Some changes needed to Key Derivation section #314
Should be checked for conflicts with #310
draft-ietf-lake-edhoc.md
Outdated
The pseudorandom key PRK_out, derived as shown in {{fig-edhoc-kdf}}, is the only secret key shared between Initiator and Responder that needs to be stored after a successful EDHOC exchange, see {{m3}}. Keys for applications are derived from PRK_out, see {{exporter}}. | ||
|
||
The pseudorandom key PRK_out, derived as shown in {{fig-edhoc-kdf}} is the output of a successful EDHOC exchange. Keys for applications are derived from PRK_out, see {{exporter}}. An application using EDHOC-KeyUpdate needs to store PRK_out. If EDHOC-KeyUpdate is not used, an application only needs to store PRK_out or PRK_exporter as long as EDHOC-Exporter is used. | ||
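Review bot: the last added sentence, "an application only needs to store PRK_out or PRK_exporter as long as EDHOC-Exporter is used", is ambiguous, because "as long as" can mean "for the period during which" or "provided that", and the two readings give different storage lifetimes for the key. Say which is meant and when the stored key may be deleted. The replaced sentence also called PRK_out "the only secret key shared between Initiator and Responder that needs to be stored" and pointed to {{m3}}; the new text drops both, so confirm that is intended. A comma is missing after {{fig-edhoc-kdf}}.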
"An application using EDHOC-KeyUpdate needs to store PRK_out."
Perhaps misleading in the context of secure storage or execution, where we don't want the application to handle PRK_out.
"as long as EDHOC-Exporter is used."
Is EDHOC-Exporter mandatory to use?
Proposal:
OLD
An application using EDHOC-KeyUpdate needs to store PRK_out. If EDHOC-KeyUpdate is not used, an application only needs to store PRK_out or PRK_exporter as long as EDHOC-Exporter is used.
NEW
PRK_out needs to be stored in order to use EDHOC-KeyUpdate. If EDHOC-KeyUpdate is not used,
then PRK_out or PRK_exporter needs to be stored in order to use EDHOC-Exporter.
draft-ietf-lake-edhoc.md
Outdated
where hash_length denotes the output size in bytes of the EDHOC hash algorithm of the selected cipher suite. | ||
|
||
PRK_exporter MUST be derived anew from PRK_out if EDHOC-KeyUpdate is used, see {{keyupdate}}. | ||
where hash_length denotes the output size in bytes of the EDHOC hash algorithm of the selected cipher suite. Note that PRK_exporter changes everytime EDHOC-KeyUpdate is used, see {{keyupdate}}. |
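Review bot: the removed line carried a normative "PRK_exporter MUST be derived anew from PRK_out if EDHOC-KeyUpdate is used", and the added sentence replaces it with an informative "Note that PRK_exporter changes". An implementation that caches PRK_exporter is then left with no requirement to re-derive it and would keep exporting keys from the pre-update PRK_out. Keep the MUST, or move the re-derivation into the EDHOC-KeyUpdate definition. "everytime" should be "every time".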
"Note that PRK_exporter changes everytime EDHOC-KeyUpdate is used, see {{keyupdate}}."
{{keyupdate}} does not describe this change.
everytime -> every time
|
||
~~~~~~~~~~~ | ||
EDHOC-KeyUpdate( context ): | ||
PRK_out = EDHOC-KDF( PRK_out, 11, context, hash_length ) | ||
new PRK_out = EDHOC-KDF( old PRK_out, 11, context, hash_length ) |
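Review bot: on the added line, "new PRK_out" and "old PRK_out" are two names for what the surrounding text calls PRK_out, and nothing in the block says that the new value replaces PRK_out as the input to later derivations. State that in a sentence after the block, or keep a single name in the pseudo-code and describe the old/new distinction in prose.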
Preferably add the (optional?) derivation of new PRK_exporter within the pseudo-code so it is changed every time EDHOC-KeyUpdate is used.
new PRK_exporter = EDHOC-KDF( new PRK_out, 10, h'', hash_length )
draft-ietf-lake-edhoc.md
Outdated
~~~~~~~~~~~ | ||
|
||
where hash_length denotes the output size in bytes of the EDHOC hash algorithm of the selected cipher suite. | ||
|
||
The EDHOC-KeyUpdate takes a context as input to enable binding of the updated PRK_out to some event that triggered the keyUpdate. The Initiator and the Responder need to agree on the context, which can, e.g., be a counter or a pseudorandom number such as a hash. The Initiator and the Responder also need to cache the old PRK_out until it has verfied that the other endpoint has the correct new PRK_out. {{I-D.ietf-core-oscore-key-update}} describes key update for OSCORE using EDHOC-KeyUpdate. | ||
The EDHOC-KeyUpdate takes a context as input to enable binding of the updated PRK_out to some event that triggered the keyUpdate. The Initiator and the Responder need to agree on the context, which can, e.g., be a counter or a pseudorandom number such as a hash. To provide forward secrecy the old PRK_out needs to be deleted as soon as it is not needed. When to delete the old PRK_out and how to verify that it is not needed is up to the application. {{I-D.ietf-core-oscore-key-update}} describes key update for OSCORE using EDHOC-KeyUpdate. |
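Review bot: the added sentences drop the removed requirement to "cache the old PRK_out" until the other endpoint is verified to have the correct new PRK_out, and leave both the timing and the verification to the application. An endpoint that deletes the old key before the peer has confirmed the new one has nothing to fall back on if the update does not complete on the other side. Consider stating both bounds: keep the old PRK_out until the peer is verified, and delete it as soon as that is done. "keyUpdate" in the first sentence should read EDHOC-KeyUpdate.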
"To provide forward secrecy the old PRK_out needs to be deleted as soon as it is not needed."
needs .... needed
NEW
"To provide forward secrecy the old PRK_out must be deleted as soon as it is not needed."
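The key update discussed in this thread, as an added Python sketch that is not code from the draft or from this PR: it derives the new PRK_out (label 11) and the new PRK_exporter (label 10) together, keeps the old PRK_out only until the peer is confirmed, then discards it. Assumptions: SHA-256 as the EDHOC hash, HKDF-Expand as the expand step, and `info` encoded as the CBOR sequence (label, context, length); `KeyState`, `confirm` and `cbor_head` are hypothetical names.

```python
import hashlib
import hmac

HASH = hashlib.sha256                 # assumption: suite whose EDHOC hash is SHA-256
HASH_LENGTH = HASH().digest_size      # hash_length in the draft's notation


def cbor_head(major: int, n: int) -> bytes:
    """Minimal CBOR head (major type + argument) for values below 65536."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    if n < 65536:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    raise ValueError("value too large for this sketch")


def edhoc_kdf(prk: bytes, label: int, context: bytes, length: int) -> bytes:
    # Assumed info encoding: CBOR sequence (label : int, context : bstr, length : uint)
    info = cbor_head(0, label) + cbor_head(2, len(context)) + context + cbor_head(0, length)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:          # HKDF-Expand as in RFC 5869
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyState:
    """PRK_out and PRK_exporter, plus the previous PRK_out while an update is pending."""

    def __init__(self, prk_out: bytes):
        self.prk_out = bytearray(prk_out)
        self.prk_exporter = bytearray(edhoc_kdf(prk_out, 10, b"", HASH_LENGTH))
        self.old_prk_out = None

    def key_update(self, context: bytes) -> None:
        self.old_prk_out = self.prk_out   # cached until the peer is confirmed
        self.prk_out = bytearray(edhoc_kdf(bytes(self.old_prk_out), 11, context, HASH_LENGTH))
        # Re-derive PRK_exporter in place so exported keys follow the new PRK_out.
        self.prk_exporter[:] = edhoc_kdf(bytes(self.prk_out), 10, b"", HASH_LENGTH)

    def confirm(self) -> None:
        """Call once the peer has shown that it holds the new PRK_out."""
        if self.old_prk_out is not None:
            # Best-effort wipe; temporary bytes copies may still exist in memory.
            self.old_prk_out[:] = bytes(len(self.old_prk_out))
            self.old_prk_out = None
```

How the peer is confirmed is left to the application, as in the thread.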