Hi David and Peter, I think Daniels presentation is a good summary and I tend to agree with the “No lightweight cryptography in software”. But how relevant is lightweight cryptography in IoT hardware? I been hearing some hardware people stating that the number of gates is more and more irrelevant and that the additional cost of 1000 GE is negligible with current manufacturing techniques (i.e. 1000 GE is small compared to the are needed to cut out the circuit and connecting it). We already know that the energy cost of symmetric crypto is negligible compared to wireless communication (this might however change with passive radio).
Would be interesting to hear more input on the relevance of AES- and SHA-replacements in IoT hardware. Depending on the outcome the CFRG way forward should be either: - Recommendation how to use block ciphers with 64 bit block size - Recommendation not to use block ciphers with 64 bit block size John On 29/08/16 14:44, "Cfrg on behalf of David McGrew (mcgrew)" <cfrg-boun...@irtf.org on behalf of mcg...@cisco.com> wrote: >Hi Peter, > >You make a bunch of good points. But it is also worth noting that some >people feel that current crypto standards, including IETF standards, are >suitable for IoT. See for instance slides 8 and 9 of Daniel Shumow's >talk at NIST’s LWC workshop last year: >http://csrc.nist.gov/groups/ST/lwc-workshop2015/presentations/session4-shu >mow.pdf Also, CoAP isn’t on his list, but it could be, and it uses >DTLS. So while I agree with you that overuse of a 64-bit block cipher >is far from the biggest security concern for IoT, the IETF should expect >its protocols to be used in some IoT scenarios. > >The malleability of the term IoT is causing trouble here. Slide 6 of >Daniel’s talk is quite revealing. To my thinking, by definition IoT >devices are connected to the Internet in some way. > >David > > > >On 8/28/16, 8:01 AM, "Peter Gutmann" <pgut...@cs.auckland.ac.nz> wrote: > >>David McGrew (mcgrew) <mcg...@cisco.com> writes: >> >>>I don’t think you understood my point. IoT is about small devices >>>connecting >>>to the Internet, and IETF standards should expect designed-for-IoT >>>crypto to >>>be increasingly in scope. It is important to not forget about these >>>devices, >>>amidst the current attention being paid to misuses of 64-bit block >>>ciphers, >>>which was the ultimate cause of this mail thread. >> >>But the IETF has a long history of creating standards that completely >>ignore >>IoT. I can't think of a single general-purpose IETF security standard >>(TLS, >>SSH, IPsec, etc) that has any hope of working with IoT devices (say a >>40Mhz >>ARM-core ASIC with 32kB RAM and 64kB flash). This is why the ITU/IEC >>and a >>million lesser-known standards bodies are all busy inventing their own >>exquisitely homebrew crypto protocols, most of which make WEP look like a >>model of good design. >> >>(I've always wanted to sit down and design a generic "encrypted pipe >>from A to >>B using minimal resources" spec, and I'm sure many other people have had >>the >>same thought at one time or another). >> >>So it seems like you've got: >> >>- The "TLS = the web" crowd (browser vendors and the like) who will >>implement >> whatever's trendy at the moment and assume everyone has a quad-core >>2GHz CPU >> with gigabytes of RAM and access to weekly live updates and hotfixes. >> >>- Embedded/SCADA folks who need to deal with 10-15 year product cycles >>(see my >> TLS-LTS draft for more on this) and are kind of stuck. >> >>- IoT people, who can't use any standard protocol and will get the least >> unqualified person on staff to invent something that seems OK to them. >> >>I'm not sure that a draft on theoretical weaknesses in 64-bit block >>ciphers is >>going to affect any of those... >> >>Peter. >_______________________________________________ >Cfrg mailing list >c...@irtf.org >https://www.irtf.org/mailman/listinfo/cfrg _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
