Re: [core] [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

John Mattsson <john.mattsson@ericsson.com> Thu, 13 May 2021 14:34 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/core/9drVAw72xK5YQQJ38TubsYymUr0>

Hi,

Another big disadvantage with the current design is that the user has to choose between more useless in the signature mode and less security in pair-wise.

In the signature mode, the tag provides no security and you want it as small as possible. For pair-wise, many applications would definitely want to use 16-byte tags, e.g. applications aligning with the CNSA suite.

I think 8-18 additional bytes of overhead for the signature mode makes a difference. One example would be warning broadcasts in cellular networks. In some networks the amount of data that can be broadcast with acceptable latency is 75 bytes. Group OSCORE without the useless AEAD tag could be used, but Group OSCORE with the tag cannot.

Cheers,
John

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com>
Date: Thursday, 13 May 2021 at 16:14
To: "core@ietf.org" <core@ietf.org>
Subject: FW: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

Hi,

I just posted the following suggested addition to the COSE countersign draft:

"Countersignatures of COSE_Encrypt and COSE_Mac with short tags and non-empty external_aad do not at all give the security properties normally associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256-bits. A countersignature of a COSE_Mac with AES-MAC 256/128 only gives 64-bit security and a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 only gives 32-bit security. Another solution is to provide the same external_aad used in the COSE_Encrypt and COSE_Mac to the countersignature algorithm, but this external_aad is typically not available to the party performing or verifying the countersignature."

https://mailarchive.ietf.org/arch/msg/cose/9vv0DC_7tL1_DfvHd4VNp-dXz38/

Earlier versions of Group OSCORE had these quite significant vulnerabilities. My
understanding is that this weakness is addressed in the current version of Group
OSCORE by adding more information to the signature external_aad. 

However, I see no reason to actually use countersignatures in Group OSCORE.
The definition of countersignature in the Oxford dictionary is
"a signature added to a document already signed by another person." The use in
Group OSCORE where the same entity calculates the AEAD and the signature seems
very strange, and there seems to be no good reason for it. Wrapping the COSE_Encrypt
in a COSE_Sign seems like a much more natural solution. 

The COSE WG will soon register AEAD algorithms without integrity protection such
as AES-CTR. This is after a request from FIDO that wants to wrap a COSE_Encrypt
in a COSE_MAC.

https://mailarchive.ietf.org/arch/msg/cose/ELiOc-ED9IoaFhR5d9FS7KBC-vc/

The use of AEAD together with a signature wastes 8-16 bytes in each packet
without any benefit whatsoever. This goes very much against the design
philosophies behind CoAP and OSCORE, where every byte has to be justified.

Now when COSE WG is specifying "AEAD" algorithms without integrity protection
I think CORE should take the time to modify the signature parts of
Group OSCORE from

AEAD() || Countersignature( AEAD() )

to 

ENC() || Signature ( MAC( ENC() ) )

Cheers,
John
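
Added example, not part of the original message and not code from COSE or Group OSCORE: a toy model of why a signature over only ciphertext || tag depends on the collision resistance of a short tag, and why also signing the external_aad removes that dependence. The truncated HMAC used in place of the AEAD tag, the 16-bit tag size, the sample bytes and the simplified to-be-signed layouts are assumptions chosen so the search finishes instantly.

```python
import hashlib
import hmac
import itertools

TAG_BITS = 16  # assumption: toy size so the search is instant (CCM_8 has 64)

def short_tag(key, external_aad, ciphertext):
    """Stand-in for a truncated AEAD tag (HMAC-SHA256, not AES-CCM)."""
    msg = len(external_aad).to_bytes(2, "big") + external_aad + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_BITS // 8]

def tbs_tag_only(ciphertext, tag, external_aad):
    """Signature input that relies on the tag to bind external_aad."""
    return ciphertext + tag

def tbs_with_aad(ciphertext, tag, external_aad):
    """Signature input that also covers external_aad directly."""
    return len(external_aad).to_bytes(2, "big") + external_aad + ciphertext + tag

def colliding_aads(key, ciphertext):
    """Birthday search by a key holder: two external_aad values, one tag."""
    seen = {}
    for i in itertools.count():
        aad = b"constructed-aad-%d" % i  # constructed sample values
        tag = short_tag(key, aad, ciphertext)
        if tag in seen:
            return seen[tag], aad, tag, i + 1
        seen[tag] = aad

def demo():
    key = b"constructed group key"            # constructed sample input
    ciphertext = b"constructed ciphertext"    # constructed sample input
    aad_a, aad_b, tag, tries = colliding_aads(key, ciphertext)
    same_weak = tbs_tag_only(ciphertext, tag, aad_a) == tbs_tag_only(ciphertext, tag, aad_b)
    same_fixed = tbs_with_aad(ciphertext, tag, aad_a) == tbs_with_aad(ciphertext, tag, aad_b)
    return {
        "tries": tries,
        "distinct_aad": aad_a != aad_b,
        "tag_only_same": same_weak,   # one signature would verify for both AADs
        "with_aad_same": same_fixed,  # signing the AAD separates the two
    }

if __name__ == "__main__":
    print(demo())
```

With a t-bit tag the search takes on the order of 2^(t/2) tag computations, which matches the 32-bit figure the quoted text gives for a 64-bit tag.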

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com>
Date: Thursday, 13 May 2021 at 14:04
To: Russ Housley <housley@vigilsec.com>
Cc: cose <cose@ietf.org>
Subject: Re: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

Hi Russ,

I made a PR with a first draft of such text

https://github.com/cose-wg/countersign/pull/6

"Countersignatures of COSE_Encrypt and COSE_Mac with short tags and non-empty external_aad do not at all give the security properties normally associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256-bits. A countersignature of a COSE_Mac with AES-MAC 256/128 only gives 64-bit security and a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 only gives 32-bit security. Another solution is to provide the same external_aad used in the COSE_Encrypt and COSE_Mac to the countersignature algorithm, but this external_aad is typically not available to the party performing or verifying the countersignature."

Cheers,
John

-----Original Message-----
From: Russ Housley <housley@vigilsec.com>
Date: Monday, 15 March 2021 at 17:58
To: John Mattsson <john.mattsson@ericsson.com>
Cc: cose <cose@ietf.org>
Subject: Re: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

John:

Are you asking for additional text in the security considerations to warn against short MACs?  If so, can you provide the first draft of such text?

Russ


> On Mar 12, 2021, at 3:12 AM, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi,
> 
> When I analysed an earlier version of Group OSCORE some years ago it had severe security problems when used with CCM_8 + Countersignature. The attacks were pretty bad. 64-bit offline complexity against source authentication/availability from a different person in the group and something slightly over 32-bit online security (collecting 2^32 messages) against a source authentication/availability from a third party outside of the group. The problem was that the countersignature relied on the AEAD tag for integrity protection of the additional data. This was fixed in Group OSCORE by adding all the additional data to the signature as well.
> 
> The use case of Countersignatures is "Countersignatures provide a method of having a second party sign some data." In this case I don't think CCM_8 + Countersignature provides the expected security. Unless you can put all the additional data to the signature as well, I think CCM_8 + Countersignature needs to be forbidden.
> 
> I don't really see why Group OSCORE is using countersign in the first place, it seems like a relic from a time when it was assumed that OSCORE would be a single COSE structure on the wire as well.
> 
> Cheers,
> John