Some changes needed to Key Derivation section #314
Conversation
|
Should be checked for conflicts with #310 |
draft-ietf-lake-edhoc.md
Outdated
| The pseudorandom key PRK_out, derived as shown in {{fig-edhoc-kdf}}, is the only secret key shared between Initiator and Responder that needs to be stored after a successful EDHOC exchange, see {{m3}}. Keys for applications are derived from PRK_out, see {{exporter}}. | ||
|
|
||
| The pseudorandom key PRK_out, derived as shown in {{fig-edhoc-kdf}} is the output of a successful EDHOC exchange. Keys for applications are derived from PRK_out, see {{exporter}}. An application using EDHOC-KeyUpdate needs to store PRK_out. If EDHOC-KeyUpdate is not used, an application only needs to store PRK_out or PRK_exporter as long as EDHOC-Exporter is used. | ||
There was a problem hiding this comment.
"An application using EDHOC-KeyUpdate needs to store PRK_out."
Perhaps misleading in the context of secure storage or execution, where we don't want the application to handle PRK_out.
"as long as EDHOC-Exporter is used."
Is EDHOC-Exporter mandatory to use?
Proposal:
OLD
An application using EDHOC-KeyUpdate needs to store PRK_out. If EDHOC-KeyUpdate is not used, an application only needs to store PRK_out or PRK_exporter as long as EDHOC-Exporter is used.
NEW
PRK_out needs to be stored in order to use EDHOC-KeyUpdate. If EDHOC-KeyUpdate is not used,
then PRK_out or PRK_exporter needs to be stored in order to use EDHOC-Exporter.
draft-ietf-lake-edhoc.md
Outdated
| where hash_length denotes the output size in bytes of the EDHOC hash algorithm of the selected cipher suite. | ||
|
|
||
| PRK_exporter MUST be derived anew from PRK_out if EDHOC-KeyUpdate is used, see {{keyupdate}}. | ||
| where hash_length denotes the output size in bytes of the EDHOC hash algorithm of the selected cipher suite. Note that PRK_exporter changes everytime EDHOC-KeyUpdate is used, see {{keyupdate}}. |
There was a problem hiding this comment.
"Note that PRK_exporter changes everytime EDHOC-KeyUpdate is used, see {{keyupdate}}."
{{keyupdate}} does not describe this change.
everytime -> every time
|
|
||
| ~~~~~~~~~~~ | ||
| EDHOC-KeyUpdate( context ): | ||
| PRK_out = EDHOC-KDF( PRK_out, 11, context, hash_length ) | ||
| new PRK_out = EDHOC-KDF( old PRK_out, 11, context, hash_length ) |
There was a problem hiding this comment.
Preferably add the (optional?) derivation of new PRK_exporter within the pseudo-code so it is changed every time EDHOC-KeyUpdate is used.
new PRK_exporter = EDHOC-KDF( new PRK_out, 10, h'', hash_length )
draft-ietf-lake-edhoc.md
Outdated
| ~~~~~~~~~~~ | ||
|
|
||
| where hash_length denotes the output size in bytes of the EDHOC hash algorithm of the selected cipher suite. | ||
|
|
||
| The EDHOC-KeyUpdate takes a context as input to enable binding of the updated PRK_out to some event that triggered the keyUpdate. The Initiator and the Responder need to agree on the context, which can, e.g., be a counter or a pseudorandom number such as a hash. The Initiator and the Responder also need to cache the old PRK_out until it has verfied that the other endpoint has the correct new PRK_out. {{I-D.ietf-core-oscore-key-update}} describes key update for OSCORE using EDHOC-KeyUpdate. | ||
| The EDHOC-KeyUpdate takes a context as input to enable binding of the updated PRK_out to some event that triggered the keyUpdate. The Initiator and the Responder need to agree on the context, which can, e.g., be a counter or a pseudorandom number such as a hash. To provide forward secrecy the old PRK_out needs to be deleted as soon as it is not needed. When to delete the old PRK_out and how to verify that it is not needed is up to the application. {{I-D.ietf-core-oscore-key-update}} describes key update for OSCORE using EDHOC-KeyUpdate. |
There was a problem hiding this comment.
"To provide forward secrecy the old PRK_out needs to be deleted as soon as it is not needed."
needs .... needed
NEW
"To provide forward secrecy the old PRK_out must to be deleted as soon as it is not needed."
No description provided.