[Cbor] Gordian Envelope and Crypto-Agility for its Hash
Christopher Allen <christophera@lifewithalacrity.com> Tue, 07 March 2023 08:25 UTC
Return-Path: <christophera@lifewithalacrity.com>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D45F1C14CE46 for <cbor@ietfa.amsl.com>; Tue, 7 Mar 2023 00:25:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lifewithalacrity-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fa7_lE2IcZao for <cbor@ietfa.amsl.com>; Tue, 7 Mar 2023 00:25:35 -0800 (PST)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4687C14CE44 for <cbor@ietf.org>; Tue, 7 Mar 2023 00:25:35 -0800 (PST)
Received: by mail-ed1-x533.google.com with SMTP id j11so29538942edq.4 for <cbor@ietf.org>; Tue, 07 Mar 2023 00:25:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifewithalacrity-com.20210112.gappssmtp.com; s=20210112; t=1678177533; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=fqRGrzRYw9GNMfJGWJIAPWUpXHJNZuYPc4vGE3iRa00=; b=3Mq7GzktAc++gloPw/GBZ5lzTBKr66wNJBzIgnZAa10xh2DoZYF2AG6M3tV2Y2l+Ta vjZ5bnKoVTo/Gc0WM6o3srhP1C3qswMgqHsmwQ6w+pqaVtOxuVm+S3YDMeb2Wa8ZcFwN rIYut+3Z4IVNpHN915mi7hc81Nnm+78nfPUJqYsvuoL617xqdOU2JA2hDe8u9tnzKFd3 alkvq6UfHbz7oq9AGjUgwRPP1QiKBiz3omAVSQVLfIEMc4LXJBnn3qh/lALwIiYqlbwO y1jqv7FlMV7vjncmeKWouvfx/eIgsC4rA7riySupfuWeIq/l0Z01/CSxdvTIHk2fm6nN rhEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678177533; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=fqRGrzRYw9GNMfJGWJIAPWUpXHJNZuYPc4vGE3iRa00=; b=kb0MGp0m0KFZGnLcq5pEN3ejDugO/e0usBqY0wLxwWvq7hoNX3DQMwJ1G4t/IsIYJk vrjRAPskhVN5n1NSaAwdrroqUAbemSqtcOG3Fz2UvIJjt7ZYSm+U7/iL1dgKvPeqYz8M gLALlw9sPR3Xm5o1k+Zi59/9Dq0sJkVesyxhNTcWK1C/Sc1tmZL9YLu0uM6dyFGZoqlq DJZ7Y9p/EUb7hqs7e8cZQ1uKHrpSrU8hOnr4ggRb5TAb64i/2vPBc+Urm2mlGbeor/XY +yzGMkCKfIXL+rClidmwWwyOmXPOaoC68g/zlsNAHCrlPdE/ktrNRATnSzRe79gcke6H UqdA==
X-Gm-Message-State: AO0yUKU4wjRr82H8t+t4hL8sWpKiOuQ2wO0nISjGeUnWyBM5PMGXXWiY uAO0upKX/hT+/IYNHatCEUvcMEJWO2snsZltuJpHr3K143t4y+gDLe79tw==
X-Google-Smtp-Source: AK7set9QZdD096VxyR2BjKnW/UWum7MK6CVApvAUU12ieLgAwrQigtiEyY6Q+7T4HWOcQpZO7k62bq+C7IJcLa8WGbo=
X-Received: by 2002:a50:f619:0:b0:4c0:616:5fc3 with SMTP id c25-20020a50f619000000b004c006165fc3mr7564496edn.0.1678177533166; Tue, 07 Mar 2023 00:25:33 -0800 (PST)
MIME-Version: 1.0
From: Christopher Allen <christophera@lifewithalacrity.com>
Date: Tue, 07 Mar 2023 00:25:22 -0800
Message-ID: <CAAse2dHXGbMDEh1vWbAReH5Ax7cCWOwv4QjfPZMh0Hv=cfaa5A@mail.gmail.com>
To: cbor@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bc163205f64b278b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/Eaa4ExaQhTQnkriQ2KWKmSv84j4>
Subject: [Cbor] Gordian Envelope and Crypto-Agility for its Hash
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2023 08:25:36 -0000
On Mon, Mar 6, 2023 at 1:55 PM Carsten Bormann <cabo@tzi.org> wrote: > On 2023-03-06, at 22:13, Christopher Allen < > ChristopherA@lifewithalacrity.com> wrote: > > We will have an updated draft -01 this week, based on feedback from > > many parties, including one of the co-authors of BLAKE, and have > > decided we can't fully take advantage of its capabilities, and thus > > will be using SHA-256. > > Makes this much more interesting to me (but don’t forget putting in some > crypto agility!). > (Generally, we try to get analysis from CFRG before we employ new crypto > components; I am not aware of any attention that has been paid there to > BLAKE3.) I thought we should move this part of the conversation to a separate thread. When looking at switching back to SHA-256 from BLAKE3, we decided to forebear crypto-agility with Gordian Envelope, especially as we have only 1 cryptographic algorithm (the hash), and desire to the conservative stance that having only one makes it easier to review, and if something major happens, we'll revise the standard to v2. This is the approach that more and more cryptographers and protocol designers like Wireguard are taking. I'm working now on an article about the various risks of crypto-agility, and alternatives like crypto-suites, methods, better layering, etc. There is some discussion about trying to reserve a 2nd top-level tag for a future version 2 without actually defining it as a form of future-proofing. I'm not sure IANA would allow us to do that. One fundamental issue specific to Gordian Envelope is that since we are using the hash algorithm to sort, changes to the hash algorithm not only change the digests of nodes, they can change the structure of the tree. This is what our https://datatracker.ietf.org/doc/draft-mcnally-envelope/ -01 draft will say (to be released this week) is: "For changes that are more sweeping, like supporting a different hash algorithm to produce the merkle tree digests, it would be necessary to use a different top-level CBOR tag to represent the envelope itself. Currently the envelope tag is #6.200, and the choice of digest algorithm in our reference implementation is SHA-256. If this version were officially released and a future version of Gordian Envelope was also released that supported BLAKE3, it will need to have a different tag. However, a problem for interoperability of these two distinct formats then arises in the choice of whether a particular envelope is encoded assuming SHA-256 or BLAKE3. Whenever there is a choice about two or more ways to encode particular data, this violates the determinism requirement that Gordian Envelopes are designed to uphold. In other words, an envelope encoding certain information using SHA-256 will not, in general, be structurally identical to the same information encoded in an envelope using BLAKE3. For instance, they will both have different root hashes, and simply knowing which algorithm produced each one will not help you know whether they have equivalent content. Only two envelope cases actually encode their digest in the binary stream: ELIDED and ENCRYPTED. If an envelope doesn't use either of these cases, then you could choose to decode the envelope with either algorithm, but if it does use either of these cases then the envelope will still decode, but attempting to decrypt or unelide its contents will result in mismatched digests. This is why the envelope itself needs to declare the hashing algorithm used using its top-level CBOR tag, and why the choice of which hash algorithm to commit to should be carefully considered." I'd really not like to go down the alley that Protocol Labs did with https://datatracker.ietf.org/doc/draft-multiformats-multihash/ — our experience has been that the lack of constraint in that list resulted in a large surface area for attacks. In addition, specifically for us, as the Envelope tag and Wrapped Envelope tag is used so often, adding even more bytes to specify a hash algorithm risks support in constrained environments (for instance, signing on JavaCard is quite limited). That being said, if the community demands a different approach, we'll support the outcome. -- Christopher Allen
- [Cbor] Gordian Envelope and Crypto-Agility for it… Christopher Allen
- Re: [Cbor] Gordian Envelope and Crypto-Agility fo… Christopher Allen
- Re: [Cbor] Gordian Envelope and Crypto-Agility fo… Vadim Goncharov
- Re: [Cbor] Gordian Envelope and Crypto-Agility fo… Christopher Allen