IETF Logo Mail Archive

Re: [Cbor] To be signed with packed CBOR

Brendan Moran <Brendan.Moran@arm.com> Mon, 03 August 2020 08:58 UTC

Return-Path: <Brendan.Moran@arm.com>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 737683A0CBA for <cbor@ietfa.amsl.com>; Mon, 3 Aug 2020 01:58:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=MtiQnOEV; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=MtiQnOEV
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1Es_kIGmCDF for <cbor@ietfa.amsl.com>; Mon, 3 Aug 2020 01:58:07 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10066.outbound.protection.outlook.com [40.107.1.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 168F33A0CB7 for <cbor@ietf.org>; Mon, 3 Aug 2020 01:58:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Hj/cqDpAhw8yGtu2vR0csqRSqluvjhHXqnpQU8Si5Gs=; b=MtiQnOEVYF5Smb+UIwq80I2n8I9RQJUwa3/fWf/+YwSyFiyoBcodRxzPFJiri72qCR4x64t9gI1b3b6u49/Rjy5lEbs4BXekfnQEnzGbwrdmWFWwZiX2xcAkMuZHzYs/L6P2zWx9qrBfn27DHRsm8qEY4jL5TfIwnYlxVIlPi5k=
Received: from AM5P194CA0006.EURP194.PROD.OUTLOOK.COM (2603:10a6:203:8f::16) by VI1PR0802MB2334.eurprd08.prod.outlook.com (2603:10a6:800:9d::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.16; Mon, 3 Aug 2020 08:57:59 +0000
Received: from AM5EUR03FT025.eop-EUR03.prod.protection.outlook.com (2603:10a6:203:8f:cafe::b5) by AM5P194CA0006.outlook.office365.com (2603:10a6:203:8f::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.16 via Frontend Transport; Mon, 3 Aug 2020 08:57:59 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT025.mail.protection.outlook.com (10.152.16.157) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.20 via Frontend Transport; Mon, 3 Aug 2020 08:57:58 +0000
Received: ("Tessian outbound 1c27ecaec3d6:v62"); Mon, 03 Aug 2020 08:57:58 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: cbd44d147d2fb159
X-CR-MTA-TID: 64aa7808
Received: from 9b70d5c6e891.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id DD1DE17C-9B1F-4CC4-B8CC-FD600926A972.1; Mon, 03 Aug 2020 08:57:53 +0000
Received: from EUR02-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 9b70d5c6e891.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 03 Aug 2020 08:57:53 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dp0xIL43m2xjx1kTgR0+9Z4qdwwOgCtajBx6M5o79sXqlG1EYq3uDLgvS9DTrzEZ/TtAP7BAuLP1csd2IHaZedVsUyZEuXEdjM87m/jSvKKnP2JbwVR42Os6TpukU4GdsdAoMmZOp3SN17YFVmyVWjiVSEzmH+Ie3C3aTAuPJ3PMkAW8snAaOU1yuqk5k6tEsSL3sO/3BwESC52v7laGzQazDOBHDGfyAxtEqGp8InbSGUp19SufcjP1l0nJKzHCnI7rSSXpSzllc4mqqDaCTltALFteOTHWW2CtcIXmgaXVDdyLJKgAjRm6zzPafSDq9ZPPy2R7Wh8DLvCjoySp5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Hj/cqDpAhw8yGtu2vR0csqRSqluvjhHXqnpQU8Si5Gs=; b=aSZduVQYZ14xrd4x2Q9OIvkBN8n9r4pjjuYJ6CySRqNnqHI54Y94hjP7g8sOXrnoUkPku40Le0zDqDfGjJeKPXQdbxR0fsOiCZFDytHvlDyU41ZhYTazGKrh6C32wk+u5sRMIEHnpakN+NBxbjRu5WPRuyWK35ULnQzfX5utruF+cvCJSu1jjzhXBYk5zc6RnSpvJlc9o+jv2g4SdjmmEB3mKEX7XACAxFgbVqj9/lwrKRhgPzTciKEI8ZqCMke3nzA8u64q0Sao3KjHQ4YifmGc43LRSo9TOwvF+i5af/18q6E2FSooS97vwha6x5neQXbbfnQlE/iELbf4uGXe8A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Hj/cqDpAhw8yGtu2vR0csqRSqluvjhHXqnpQU8Si5Gs=; b=MtiQnOEVYF5Smb+UIwq80I2n8I9RQJUwa3/fWf/+YwSyFiyoBcodRxzPFJiri72qCR4x64t9gI1b3b6u49/Rjy5lEbs4BXekfnQEnzGbwrdmWFWwZiX2xcAkMuZHzYs/L6P2zWx9qrBfn27DHRsm8qEY4jL5TfIwnYlxVIlPi5k=
Received: from AM6PR08MB4738.eurprd08.prod.outlook.com (2603:10a6:20b:cf::10) by AM6PR08MB4804.eurprd08.prod.outlook.com (2603:10a6:20b:c9::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.20; Mon, 3 Aug 2020 08:57:51 +0000
Received: from AM6PR08MB4738.eurprd08.prod.outlook.com ([fe80::a98d:5ebe:dc1d:ea56]) by AM6PR08MB4738.eurprd08.prod.outlook.com ([fe80::a98d:5ebe:dc1d:ea56%3]) with mapi id 15.20.3239.021; Mon, 3 Aug 2020 08:57:51 +0000
From: Brendan Moran <Brendan.Moran@arm.com>
To: Jim Schaad <ietf@augustcellars.com>
CC: "cbor@ietf.org" <cbor@ietf.org>
Thread-Topic: To be signed with packed CBOR
Thread-Index: AdZoVSw+vsBVJFTHSuO8kQ2a2dqqlwBHv4AA
Date: Mon, 03 Aug 2020 08:57:51 +0000
Message-ID: <AFAB1044-1AAF-444B-8563-27386CAA1560@arm.com>
References: <04b501d6685b$932fbbe0$b98f33a0$@augustcellars.com>
In-Reply-To: <04b501d6685b$932fbbe0$b98f33a0$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.80.23.2.2)
Authentication-Results-Original: augustcellars.com; dkim=none (message not signed) header.d=none;augustcellars.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [82.20.19.206]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 3cb0f286-cf80-4401-23b7-08d8378b51f4
x-ms-traffictypediagnostic: AM6PR08MB4804:|VI1PR0802MB2334:
X-Microsoft-Antispam-PRVS: <VI1PR0802MB23347E9B7FD5730AF89F9B44EA4D0@VI1PR0802MB2334.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: G+EolOmY8U1FulnS3GU2bWkAa+9w2Q2sKD/5g8uJ1wdRtFRjUqR/ohvAWcJXqNnLrw/tLqNR9f7tqPNXyqhPe4vXf6jdGF+bZhqRlcdwEkCRFM8Rk0xx8a0tu8E8hmH/mAkFCgsCNfiHIfCVM7HTtBtxfohIumvy4qubFxLB3vzc++Hw7hCcLVmLC9RlWywVnhi4Vmbp8dn7ljWMfcWdr8RTgceipr6Aib6n3bQJLoARGDAlASlnb0Y+MqfL95e042bmS8SJRGEEnD20l/7fqz6XyaatDXsOmcPN2VJrWGV6QKdHXf6tMLALQIYibTGqewNiOX9U2i74nUhspFlacw==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR08MB4738.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(39860400002)(136003)(396003)(346002)(366004)(8676002)(36756003)(83380400001)(2616005)(6916009)(316002)(33656002)(4326008)(2906002)(64756008)(66446008)(26005)(91956017)(66946007)(66476007)(5660300002)(66556008)(6486002)(186003)(6512007)(71200400001)(86362001)(53546011)(6506007)(478600001)(76116006)(8936002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: CYvnU3qxGXk37ow3H8GxFj1Fpe4SOacCwtUG2VQTGjiticdRiwd3STPsAWfttjpN2GHfPAaA/T+hln5fC95hp9MVdV4CrvLztqOeE/psUIX+gvb/NuzvHmcHCRKeMqyFVOXiE10iM9CbfMc7Ck26+1KpT01OgfSJRGaPkdxKkSRDXWgjO9p1DPRKkPjMyv8eR+CNeJ7nUlgViViU274GU7Ig/DEEmSr7lyoF9XZdEwxLBokPMJCTQB89UuZ288E2wekDSJ74giIhSJ+BjOmJUpLyVMvfgdAV1SxdhkGpGnnbRiBJ9ph7C9Ja7vXoeeyIDhAGIWVhUMdOwsshb6P0Zfm+9Zr1Wr3lWAIo8OVs9gfMG/EN57b6y330I7vqKsJTLzEFibMsf7UJnSHviQZJkIb2RqB6Mu1fbM7SNmmVxMZXEN9KkbtjbBH+1QvktWy26y127poBRK0dmVYmoDu/cze1CAYhbHHroHrVpNYx53b7mHNWCyWqRNzFKNgm4nk3+A8d+YSZZ5htxf3Js5iNNh9a8K+XXvvUlm7k4XVFTlCN4e3ugtanXQloeb7B6d/hcRMVUQubtSZUxKaRQjmT76AFz3Ga+XI4PYK8u9nR5yaCfvPuOjBvwNn8pGFOzioahKdRR8458L9/p/ExfJNBTQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <29E33F1C46A3654083A3FE43CC28E0AD@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4804
Original-Authentication-Results: augustcellars.com; dkim=none (message not signed) header.d=none;augustcellars.com; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT025.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 179ab597-ee7f-4510-8d76-08d8378b4dac
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 594MrQNcxI0yNbLWShdqFmr2uEEuyGowz+Xoa5LsLVZljRpGTkiCNmy29pLfqDDDPdwxLz7OwoSx0ZpcWbT9h3bw55Utp7fCihP75HGlkSRjXC7a7IryZy5dq8F7L5mS5IzgM9RVjJ8v/mvLVtmYBmEwrSrk1GiN6YpuChxe6slnmOBEiPR9gb1wk1uqMot/m3BrHecvUzcNwzws5sDbhiMXWGBIupgdjCqGJl1IrSVmXMhG1+4aRn/EOmuCOhf7TP/W6TqwuHe4MRLcfpLAg0EqJZThd8EKoh2sIleogYKEle4mEFU0VIfxT3tfHclR1xxrGtKqXM9wnc5LBfIvqgY2NtGAK48HxO2H1rQYUguSqr0B86/lGdntSR2P68upfA/DMyaJc8EIVGiWn1+Svw==
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(136003)(396003)(39860400002)(376002)(346002)(46966005)(5660300002)(82740400003)(26005)(70586007)(47076004)(36906005)(186003)(83380400001)(53546011)(33656002)(6506007)(81166007)(70206006)(356005)(316002)(82310400002)(336012)(2616005)(6862004)(6512007)(8936002)(86362001)(2906002)(6486002)(36756003)(8676002)(4326008)(478600001); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Aug 2020 08:57:58.7212 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3cb0f286-cf80-4401-23b7-08d8378b51f4
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT025.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0802MB2334
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/q8Sqj1EeBdvN52JpQEWP7QO4Td8>
Subject: Re: [Cbor] To be signed with packed CBOR
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2020 08:58:09 -0000

Hi Jim,

> On 2 Aug 2020, at 00:29, Jim Schaad <ietf@augustcellars.com> wrote:
>
> Brendan,
>
> I know that this is currently an academic question, but something you said
> in the SUIT meeting has me slightly worried.  The problem with being the
> note taker is that you never have anytime to mentally go down the channels
> of ideas that pop up.
>
> One of the things that you said is that the use of packed CBOR would make
> things better when there are multiple authentication structures on what is
> basically the same data.  The problem is that if you do the packing prior to
> doing the signature, then you end up in the situation where you need somehow
> to also include the packing dictionary in the data that is being signed.  I
> don't have enough knowledge of how the manifest works but if after a
> signing, one can add more information to the manifest and then apply packing
> to that section which could add more items to the packed lookup tables thus
> breaking the signatures.

I think we probably got our wires crossed here. There’s a few points to this:

1. SUIT is organised in such a way that one would probably pack the COSE objects and the non-COSE objects in separate, non-overlapping packed CBOR structures. This should mean that you do not require a signature over the dictionary for COSE packing.

2. With nested packed CBOR, we might need a way to specify whether the packer recursed into an already-packed object or not. That would bring us back to the situation in 1.

As a rule, I suspect we should assume that any dictionary should apply to either unauthenticated objects OR authenticated objects, but NEVER both. This will require us to distinguish between recursively packed (nested object contains references to enclosing object dictionary) and simply packed (nested object contains no references to enclosing object dictionary) objects. This may require a tag.

Brendan

>
> All,
>
> This is one of the reasons that I was asking questions about doing the
> signature on a packed or unpacked version of the data.  The idea of adding
> things which might alter the lookup tables at the root means that you have
> problems knowing that what was signed is what is validated without doing
> things like walking the content to extract a new pair of lookup tables to
> include as part of the signed content.
>
> Jim
>
>

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email