# Security Area Advisory Group (SAAG) Minutes from IETF 104

* 28 March 2019, 13:50
* Chairs: Benjamin Kaduk, Roman Danyliw

## WG/BoF reports

* slides: https://datatracker.ietf.org/meeting/104/materials/slides-104-saag-chair-slides-00

See slides for pointers to individual WG/BoF reports. WGs which didn't submit reports provided the following updates:

* I2NSF - question about YANG modules and IANA registries. YANG model for IPSEC copies registry. Concern about how registry changes are handled.
  * Paul Hoffman suggests asking IANA staff how to do this.
  * Eliot Lear suggests engaging with YANG chairs.
* TRANS - is almost done; didn't meet.
* NTS is almost done, but more security-related work coming.
* IOT onboarding side meeting had important security aspects. Will be an interim discussion, probably week of 15 April.
* KSK rollover BOF met as well.
* CACAO will meet Friday morning. Collaborative courses of action.

## Misbinding in Pairing Protocols

* presenter: Tuomas Aura
* slides: https://datatracker.ietf.org/meeting/104/materials/slides-104-saag-misbinding-attacks-on-secure-device-pairing-00
* paper: https://arxiv.org/abs/1902.07550

Aura presented on a misbinding attack possible in many pairing protocols.

Problem:

* In key exchange, binds to wrong (dishonest) node. Known since at least 1992.
* Can be misbinding of initiator or responder.
* Solution is to be explicit about identities (e.g., bind identifiers to the key)
* Bluetooth 6-digit codes: malware can spoof the pairing interface
* But Bluetooth devices have no verifiable identifiers; authentication is based only on physical access.
* ProVerif modeling yielded a new double-misbinding case

EAP-NOOB: user-assisted out-of-band (cloud services)

* Involves relay of out-of-band message from compromised device to attacker.
* "cuckoo attacks" in trusted computing

Mitigating:

* Can't mitigate entirely, but can make attacker's life more difficult
* Bind non-modifiable device identifiers
* Device certificates to attest device
* Asset tracking

## The SNOW-V stream cipher

* presenter: John Mattsson
* slides: https://datatracker.ietf.org/meeting/104/materials/slides-104-saag-snow-v-stream-cipher-00

Mattsson presented on the SNOW-V cipher.

* 4G LTE and 5G NR: 128-bit algorithms
* 256-bit algorithms for later releases
* minimum 20 Gbps downlink in 5G, want that performance for encryption
* 5G primarily defines as VPNs.
* AES-256-GCM promising from performance standpoint, but want backup algorithms.
* Want 256-bit algorithms for government use and future-proofing
* New option: SNOW-V from Lund University, based on earlier SNOW 3G
* Software implementation reaches 50 Gbps on a single thread on laptop CPU
* More security and performance analysis planned
* Looking at faster options for integrity protection

## Open Mic

* Max Bala: use of multiple algorithms on certificates (e.g., for post-quantum). Big certificate issues, e.g., with TLS, CRLs, etc?
* Yoav Nir: Working on guide to writing security considerations. Will be posting stuff on GitHub.

## Thank you to Eric Rescorla

Thank you to outgoing Security Area Director Eric Rescorla!