Re: [core] FW: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

John Mattsson <john.mattsson@ericsson.com> Mon, 17 May 2021 06:57 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "core@ietf.org" <core@ietf.org>
Date: Mon, 17 May 2021 06:57:20 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/O_wqdiFfORbpH1816862XBOKaZ0>

Hi,

I think the RFC 8613 'AEAD Algorithm' should be reserved for the cases where there is no signature, e.g. pair-wise, then the group request mode with signatures would have to have additional algorithms to be used with the signature algorithm. The signature construction needs to be changed so that it is secure with AES-CTR and ChaCha20 when standardized by COSE WG.

- It would be very strange to force people wanting to use AES-CCM, AES-GCM, or ChaCha20-Poly1305 or other 16-bit tag algorithms in pair-wise to use 80-byte source authentication, when it can trivially be done with 64 bytes. While the TLS conclusions regarding CCM_8 are misleading, I think there will be a trend toward 128-bit tags. Many deployments for government and financial institutions always use 128-bit tags.

- Some aspects of the "verifying the request" are not well specified today, maybe as a consequence of the symmetric tag + signature construction. The order of decrypt, signature verification, and update of the replay window is not defined. This needs to be exactly specified or stated what can be done in parallel. The current text about replay window update is linked to decryption, this needs to be changed as the replay window linked to the sender can absolutely not be updated unless the signature (source authentication) verifies.

Cheers,
John

-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca>
Date: Thursday, 13 May 2021 at 20:01
To: John Mattsson <john.mattsson@ericsson.com>, "core@ietf.org" <core@ietf.org>
Subject: Re: [core] FW: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8


John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
    > Earlier versions of Group OSCORE had these quite significant
    > vulnerabilities. My understanding is that this weakness is addressed in
    > the current version of Group OSCORE by adding more information to the
    > signature external_aad.

    > However, I see no reason to actually use countersignatures in Group
    > OSCORE.

I don't understand the need.  I know that the countersignature use in Group
OSCORE was compatible with RFC8152, but beyond that, I never quite understood
how it was used.

I'd like to ask if there are some slides from ACE that might help illuminate
this?

    > Now when COSE WG is specifying "AEAD" algorithms without integrity
    > protection I think CORE should take the time to modify the signature
    > parts of Group OSCORE from

    > AEAD() || Countersignature( AEAD() )

    > to

    > ENC() || Signature ( MAC( ENC() ) )

Hmm. I see your point, I think.
I don't have the right pieces of OSCORE paged in to understand the impact to
existing protocols, or if they are even far enough along to deal.

But, sometimes, better is the enemy of good enough.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
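
The replay-window point raised in the message above, as an added sketch that is not code from the thread or from the Group OSCORE draft: a receiver that commits the per-sender replay window only after source authentication succeeds, next to the variant that commits after the group tag check alone. Assumptions: HMAC-SHA256 stands in for both the group AEAD tag and the sender's signature so the block runs with the standard library only, the check order (group tag, then signature) is chosen for illustration, and all keys, names and the window size are constructed.

```python
import hashlib
import hmac

WINDOW = 32  # constructed replay-window size

def tag(key, data):
    # Stand-in primitive: HMAC-SHA256 models both the group tag and the signature.
    return hmac.new(key, data, hashlib.sha256).digest()

class SenderContext:
    # Receive state kept per sender: highest accepted sequence number and bitmap.
    def __init__(self, sig_key):
        self.sig_key, self.highest, self.bitmap = sig_key, -1, 0
    def is_fresh(self, seq):
        off = self.highest - seq
        return off < 0 or (off < WINDOW and not (self.bitmap >> off) & 1)
    def commit(self, seq):
        if seq > self.highest:
            shift = min(seq - self.highest, WINDOW)
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

def make_message(group_key, sig_key, seq, payload):
    body = seq.to_bytes(8, "big") + payload
    mac = tag(group_key, body)
    return seq, payload, mac, tag(sig_key, body + mac)

def receive(ctx, group_key, msg, commit_before_signature=False):
    seq, payload, mac, sig = msg
    body = seq.to_bytes(8, "big") + payload
    if not ctx.is_fresh(seq):
        return "replay"
    if not hmac.compare_digest(mac, tag(group_key, body)):
        return "bad-group-tag"
    if commit_before_signature:
        ctx.commit(seq)  # defect: window moves on a message that is not yet source-authenticated
    if not hmac.compare_digest(sig, tag(ctx.sig_key, body + mac)):
        return "bad-signature"
    if not commit_before_signature:
        ctx.commit(seq)  # correct: state changes only after the signature verifies
    return "accepted"

def demo(commit_before_signature):
    group_key, sender_key = b"constructed group key", b"constructed sender key"
    ctx = SenderContext(sender_key)
    # Built with the group key only: valid group tag, invalid sender signature.
    spoofed = make_message(group_key, b"not the sender key", 1000, b"x")
    genuine = make_message(group_key, sender_key, 1, b"hello")
    return [receive(ctx, group_key, m, commit_before_signature) for m in (spoofed, genuine)]
```

With the window committed before the signature check, the rejected message still advances the sender's window and the sender's next genuine message is dropped as a replay; with the commit after verification, it is accepted.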