[802SEC] Comments on 802.15.4y PAR
Please find below 802.1 comments on the proposed 802-15-4y PAR and CSD
Cheers,
Glenn.
----------------------------------------------------
These comments are on:
mentor.ieee.org/802.15/dcn/18/15-18-0037-03-secn-draft-par-for-4y.pdf
mentor.ieee.org/802.15/dcn/18/15-18-0040-04-secn-draft-csd-for-4y.docx
they mostly concern the "Scope of the project" and the "Need for the project" (PAR form
5.2.b and 5.5). There are also issues regarding related work by other
organizations which the simple answer to 7.1 (standards or projects with similar
scope) fails to illuminate. Use of (a) new cipher suite(s) will also require some
registration activity, so 6.1.b should be checked and explained.
1. This PAR is being brought forward in advance of calls for proposals, but at
the same time introduces a constraint on those proposals. For the reasons
described in the following comments it would be better to delay the PAR until
there is a better sense of what the final standard should achieve.
2. Referencing the use of a block cipher (AES-256 or any other) might meet a
marketing need but is not technically sufficient as a description of a project
constraint, unless all possible modes (allowing the use of a block cipher to
encipher data - such as frame contents - in excess of the block size) are to be
supported, which is not well expressed by "at a minimum".
If a specific cipher is to be identified as part of the Scope, the Cipher Suite
(mode as well as block cipher, if a block cipher such as AES is to be used)
needs to be specified.
3. Changes to protect against future attacks should not prejudge the nature of
or the solution to those attacks. This proposed amendment should ensure that
replacement of the specification of one Cipher Suite by another can be
accomplished in a modular fashion, without further extensive specification
revision. It should also ensure that the Cipher Suite (or Cipher Suites) that
might be use by a particular implementation are appropriately identifiable by
each of the key management protocols specified in IEEE Std 802.15.9. While it is
highly desirable to limit the proliferation of Cipher Suites, with a goal of
there being a single Cipher Suite in predominant use at any time, transition
periods and the need for stability for particular groups of implementations have
to be accommodated.
4. An appropriate project description might (a) introduce the appropriate
standard flexibility/agility for Cipher Suite use as noted in our comment 3
above, while (b) setting out criteria for inclusion of one or more Cipher Suites
for inclusion in this amendment (as opposed to future amendments, in response to
new attacks or a general need for more stringent criteria). These criteria
should encompass security strength, relative cost (licensing, computational
efficiency, memory), hardware and software suitability, and external
acceptability. For ease of general understanding these criteria might be stated
in terms of existing well-known Cipher Suites and implementation characteristics
(e.g. offering a security strength greater than that of AES-128-CCM).
5. Real world systems that make use of 802.15 can also participate in higher
layer protocols that also need to be secured. The effect of 802.15 decisions on
total system cost is affected by the degree to which resources (hardware assist,
code) can be shared across the system. This makes it important to be sensitive
to, and some extent dependent on, developments outside the scope of 802.15. What
are the other security standards that systems targeted by this PAR will depend
upon (e.g. EAP-TLS and its options, IEC 62591, IEC 62374)?
6. The point made about automated configuration made in CSD 1.2.5.c does not
appear to be supported by any activity identified by the PAR scope. Why will
automated configuration not apply equally to the use of AES-128 and to the use
of AES-256?
7. This PAR is being brought forward at a time when there is active high quality
work on future Cipher Suites. See CAESAR:
https://competitions.cr.yp.to/caesar.html It is reasonably likely that this
competition will complete prior to the completion of the proposed 802.15.4y
project, and will result in one or more widely acceptable Cipher Suites with at
least one of these offering significant cost advantages for computationally
constrained and memory constrained implementations. Insisting on the inclusion
of an AES-256 based Cipher Suite in the proposed amendment might then result in
confusion as to what should be included in an implementation with resulting
increased costs if a superior (in the general 802.15 application space) is
available.
8. As an editorial issue, the title of this PAR is inappropriate. It appears to be a
sentence, being nearly identical to the first sentence of the scope of the project.
It may more appropriate to generalize it as simply " Amendment: security extensions"
--
Glenn Parsons - Chair, IEEE 802.1
glenn.parsons@ericsson.com
+1-613-963-8141
----------
This email is sent from the 802 Executive Committee email reflector. This list is maintained by Listserv.