Re: [core] FW: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

John Mattsson <john.mattsson@ericsson.com> Wed, 19 May 2021 03:38 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/core/GKZjMqGao5Jrq_QnJ5cf4uB7ZRc>

Hi,

Other security problems found in the past related to an attacker removing the signature were purely related to the questionable choice to have the sender countersign its own AEAD ciphertext. Due to this, some important features were removed from an earlier version.

After discussion in COSE the currently suggested text in draft-ietf-cose-countersign will likely be:

"When either COSE_Encrypt and COSE_Mac is used and more than two parties share the key, data origin authentication is not provided. Any party that knows the message-authentication key can compute a valid authentication tag; therefore, the contents could originate from any one of the parties that share the key.

Countersignatures of COSE_Encrypt and COSE_Mac with short authentication tags do not provide the security properties associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256-bits. A countersignature of a COSE_Mac with AES-MAC 256/128 provides at most 64 bits of integrity protection. Similarly, a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 provides at most 32 bits of integrity protection."

I'll make a PR to align draft-ietf-core-oscore-groupcomm with the security consideration in draft-ietf-cose-countersign, significantly lower the overhead, and try to restore the important features that were removed.

Cheers,
John

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com>
Date: Monday, 17 May 2021 at 08:57
To: Michael Richardson <mcr+ietf@sandelman.ca>, "core@ietf.org" <core@ietf.org>
Subject: Re: [core] FW: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

Hi,

I think the RFC 8613 'AEAD Algorithm' should be reserved for the cases where there is no signature, e.g. pair-wise, then the group request mode with signatures would have to have additional algorithms to be used with the signature algorithm. The signature construction needs to be changed so that it is secure with AES-CTR and ChaCha20 when standardized by COSE WG.

- It would be very strange to force people wanting to use AES-CCM, AES-GCM, or ChaCha20-Poly1305 or other 16-bit tag algorithms in pair-wise to use 80-byte source authentication, when it can trivially be done with 64 bytes. While the TLS conclusions regarding CCM_8 are misleading, I think there will be a trend toward 128 bit tags. Many deployments for government and financial institutions always use 128 bit tags.

- Some aspects of the "verifying the request" are not well specified today, maybe as a consequence of the symmetric tag + signature construction. The order of decrypt, signature verification, and update of the replay window is not defined. This needs to be exactly specified or stated what can be done in parallel. The current text about replay window update is linked to decryption, this needs to be changed as the replay window linked to the sender can absolutely not be updated unless the signature (source authentication) verifies.

Cheers,
John
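
The ordering issue raised in the message above (replay window update tied to decryption rather than to signature verification), as an added example that is not part of the original e-mail or of any Group OSCORE draft. The keys, message layout and function names are constructed; an 8-byte HMAC under the group key stands in for the AEAD tag and an HMAC under a per-sender key stands in for the sender's signature, so the block runs with the Python standard library only.

```python
import hashlib
import hmac

GROUP_KEY = b"constructed-group-key"          # known to every group member
SENDER_KEYS = {"A": b"constructed-key-of-A"}  # stand-in for A's signing key

def tag(msg: bytes) -> bytes:
    """Symmetric tag: any holder of GROUP_KEY can compute it."""
    return hmac.new(GROUP_KEY, msg, hashlib.sha256).digest()[:8]

def sign(sender: str, msg: bytes) -> bytes:
    """Stand-in for the sender's signature (HMAC under a per-sender key)."""
    return hmac.new(SENDER_KEYS[sender], msg, hashlib.sha256).digest()

class ReplayWindow:
    """Sliding window over the sequence numbers of one sender."""
    def __init__(self, size: int = 32):
        self.size, self.top, self.seen = size, -1, set()

    def is_fresh(self, seq: int) -> bool:
        return seq > self.top - self.size and seq not in self.seen

    def update(self, seq: int) -> None:
        self.top = max(self.top, seq)
        self.seen = {s for s in self.seen | {seq} if s > self.top - self.size}

def receive(windows, sender, seq, payload, t, sig, update_before_signature=False):
    """Return True if accepted. The flag reproduces the ordering to avoid."""
    win = windows.setdefault(sender, ReplayWindow())
    msg = sender.encode() + seq.to_bytes(8, "big") + payload
    if not win.is_fresh(seq) or not hmac.compare_digest(t, tag(msg)):
        return False
    if update_before_signature:
        win.update(seq)   # state changed on group-key evidence only
    if not hmac.compare_digest(sig, sign(sender, msg)):
        return False      # source authentication failed
    win.update(seq)       # only now is the sender's replay state touched
    return True

def demo(update_before_signature: bool) -> bool:
    """Is A's genuine message 1 accepted after a bad-signature message 1000?"""
    windows = {}
    bad = b"A" + (1000).to_bytes(8, "big") + b"x"   # valid tag, invalid signature
    receive(windows, "A", 1000, b"x", tag(bad), b"\x00" * 32, update_before_signature)
    genuine = b"A" + (1).to_bytes(8, "big") + b"hello"
    return receive(windows, "A", 1, b"hello", tag(genuine), sign("A", genuine),
                   update_before_signature)
```

With the window updated before the signature check, `demo(True)` shows A's genuine message being rejected as stale; with the update gated on the signature, `demo(False)` accepts it.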

-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca>
Date: Thursday, 13 May 2021 at 20:01
To: John Mattsson <john.mattsson@ericsson.com>, "core@ietf.org" <core@ietf.org>
Subject: Re: [core] FW: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8


John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
    > Earlier versions of Group OSCORE had these quite significant
    > vulnerabilities. My understanding is that this weakness is addressed in
    > the current version of Group OSCORE by adding more information to the
    > signature external_aad.

    > However, I see no reason to actually use countersignatures in Group
    > OSCORE.

I don't understand the need.  I know that the countersignature use in Group
OSCORE was compatible with RFC8152, but beyond that, I never quite understood
how it was used.

I'd like to ask if there are some slides from ACE that might help illuminate
this?

    > Now when COSE WG is specifying "AEAD" algorithms without integrity
    > protection I think CORE should take the time to modify the signature
    > parts of Group OSCORE from

    > AEAD() || Countersignature( AEAD() )

    > to

    > ENC() || Signature ( MAC( ENC() ) )

Hmm. I see your point, I think.
I don't have the right pieces of OSCORE paged in to understand the impact to
existing protocols, or if they are even far enough along to deal.

But, sometimes, better is the enemy of good enough.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide