliptic Curve Groups (ECDHE) */
secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
x25519(0x001D), x448(0x001E),
/* Finite Field Groups (DHE) */
ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
ffdhe6144(0x0103), ffdhe8192(0x0104),
/* Reserved Code Points */
ffdhe_private_use(0x01FC..0x01FF),
ecdhe_private_use(0xFE00..0xFEFF),
(0xFFFF)
} NamedGroup;
struct {
NamedGroup named_group_list<2..2^16-1>;
} NamedGroupList;
It makes more sense to change the enumeration from that used by TLS
to the COSE EC curve registry as those values are only single byte
values and are small. One implication is that all of the Finite
Field Groups are dropped, but this should not be a problem. This
means a 2 byte value for a single curve in the CBOR version rather
Schaad Expires September 6, 2019 [Page 9]
�
Internet-Draft TLS Handshake in CBOR March 2019
than a 4 byte encoding for TLS. Adding a second curve adds one byte
for CBOR and 2 bytes for TLS.
For the CBOR encoding make the following changes:
o Change from a two byte enumeration to the the integer values from
the COSE EC curve registry.
NamedGroup = {
secp256r1: 1, secp384r1: 2, secp521r1: 3,
x25519: 4, x448:5
}
supported_groups = [ + NamedGroup ]
5.8. Key Share
The TLS structure for key share is:
struct {
NamedGroup group;
opaque key_exchange<1..2^16-1>;
} KeyShareEntry;
struct {
KeyShareEntry client_shares<0..2^16-1>;
} KeyShareClientHello;
struct {
NamedGroup selected_group;
} KeyShareHelloRetryRequest;
struct {
KeyShareEntry server_share;
} KeyShareServerHello;
For the CBOR encoding make the following changes:
Schaad Expires September 6, 2019 [Page 10]
�
Internet-Draft TLS Handshake in CBOR March 2019
keyShareEntry = {
secp256r1 : CompressedPointRepresentation,
secp384r1 : CompressedPointRepresentation,
secp521r1 : CompressedPointRepresentation,
x25519 : bstr,
x448 : bstr,
* NamedGroup : any
}
key_share = KeyShare_ClientHello | KeyShare_HelloRetryRequest |
KeyShare_ServerHello
KeyShare_ClientHello = [ *keyShareEntry]
KeyShare_HelloRetryRequest = NamedGroup
KeyShare_ServerHello = keyShareEntry
5.8.1. ECDHE Parameters
The TLS structure is:
struct {
uint8 legacy_form = 4;
opaque X[coordinate_length];
opaque Y[coordinate_length];
} UncompressedPointRepresentation;
For the CBOR encoding make the following changes:
o Switched to compressed points for space savings.
CompressedPointReprentation = [
x : bstr,
y : bool
]
5.9. Pre-Shared Key Exchange Modes
The TLS structure is:
enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
struct {
PskKeyExchangeMode ke_modes<1..255>;
} PskKeyExchangeModes;
Changes for CBOR:
Schaad Expires September 6, 2019 [Page 11]
�
Internet-Draft TLS Handshake in CBOR March 2019
pskKeyExchangeMode = ( psk_key: 0, psk_dhe_ke:1 }
psk_key_exchange_modes = [ + pskKeyExchangeMode]
5.10. Early Data Indication
Not used.
5.11. Pre-Shared Key Extension
The TLS structure is:
struct {
opaque identity<1..2^16-1>;
uint32 obfuscated_ticket_age;
} PskIdentity;
opaque PskBinderEntry<32..255>;
struct {
PskIdentity identities<7..2^16-1>;
PskBinderEntry binders<33..2^16-1>;
} OfferedPsks;
struct {
select (Handshake.msg_type) {
case client_hello: OfferedPsks;
case server_hello: uint16 selected_identity;
};
} PreSharedKeyExtension;
The changes for CBOR are:
pre_shared_key = clientHello_PSK | serverHello_PSK
clientHello_PSK = OfferedPsks
serverHello_PSK = int
OfferedPsks = [
identities : [ +PskIdentity ],
binders : bstr
]
PskIdentity = (
identity : bstr,
? obfuscated_ticket_age : int
)
Schaad Expires September 6, 2019 [Page 12]
�
Internet-Draft TLS Handshake in CBOR March 2019
5.12. Other Extensions
TLS
struct {
select(ClientOrServerExtension) {
case client:
CertificateType client_certificate_types<1..2^8-1>;
case server:
CertificateType client_certificate_type;
}
} ClientCertTypeExtension;
struct {
select(ClientOrServerExtension) {
case client:
CertificateType server_certificate_types<1..2^8-1>;
case server:
CertificateType server_certificate_type;
}
} ServerCertTypeExtension;
CBOR
clientCertType = certTypeRequest | certTypeResponse
serverCertType = certTypeRequest | certTypeResponse
certTypeRequest = [+ cerType]
certTypeResponse = certType
certType = (x509:0, rawPublicKey:1 }
6. Server Parameters
6.1. Encrypted Extensions
The TLS structure is:
struct {
Extension extensions<0..2^16-1>;
} EncryptedExtensions;
For CBOR:
EncryptedExtensions = [ * Extension ]
Schaad Expires September 6, 2019 [Page 13]
�
Internet-Draft TLS Handshake in CBOR March 2019
7. Certificate Request
Not Used
8. Authentication Messages
8.1. Certificate
TLS
enum {
X509(0),
RawPublicKey(2),
(255)
} CertificateType;
struct {
select (certificate_type) {
case RawPublicKey:
/* From RFC 7250 ASN.1_subjectPublicKeyInfo */
opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
case X509:
opaque cert_data<1..2^24-1>;
};
Extension extensions<0..2^16-1>;
} CertificateEntry;
struct {
opaque certificate_request_context<0..2^8-1>;
CertificateEntry certificate_list<0..2^24-1>;
} Certificate;
certificate = [
? certificate_request_context : bstr,
certificate_list : [* CertificateEntry]
]
CertificateEntry = [
certificate : {
0 : bstr, // cert_data,
1 : bstr // ASN1_subjectPublicKeyInfo
},
extensions : [* Extension]
]
Schaad Expires September 6, 2019 [Page 14]
�
Internet-Draft TLS Handshake in CBOR March 2019
8.2. Certificate Verify
TLS
struct {
SignatureScheme algorithm;
opaque signature<0..2^16-1>;
} CertificateVerify;
CBOR
CertificateVerify = [
algorithm : SignatureScheme,
signature : bstr
]
8.3. Finish
TLS
struct {
opaque verify_data[Hash.length];
} Finished;
CBOR
Finished = bstr
9. Record Protocol
9.1. Record Layer
TLS
Schaad Expires September 6, 2019 [Page 15]
�
Internet-Draft TLS Handshake in CBOR March 2019
enum {
invalid(0),
change_cipher_spec(20),
alert(21),
handshake(22),
application_data(23),
(255)
} ContentType;
struct {
ContentType type;
ProtocolVersion legacy_record_version;
uint16 length;
opaque fragment[TLSPlaintext.length];
} TLSPlaintext;
CBOR
contentType = (
invalid: 0, change_cipher_spec: 20, alert:21, handshake:22,
application_data:23
)
TLSPlaintext = (
type : contentType,
fragment : bstr
)
9.2. Record Payload Protection
TLS
struct {
opaque content[TLSPlaintext.length];
ContentType type;
uint8 zeros[length_of_padding];
} TLSInnerPlaintext;
struct {
ContentType opaque_type = application_data; /* 23 */
ProtocolVersion legacy_record_version = 0x0303; /* TLS v1.2 */
uint16 length;
opaque encrypted_record[TLSCiphertext.length];
} TLSCiphertext;
CBOR
Schaad Expires September 6, 2019 [Page 16]
�
Internet-Draft TLS Handshake in CBOR March 2019
TLSCiphertext = (
type : application_data,
encrypted_record : bstr
)
10. CBOR Slashed Version
There are many things that the EDHOC system did that slashed down
size that has not been done for the previous version of TLS. If
these changes are made then a non-trivial amount of savings can be
done that might or might not be considered acceptable in this
situation.
For the puspose of making things even small we are making the
following assumptions:
o Remove the random number strings from the system. Since we are
always going to do new ephemeral keys on both sides when the
protocol is done, then the random numbers are not needed. If new
ephemeral keys are not done on both sides, then the perfect
forward secrecy requirement is not met.
o Trucate all HMAC values to 64-bits.
o If the encrypted extensions handshake message is empty, then omit
it.
o In cases where a single value can be in an array, change the
syntax to be either the single value or an array of values.
o Change the behavior of some of the extensions by adding additional
operations and changing defaults.
* Change the default value for client and server certificate type
from "certificate" to "RPK" and "reference".
* Change the behavior of the curves extension so that if it is
omitted, then the cruve offered in the key share is assumed to
be the only one supported by the client.
11. Transport with CoAP
Transporting the messages w/ CoAP is fairly simple:
1. Message #1 is a POST to a fixed location.
2. Message #2 is the response to the POST. The message returns
either Created (2.01) or a TLS Alert message with Bad Request
Schaad Expires September 6, 2019 [Page 17]
�
Internet-Draft TLS Handshake in CBOR March 2019
(4.00). If the message is successful, then a Location-Path will
be returned as part of the message.
3. Message #3 is a PUT to the returned location path from the above
response.
4. Message #4 is either a TLS Alert message with Bad Request (4.00)
or an empty Changed (2.04) message. At this point the location
path is deleted on the server.
12. Informational
[I-D.ietf-core-echo-request-tag]
Amsuess, C., Mattsson, J., and G. Selander, "Echo and
Request-Tag", draft-ietf-core-echo-request-tag-03 (work in
progress), October 2018.
Appendix A. Sample Messages
A.1. Standard TLS for X25519 and Ed25519
The size of messge #1 is 97 bytes
22,
<< 1,
[
h'0011223344556677889900112233445566778899001122334455
667788990011', / random /
[ h'1304' / TLS_AES_128_CCM_SHA256 ], / cipher suites /
[ 51, [ 4 / x25519 /, h'00112233445566778899001122334455
66778899001122334455667788990011' ],
13, [ h'0807' / Ed2215 / ], / signature algorithms /
10, [ 4 / secp256r1 / ],
19, [ 1 ] / client_cert_type /,
20, [ 1 ] / server_cert_type /,
]
]
>>
Message #1
The size of message #2 is 262 bytes. If you directly encode what is
below it will be 16 bytes short as there is no provision in the CDDL
for the 16 bytes of the MAC appended to the end of the encrypted
data.
Schaad Expires September 6, 2019 [Page 18]
�
Internet-Draft TLS Handshake in CBOR March 2019
22,
<<
2,
[
h'00112233445566778899001122334455667788990011223344
55667788990011', / random /
h'1304', / cipher suite /
[
51, [ 4 / x25519 /, h'001122334455667788990011223344
5566778899001122334455667788990011' ] / key share /
]
]
>>,
23,
<<
4,
[ 19, 1, / client_cert_type /
20, 1 / server_cert_type /
],
11,
[
[ 1 / rpk /,
h'1122334455667788990011223344556677889900112233445566
778899001122334455667788990011223344'
]
],
12,
[
h'0807',
h'1122334455667788990011223344556677889900112233445566
778899001122334455667788990011223344556677889900112233
4455667788990011223344'
],
13,
h'1122334455667788990011223344556677889900112233445566
778899001122'
>>
Message #2
Size of message #3 is 175 bytes
Schaad Expires September 6, 2019 [Page 19]
�
Internet-Draft TLS Handshake in CBOR March 2019
23,
<<
11,
[
[ 1 / rpk /,
h'11223344556677889900112233445566778899001122334455
66778899001122334455667788990011223344'
]
],
12,
[
h'0807',
h'112233445566778899001122334455667788990011223344
55667788990011223344556677889900112233445566778899
001122334455667788990011223344'
],
13,
h'1122334455667788990011223344556677889900112233445566
778899001122'
>>
Message #3
A.2. Pre-shared key for authentication w/ ephemeral DH
The size of messge #1 is 97 bytes
22,
<< 1,
[
h'001122334455667788990011223344556677889
9001122334455667788990011', / random /
[ h'1304' / TLS_AES_128_CCM_SHA256 ], / cipher suites /
[ 51, [ 4 / x25519 /, h'0011223344556677889900112233445
566778899001122334455667788990011' ],
13, [ h'0807' / Ed2215 / ], / signature algorithms /
10, [ 4 / secp256r1 / ],
19, [ 1 ] / client_cert_type /,
20, [ 1 ] / server_cert_type /,
]
]
>>
Message #1
The size of message #2 is 262 bytes. If you directly encode what is
below it will be 16 bytes short as there is no provision in the CDDL
Schaad Expires September 6, 2019 [Page 20]
�
Internet-Draft TLS Handshake in CBOR March 2019
for the 16 bytes of the MAC appended to the end of the encrypted
data.
22,
<<
2,
[
h'001122334455667788990011223344556677889900112233445
5667788990011', / random /
h'1304', / cipher suite /
[
51, [ 4 / x25519 /, h'00112233445566778899001122
33445566778899001122334455667788990011' ] / key share /
]
]
>>,
23,
<<
4,
[ 19, 1, / client_cert_type /
20, 1 / server_cert_type /
],
11,
[
[ 1 / rpk /,
h'1122334455667788990011223344556677889900112233445566
778899001122334455667788990011223344'
]
],
12,
[
h'0807',
h'1122334455667788990011223344556677889900112233445566
7788990011223344556677889900112233445566778899001122
334455667788990011223344'
],
13,
h'112233445566778899001122334455667788990011223344556677
8899001122'
>>
Message #2
Size of message #3 is 175 bytes
Schaad Expires September 6, 2019 [Page 21]
�
Internet-Draft TLS Handshake in CBOR March 2019
23,
<<
11,
[
[ 1 / rpk /,
h'11223344556677889900112233445566778899001122334455
66778899001122334455667788990011223344'
]
],
12,
[
h'0807',
h'1122334455667788990011223344556677889900112233445566
77889900112233445566778899001122334455667788990011223
34455667788990011223344'
],
13,
h'1122334455667788990011223344556677889900112233445566778
899001122'
>>
Message #3
A.3. Stripped TLS w/ Ed25519
The size of messge #1 is 47 bytes
22,
<< 1,
[
1 / TLS_AES_128_CCM_SHA256_64 /, / cipher suites /
[ 1, [ 4 / x25519 /, h'00112233445566778899001122334455
66778899001122334455667788990011' ],
2, 99 / Ed2215 / / signature algorithms /
]
]
>>
Message #1
The size of message #2 is 146 bytes. The encryption authentication
code is added as a separate at the end of the encrypted handshake
block.
Schaad Expires September 6, 2019 [Page 22]
�
Internet-Draft TLS Handshake in CBOR March 2019
22,
<<
2,
[
1 / TLS_AES_128_CCM_SHA256_64 /, / cipher suite /
[
1, [ 4 / x25519 /, h'001122334455667788990011223344
5566778899001122334455667788990011' ] / key share /
]
]
>>,
23,
<<
11,
[
[ 9 / reference /,
h'1122334455'
] / certificate /
],
12,
[
99,
h'11223344556677889900112233445566778899001122
3344556677889900112233445566778899001122334455
66778899001122334455667788990011223344'
/ signature /
], / certificate verify /
13,
h'1122334455667788', / finish /
h'11223344556677' / encryption authentication code /
>>
Message #2
Size of message #3 is 102 bytes
Schaad Expires September 6, 2019 [Page 23]
�
Internet-Draft TLS Handshake in CBOR March 2019
23,
<<
11,
[
[ 9 / reference /,
h'1122334455'
]
], / certificate /
12,
[
99,
h'11223344556677889900112233445566778899001122
33445566778899001122334455667788990011223344
5566778899001122334455667788990011223344'
], / certificate verify /
13,
h'1122334455667788', / finish /
h'1122334455667788' / encryption authentication code /
>>
Message #3
A.4. Stripped TLS w/ PSK
The size of messge #1 is 65 bytes
22,
<< 1,
[
1, / cipher suites /
[ 1, [ 4 / x25519 /, h'001122334455667788990011
2233445566778899001122334455667788990011' ],
2, 99, / signature algorithms /
6, [ h'0102030405', h'0102030405060708' ]
]
]
>>
Message #1
The size of message #2 is 59 bytes. If you directly encode what is
below it will be 16 bytes short as there is no provision in the CDDL
for the 16 bytes of the MAC appended to the end of the encrypted
data.
Schaad Expires September 6, 2019 [Page 24]
�
Internet-Draft TLS Handshake in CBOR March 2019
22,
<<
2,
[
1, / cipher suite /
[
1, [ 4 / x25519 /, h'0011223344556677889900112233445
566778899001122334455667788990011' ], / key share /
6, 1
]
]
>>,
23,
<<
13,
h'1122334455667788'
>>
Message #2
Size of message #3 is 12 bytes
23,
<<
13,
h'1122334455667788'
>>
Message #3
Appendix B. Open ideas for ways to make things smaller
The following things can still be considered for shrinking things:
o Make the random values optional. This would kill 66 bytes from
the first and second messages.
o Think of a way to shorten the SKI encoding of the raw public key.
o Decode to re-encode the signature and cipher suite numbers
o Change some of the default values. For example we could change to
RPK being the default certificate type.
o Create a HMAC cipher suite which truncates the output for doing
finish messages. This is not unusual for the world of IoT and
Schaad Expires September 6, 2019 [Page 25]
�
Internet-Draft TLS Handshake in CBOR March 2019
thus should be considered. Halving the length of this saves 17
bytes in message 2 and 3.
Appendix C. EDHOC issues that worry me
I still need to actually read the current document. From a quick
glance through I have the following issues:
o It is limited to four cipher suites of which only two are globally
defined.
o Need to validate that P-256 can do key agreement correctly with
only an X coordinate.
Author's Address
Jim Schaad
Email: ietf@augustcellars.com
Schaad Expires September 6, 2019 [Page 26]
