[core] Allowing non-HMAC based KDF in OSCORE

John Mattsson <john.mattsson@ericsson.com> Fri, 03 April 2020 11:04 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B7693A17BD for <core@ietfa.amsl.com>; Fri, 3 Apr 2020 04:04:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JVNfLlv1V9JP for <core@ietfa.amsl.com>; Fri, 3 Apr 2020 04:04:10 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50088.outbound.protection.outlook.com [40.107.5.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE84E3A17BB for <core@ietf.org>; Fri, 3 Apr 2020 04:04:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WhddMS3NIfyKXYUjPCyNQybSRyviYaG2neAsWLJ+9npMS8kjJ1WHswagbuzAQvcuz/ZtVZro4WbhJeAh5u8Z7XWg1TualMvMuXz2j+YXZWtMMrmxLbC7L+DZIAiqq6gFwgYZM8Xvb0wJQAeyvwzK7kmlfr/IU67mSmeX+Lpub96hQjuMAKONwpvzwmX0xjaCI4FW54AAybHPy3YQTtIMs6MWtQmMdq2/Y7Lag5DT17zpVpLy9xR+0u5OU15CL3DEojPCVbEHKWRCL1c4viYjwz1jPxSX5B4BeJDZY9CRnckYodFVRICAyCZcpfRVE2x8TGVHuxCMcsqcLwRkqmKTkQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CNvA+66Zs6wB9oq4o9EwaLhw7V1k64ST3jh5pAiR1wg=; b=XT3BS3YFQpHsKMIsmfD9CzPodJkKwUp4eT1BDTok3ADPo5msMAM9m7MR9zpPmnyFyQ7JKSBjDxYyHaKxGFRhoXiVmXwymL4U1ctSLDHgksRksm8IA/0bSAWO2fwmlvO9Z4eXMUn3Hxhe8X2aEp2t70JwXuotrorsw8cWOba1JuK2ugWzqP6MBH8Bj2NgCwwsVvppmlf/gacGYHhU4y3Xb0gHkhvqlxleuU+yuYUFwMYwCjXy1+hayiaB3m2yr3UYZLcYXSwaIgTpKkTCbZKDWyCaBFG1TlE0sUMlEGgxGmYDGQ08oQm98W6c996m8h/0PYvasyF6wrPRYCnJtURZFw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CNvA+66Zs6wB9oq4o9EwaLhw7V1k64ST3jh5pAiR1wg=; b=Kojxy9FIC/VP0WrdMGLnyq8Q1vKf2kpEqv4oPE/JTqdRwDBeDvouRki8zUFUS+bka3kxGKnbRPdZon30e8DgcenB9NLDW3c4+8bnATbcR+1qJkFy2T8X7wO5STzCofLT7TV67/nyDcCZjRyi4id34EXvxJQuZCiUAhXQoA0ZMPo=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (20.177.37.216) by AM6PR07MB5576.eurprd07.prod.outlook.com (20.178.90.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.13; Fri, 3 Apr 2020 11:03:55 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::928:dc19:896b:4b91]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::928:dc19:896b:4b91%6]) with mapi id 15.20.2878.014; Fri, 3 Apr 2020 11:03:54 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "core@ietf.org" <core@ietf.org>
Thread-Topic: Allowing non-HMAC based KDF in OSCORE
Thread-Index: AQHWCaeQBKQ/R/PrJ0CpFz210vCuHQ==
Date: Fri, 3 Apr 2020 11:03:54 +0000
Message-ID: <5CD4BE47-4E21-4E00-8BE7-752917CBAF51@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.35.20030802
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 035948b9-8259-4041-d912-08d7d7beb365
x-ms-traffictypediagnostic: AM6PR07MB5576:
x-microsoft-antispam-prvs: <AM6PR07MB5576322E57BBB225C236237889C70@AM6PR07MB5576.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0362BF9FDB
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(366004)(136003)(346002)(396003)(39860400002)(376002)(478600001)(81156014)(2616005)(81166006)(8676002)(8936002)(6512007)(36756003)(6506007)(316002)(86362001)(44832011)(6486002)(66556008)(66476007)(2906002)(33656002)(186003)(6916009)(91956017)(66946007)(64756008)(26005)(71200400001)(5660300002)(76116006)(66446008); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: e7UaZXOCBi1vUVeQpGzvhVcf5/XnckGPDwA6vGCqfdM4G+neb4y0Nd/67zjYjHvqz1JZWkZCd5hGbDILvwtrTMLzPeRXFzq8yYl3rI1CBsU3D3ZPx/smkSg+XfJF2UFTyXJKlgYMTDJdgiwI2exQBnyiqW91UwewPpf7G8f6oBhTR2uklG3jCtzz+4Rwkva/PDkOorHCIaCmI6O5RjQwQdctaux4THRlM9Q5ZtXzI+1YK5D1/xBZNYJzjEFgfBVAKUG780+e94DvyzmVPvLCynnz5zlC+5G7x3OUWR5cNm48tJ+xXjOn3hFg0QF9uowYdDLWaGyfM3+T8g2gD8FHNnIaad9QsdVQH98emO6lopOsQpNb1F/BHLe8P3BzV5zO76+6jnTu3aHgEPppXyX99zzgothfwbz0mQv2NIxGKw7lpteww1/ZKsHZwv5OS4M1
x-ms-exchange-antispam-messagedata: XOqCrnXJB19xeF169tgpgHhNYIXAA4Bmhhi7pm7v00QbMThCKlOpVqm/rjvhnaxBrPeEgihzYUWdGmKk2XQWYA4T4UwnBvFVI58ySD7aLT0RcX0Uaa3o6U+VFJYulUWd2rWyuKdqv7ICrYca0JpO2g==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <C3D17453F00BA94390E37FBF58F0F5BC@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 035948b9-8259-4041-d912-08d7d7beb365
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Apr 2020 11:03:54.8819 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: RNT89w8mapdL9k/n83OT2CdyR64FnKznG/8Lj1PXtAuxyVw+4CMEuVO199IZiKNU7mFTF7ajI+XPRwLzY3FlRxpf6fQ065YE7dFQ5sJ9PhY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB5576
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/I1JnqPjlzh5ZVsw10VrG5uuk9N0>
Subject: [core] Allowing non-HMAC based KDF in OSCORE
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 11:04:18 -0000

 Hi,

As pointed out by Jim in the COSE virtual interim yesterday, OSCORE restricts the type of KDF to HMAC-based HKDF algorithms. I do not know (or remember) why the restriction is there.

- There are no security reasons for the limitation (at least not if Master Secret is uniformly random), and it currently hinders OSCORE to be used with the COSE AES based KDFs.
- The restriction is currently a practical problem. 6TiSCH people have stated that using AES and SHA-256 is not a problem at all.
- however, the restriction may be more limiting in the future. COSE is currently discussing adding KMAC. For a node implementign SHAKE128, HMAC is overkill, and KMAC is a simpler and more lightweight alternative. HMAC was specifically design to mitigate the length extension attacks of early hash functions and is not needed for SHA-3. NIST lightweight crypto competition have many primitives that can be used for both AEAD and hashing, they will likely have lightweight KDF modes different from HMAC mode.

I don't think there is any hurry to change this restriction but I think it should be changed at some point. It makes sense for OSCORE to allow any KDF specified in COSE. I would suggest that Group OSCORE (which updates OSCORE) lifts this limitation also for RFC 8613. Another possibility is to write a new draft, but it seems easier to just put it in Group OSCORE.

Cheers,
John