Re: [Cbor] Review: draft-bormann-cbor-packed-00 & SUIT
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 29 July 2020 17:53 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3C1E3A0D7F for <cbor@ietfa.amsl.com>; Wed, 29 Jul 2020 10:53:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XiVQqE5jXjt4 for <cbor@ietfa.amsl.com>; Wed, 29 Jul 2020 10:53:40 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17DB73A0D23 for <cbor@ietf.org>; Wed, 29 Jul 2020 10:53:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 7E65938A16; Wed, 29 Jul 2020 13:33:05 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 8WIu1Cc6ySk1; Wed, 29 Jul 2020 13:33:04 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 244A638A14; Wed, 29 Jul 2020 13:33:04 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id CEF7535C; Wed, 29 Jul 2020 13:53:36 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Brendan Moran <Brendan.Moran@arm.com>, Jim Schaad <ietf@augustcellars.com>, "cbor@ietf.org" <cbor@ietf.org>, Carsten Bormann <cabo@tzi.org>
In-Reply-To: <406B6702-3045-4490-8CD0-8E352F924714@arm.com>
References: <5E28C6E2-DFEC-4AF5-96CE-75E8F0927818@arm.com> <01d901d66503$2bbd93c0$8338bb40$@augustcellars.com> <7216D806-3473-463E-B6F2-AD8724AC56C6@tzi.org> <021e01d66535$57827d90$068778b0$@augustcellars.com> <406B6702-3045-4490-8CD0-8E352F924714@arm.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 29 Jul 2020 13:53:36 -0400
Message-ID: <24543.1596045216@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/3z5Cni6r2FEekOG8Mh-MH5j6QRc>
Subject: Re: [Cbor] Review: draft-bormann-cbor-packed-00 & SUIT
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 17:53:44 -0000
{please note that this converation is incomprehensible unless you render the
HTML, so the archives are be useless. I feel that this thread should be in
the SUIT WG too, but I won't CC because catching up will be hard}
Brendan Moran <Brendan.Moran@arm.com> wrote:
> My intent was to verify first, then unpack. This is because the
> unpacked structure never exists, in its entirety, in memory. If you
> have to unpack straight into the digest algorithm in order to verify,
> you introduce a TOCTOU problem. If you verify first, you at least have
> a static, verified object.
I agree. I would write the encoder "sign the packed structure"
(so decoder we verify first, then unpack...)
I like this because it means:
a) a third party can verify the signature without having the dictionaries.
Clearly it can't audit the contents without the external dictionar(y/ies).
b) at this point in the specification I'm unclear if multiple passes of the
unpacked content is required. But, if we did want to permit such
self-referential things, the decoder could wind up decoding infinite
things. Such a thing ight be a desireable feature!
We could accomodate such a thing if with sign the packed structure,
because the decoder would know it's authentic before it tried to
expand.
> This could be an even harder question to ask with the use of an external
> dictionary. There is one potential benefit w/ COSE in that the hash of the
> dictionary could be included as external data.
i.e. it could go into the protected bucket.
> The problem with this approach is dictionary selection. We need some
> way to hint a dictionary identifier if it’s not obvious. This could be
> a tag, an element in the Tag 6 array, some kind of OOB signal, or
> something else.
I think it needs to be in the tag 6 array.
cabo> There are two aspects here:
cabo> — how do we make sure the external dictionary cannot be surreptitiously
cabo> exchanged by an attacker
> This requires some sort of security mechanism. Using a COSE feature
> that includes additional data is not ideal in SUIT because we support
> COSE_Sign, COSE_Sign1, COSE_MAC, or COSE_MAC0, or any combination
> thereof. This would mean that a COSE feature that includes extra data
> would be duplicated for as many COSE objects as are included. Of
> course, that’s not particularly relevant if the list of COSE objects is
> also using packed CBOR, so maybe it’s fine.
> Including a dictionary reference as AAD seems fine to me. In the SUIT
> case, I think I would make it more explicit because we need to identify
> which external dictionary to digest.
cabo> — how do we make sure there is an unambiguous
cabo> way to integrate the external dictionary/-ies into the prefix and sharing tables?
> We need to (logically) concatenate the dictionaries together. The question is: which order?
> From a pull parser perspective, I think I would suggest a stack-based model:
> - Each dictionary is an element in a singly linked list.
> - When you encounter a new dictionary, you push it onto the head of the list
> - When you finish a rump element, you pop the dictionary associated
> with it from the head of the list.
> - When you find a dictionary reference in the rump, you traverse the
> dictionary list, starting at the most recent.
> - When you find a dictionary reference in a dictionary element, you
> traverse the dictionary list, starting at the current dictionary.
Implying that dictionaries can be created that are self-referential, and can
blow up to infinite data streams :-)
Unless you mean that dictionaries should be sorted so that they always (can only)
reference forward, and you can start at the current location in the current
dictionary.
> This has several advantages:
> - It’s compatible with including a packed CBOR object inside a packed
> CBOR object without rewriting any references.
> - The data model for dictionary traversal is fairly simple
I agree.
> It has several disadvantages:
> - References have inconsistent meanings (Tag 6 (1) doesn’t mean the
> same dictionary entry everywhere. It points to different dictionaries
> in different places)
> - The stack model requires some kind of allocation strategy to keep
> track of the dictionaries.
It's a stack of pointers. It can point at the in-band dictionary which can
be processed by a pull-parser. Or at an out-of-band dictionary which is
probably in "ROM" in some convenient format (probably CBOR map)
> - The compressor has to be aware of the dictionaries of packed CBOR
> objects it traverses in order to pack anything that appears within an
> already packed CBOR object.
In the SUIT case, the compressor is "cloud" :-)
> However, this may be naive as well. It implies that there is only a
> list of dictionaries that applies at any point, rather than a
> tree. This is probably accurate when looking at nested packed
> objects. It might be more of a problem with external dictionaries.
> I think that external dictionaries *outside* an authentication object
> probably don’t require authentication, since the authentication object
> itself will naturally verify these data. However, any external
> dictionary represented *inside* an authentication object MUST also be
> authenticated.
--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
- [Cbor] Review: draft-bormann-cbor-packed-00 & SUIT Brendan Moran
- Re: [Cbor] Review: draft-bormann-cbor-packed-00 &… Jim Schaad
- Re: [Cbor] Review: draft-bormann-cbor-packed-00 &… Carsten Bormann
- Re: [Cbor] Review: draft-bormann-cbor-packed-00 &… Jim Schaad
- Re: [Cbor] Review: draft-bormann-cbor-packed-00 &… Brendan Moran
- Re: [Cbor] Review: draft-bormann-cbor-packed-00 &… Michael Richardson
- Re: [Cbor] Review: draft-bormann-cbor-packed-00 &… Brendan Moran
- Re: [Cbor] Review: draft-bormann-cbor-packed-00 &… Michael Richardson
- Re: [Cbor] Review: draft-bormann-cbor-packed-00 &… Brendan Moran
- Re: [Cbor] Review: draft-bormann-cbor-packed-00 &… Michael Richardson