# Lightweight Authenticated Key Exchange (LAKE) - IETF 114 {#lightweight-authenticated-key-exchange-lake---ietf-114} ## Wednesday, 27 July 2022 -- 17:30-18:30 UTC {#wednesday-27-july-2022--1730-1830-utc} ### [Chairs](mailto:lake-chairs@ietf.org): {#chairs} * Mališa Vučinić * Stephen Farrell ### Useful Links: {#useful-links} * [Charter][1] * [Mailing list][2] * [Instant Messaging][3] * [Minutes][4] * [Remote participation][5] ### Agenda: {#agenda} * Administrivia -- chairs, 5 mins * Computational analysis of EDHOC Sig-Sig -- Marc Ilunga, 15 mins * Computational analysis of EDHOC Stat-Stat -- Baptiste Cottier, 15 mins * draft-ietf-lake-edhoc-15 & draft-ietf-lake-traces-01 -- John Preuß Mattsson & Göran Selander, 15 mins * Hackathon report -- Marco Tiloca, 5 mins * What else is needed before WGLC? -- chairs, 5 mins * AOB ### Notetaker {#notetaker} * Marco Tiloca ### Minutes {#minutes} #### Administrivia (chairs, 5 mins) {#administrivia-chairs-5-mins} * MV: Close to wrap-up of formal analysis. We'll have two presentations on computational analysis today. Completed hacspec implementation, more updates will come at IETF 115. * MV: Created a wiki about ongoing activities at lakewg.org . Feedback and contribution is welcome. * MV: Open point on renaming "EDHOC" to "LAKE". We'll bring it to the mailing list. #### Computational analysis of EDHOC Sig-Sig (Marc Ilunga, 15 mins) {#computational-analysis-of-edhoc-sig-sig-marc-ilunga-15-mins} * Presented slides: https://datatracker.ietf.org/meeting/114/materials/slides-114-lake-computational-analysis-of-edhoc-sig-sig-01.pdf * MI: Presenting analysis done within a MSc Thesis project. SIG-SIG is structurally sound and secure. Same analysis model as that used for the TLS 1.3 Handshake. * MI: As feedback from past recommendations, good to have introduced PRK\_OUT and the transcript hash computed over the plaintext; that simplified the analysis. * JPM: Good work. These recommendations were included in EDHOC. Open PR on computing TH\_3 and TH\_4, plus a few other minor things. Please look at them. #### Computational analysis of EDHOC Stat-Stat (Baptiste Cottier, 15 mins) {#computational-analysis-of-edhoc-stat-stat-baptiste-cottier-15-mins} * Presented slides: https://datatracker.ietf.org/meeting/114/materials/slides-114-lake-computational-analysis-of-edhoc-stat-stat-02.pdf * BC: Presenting the analysis. Results on p13, considering both ciphersuites 0 and 2. * BC: Suggested improvements on the structure of message\_3 (p15) and on the computation of TH\_2 (p17) * JPM: Thanks, issues also created about these points. One more PR and additional related issues also created. * MI: Is your work publicly available? * BC: It's still a draft, we'll publish it soon as there is a pre-print or submitted. #### draft-ietf-lake-edhoc-15 & draft-ietf-lake-traces-01 (John Preuß Mattsson, 15 mins) {#draft-ietf-lake-edhoc-15--draft-ietf-lake-traces-01-john-preuß-mattsson-15-mins} * Presented slides: https://datatracker.ietf.org/meeting/114/materials/slides-114-lake-edhoc-traces-01.pdf * JPM (p4-p7): list of EDHOC changes from -13 to -14. Mostly major changes to key derivation, as to actual key derivation schedule and labels are now integers. * JPM (p5): another big change was encoding of connection identifiers; they're intrinsically byte strings, but a specific subset of those are encoded as CBOR integers on the wire. * JPM (p6): the key schedule further changed in v -15, also introducing PRK\_OUT and PRK\_Exporter. * JPM (p9): list of EDHOC changes from -14 to -15. Mostly clarification on key derivation, unauthenticated operations and security considerations. * JPM(p10): updates on EAD items (e.g., critical and non-critical use) and their labels. * JPM (p11): surveying open points, also as open issues on Github. * JPM (p12): Do we want to accommodate very large message\_2? Surveying candidate solutions. * JPM (p16): traces -01 covered EDHOC -15; traces -02 fixes some found bugs. #### Hackathon report (Marco Tiloca, 5 mins) {#hackathon-report-marco-tiloca-5-mins} * Presented slides: https://datatracker.ietf.org/meeting/114/materials/slides-114-lake-hackathon-report-00.pdf * MT: presents hackathon results. * MT: Got the implementations up to date -15 with the same setup as in Vienna. Eventually converged to the same OSCORE Master Secret and Master Salt. * GS: Stefan has also his implementation up to date to EDHOC -15. #### What else is needed before WGLC? (chairs, 5 mins) {#what-else-is-needed-before-wglc-chairs-5-mins} * SF: What's left to do? * JPM: Nothing more than already tracked issues/PRs, unless anything pops up. After a next version and implementation confirmation, we should be ready for WGLC. * MV: Today's feedback from security analysis will affect the key schedule and the implementation and traces. Do we need an interim? * GS: Need to look at the latest input, we might need some kind of meeting. Then we can update the draft and close issues/PRs. Not sure we need an interim meeting. * SF: So we might have an interim in October or so, but we might start and complete a WGLC before the November IETF meeting. Ok? * GS: Yes. * SF: Heard no objections, we'll go for it. #### AOB {#aob} * PW: Maybe good to have an early SECDIR review. * SF: Good idea, we can do on the next version of the draft. * MV: Thanks again for the formal analysis. * GS: We're making changes to the protocol. It'd be good if the formal analysis teams can do another round to ensure we don't break anything. [1]: https://datatracker.ietf.org/group/lake/about [2]: https://www.ietf.org/mailman/listinfo/Lake [3]: https://zulip.ietf.org/#narrow/stream/11-lake [4]: https://notes.ietf.org/notes-ietf-114-lake [5]: https://meetings.conf.meetecho.com/ietf114/?group=lake&short=&item=1