Explicitly stress statistical properties a PSK should have and common pitfalls when generating PSKs

Issue #22 resolved
Mališa Vučinić created an issue

Tag: WGLC

Göran Selander wrote (https://mailarchive.ietf.org/arch/msg/6tisch/fWK4i3bs3r4VmFCkSoGzgtlWSuo):

Section 4

"It is RECOMMENDED to generate the PSK with a cryptographically secure pseudorandom number generator."

There are a number of things to consider when generating random numbers. Consider replacing this specific recommendation about one such component with a reference to some existing specification containing recommendations, for example NIST SP800-90A Rev 1 (2015): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

I think that this recommendation should indeed be rephrased. I would like to avoid referencing any particular method of generating the PSK; I think that it would be enough to stress that the PSK that ends up being provisioned to the pledge should meet certain statistical properties (e.g. unpredictability, entropy).

Tero Kivinen wrote (https://mailarchive.ietf.org/arch/msg/6tisch/jTAFrLJfp6qfJ3t5UuKBJW3P2RI):

In section 4 there is text saying:

Pre-Shared Key (PSK). The JRC additionally needs to store the pledge identifier bound to the given PSK. The PSK SHOULD be at least 128 bits in length, generated uniformly at random. It is RECOMMENDED to generate the PSK with a cryptographically secure pseudorandom number generator. Each (6LBR) pledge SHOULD be provisioned with a unique PSK.

This text is fine, but knowing that most of the vendors in this space have been known to use unsafe methods like scrambling, encrypting, hashing, or MACing the serial number or EUI-64 address to generate "random unique PSKs" (or simply using a fixed PSK for all devices), it might be a good idea to provide a bit more emphasis on the unique, properly generated PSK, even when it is outside the actual scope of this document. Or add something like that to the security considerations section.

I would like at least some text in the security considerations section warning about the common wrong ways of generating PSKs. The IoT vendors quite often care more about the time to market than the security, and thus use unsafe practices as they do not know better.
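
An added example, not part of the issue or the draft: a Python sketch that provisions per-pledge PSKs from the OS CSPRNG and audits a provisioning table for the pitfalls named above (a fixed PSK shared across devices, a PSK that is just a hash of the identifier). The function names, the table layout and the sample EUI-64 values are assumptions constructed for illustration; a keyed derivation (encrypting or MACing the identifier) cannot be detected from the table alone and has to be caught by reviewing the provisioning process.

```python
import hashlib
import hmac
import secrets
from collections import Counter

PSK_LEN = 16  # 128 bits, the minimum length in the quoted draft text

def generate_psk(length=PSK_LEN):
    """Draw the PSK from the OS CSPRNG; no device attribute is an input."""
    if length < PSK_LEN:
        raise ValueError("PSK must be at least 128 bits")
    return secrets.token_bytes(length)

def provision(pledge_ids):
    """Return {pledge identifier: PSK} with one independent PSK per pledge."""
    table = {}
    for pid in pledge_ids:
        if pid in table:
            raise ValueError("pledge identifier listed twice")
        table[pid] = generate_psk()
    return table

def audit(table):
    """Return (pledge_id, finding) pairs for a provisioning table (assumed layout)."""
    findings = []
    counts = Counter(table.values())
    for pid, psk in table.items():
        if len(psk) < PSK_LEN:
            findings.append((pid, "shorter than 128 bits"))
        if counts[psk] > 1:
            findings.append((pid, "PSK shared with another pledge"))
        # Only unkeyed hashes of the identifier can be recomputed and checked here.
        for name in ("sha256", "sha512"):
            cand = hashlib.new(name, pid).digest()[:PSK_LEN]
            if hmac.compare_digest(cand, psk[:PSK_LEN]):
                findings.append((pid, f"PSK equals truncated {name} of identifier"))
    return findings

def sample_tables():
    """Constructed sample data: three made-up EUI-64 values, one good and one bad table."""
    ids = [bytes.fromhex("00112233445566%02x" % i) for i in range(1, 4)]
    good = provision(ids)
    bad = {
        ids[0]: hashlib.sha256(ids[0]).digest()[:PSK_LEN],  # hashed identifier
        ids[1]: b"\x2a" * PSK_LEN,                          # fixed PSK ...
        ids[2]: b"\x2a" * PSK_LEN,                          # ... reused on another device
    }
    return good, bad

if __name__ == "__main__":
    good, bad = sample_tables()
    print("good table findings:", audit(good))
    for pid, finding in audit(bad):
        print(pid.hex(), "->", finding)
```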
