[core] FW: [COSE] draft-ietf-cose-countersign-02 - Secruity problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

John Mattsson <john.mattsson@ericsson.com> Thu, 13 May 2021 14:15 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C305F3A012A for <core@ietfa.amsl.com>; Thu, 13 May 2021 07:15:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dSc2rU0EBZA8 for <core@ietfa.amsl.com>; Thu, 13 May 2021 07:14:56 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0622.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1e::622]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4A4C3A0AFD for <core@ietf.org>; Thu, 13 May 2021 07:14:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IR6ArTeVs7JOXQJ7yBmWKtFdYqyU36N2dBpq+Ut8KVAe0Hn5aOhv7to/nJhyH+yl6jwn0Gftd5s9Ww9IaLsw3cByAAe9sMP9IU/K90LLgVwV1r9dJVpg0MSSFyV8iivz65vZ6RPkSAdRrINmlW9xt3awvtG/EqZmu/E+lhG0bEiZED6LNGxf65BiV3HnE6Dm2S+GLijKhsAavCUCQ2Cxrj95xeoTyAggYAbJ515ZmtdgOokZLexkQx/N8WdWkq7hka2S+N/HXpqHDRZgrRkJ/0BoWO7ZZpOMtlbSzBnSWMOu8g+fl9H9uu77VVSsnf4B2ZptWEAhe6AyMXBynzzhRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oZCU8Z+lN2yBC+qBn2U0VdYciTeZBseKX2cECQcf6WI=; b=QNiU3ksh0vZDo9EUdY2VFh85Hun9DYKTWsbc6eG9FkBFj1fuJ51jsGtLu2HkkAJtRSYDlc641GozQxkZRKVZcd9ryozxDvNv1nHMJB2v+Vd4J2UBeOBBOPSPRmr+0DxpaSBc87BP0SGk96Fu5FuwXJOCx/jmfWBl1s4w/nj+9C44jmLXVsH+6Eqdk+2lVQw4fbosXIe469AMvk9q3fR7wWKPlTF4SRC5sBXE41PtDW+/tEYdOa4Agxa7nHJOqwo7+VnYTMjUdq99TeYGR83IoRd+o1hzGRzD9b0iNBO8fjevxzNp+4lhu3PefiZZdKg76Tjr2l5fsw/JlanooL9p4g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oZCU8Z+lN2yBC+qBn2U0VdYciTeZBseKX2cECQcf6WI=; b=h7KKLXXrDLCGv/9WfOv4OHaautShbLoqFpDTiiJZC9cKJapSBDGkkmECvyg6s/1O4zHKFvNfPsZkHb4QUAhe0fPlVoPwCmM955SuzFFk3ehWpLBsZUmno7OZUmrTkQC2Lk9amk3ocrX/pBCPJ8TE9pXz2cy4VPEXTf5eEmd8szM=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by HE1PR0701MB2826.eurprd07.prod.outlook.com (2603:10a6:3:4a::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4129.23; Thu, 13 May 2021 14:14:46 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::b071:a4a:817d:2d3]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::b071:a4a:817d:2d3%11]) with mapi id 15.20.4129.026; Thu, 13 May 2021 14:14:46 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "core@ietf.org" <core@ietf.org>
Thread-Topic: [COSE] draft-ietf-cose-countersign-02 - Secruity problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8
Thread-Index: AQHXFxduXoz8+3g8k068F5hdSGPXPqqFSp2AgFyI4YCAACSAgA==
Date: Thu, 13 May 2021 14:14:46 +0000
Message-ID: <2EF50329-22AD-4797-B8F5-89684E4CCC29@ericsson.com>
References: <DE090650-4B4B-48C9-B4A5-3B809E1C1FF4@ericsson.com> <46B45227-684C-4CDB-A2B6-20BA70E89DF6@vigilsec.com> <D1BF84E8-5659-4AF8-8F27-BD5409BEFA83@ericsson.com>
In-Reply-To: <D1BF84E8-5659-4AF8-8F27-BD5409BEFA83@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.49.21050901
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ff386860-5626-442f-30b7-08d916197633
x-ms-traffictypediagnostic: HE1PR0701MB2826:
x-microsoft-antispam-prvs: <HE1PR0701MB28267AD642C3A390EDC1C7F089519@HE1PR0701MB2826.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 62VaYu/hHKQeIVWBgzBos5C0W9mIamooU90lQIKOSOilWPnvWk7uJyjthndvKnW1KSkF/wI4uNcwc1cLFezKQWSBSzIG3HR2O2doPKkHukFhsS34/tkysuO9MiA05dnD3w+LHWoSx61VGPeEu3gHgyfVRkx/h8KXkmmpMOao/M78Xfmw8OBc+DyWEswKsCKO/r4yq81kGRRE64e+6q6g9HvspEQX3B2Me/RifYQGV2NbFFKFsHs+XmAsP5jQsaaKYSs6+Lp0FI1Xhb+53aBqsJlT2JvGf2vcfk8JqOx4KIhlIl+ejL6JsoYwpKU0+5jDfK254n+j76YA2xkvyNsYouI/C6i+zCwJSkYrZs/IXPfKTfcn8znB2XSgATmeKAKJ8ThJt8e/i19NqvjMzApVCk8QD8nCbX81YoJcazLLTn9U29cSBNen7NJJHeoPmzeQYcKEsZ7jhejH2lH1zGs7+tGqRGAkyPEFqiCKxfQbg5YUUZqORmhACXpQuY/axNYV8etODBUUNG+k/dGGqkU1+wF6x5gUuoLlfju8yyjH3esKwkuirrnIdeP1aPDr0p8yGAGfjuO6ryrrRB33Veg9lCM/BAcK1u3NdrxGuXvTvHUgBYYSSGYph8zvPMuQ1w7kHnslifGinz/B1EzOgxfdrUNbBxao9zZ7XjRzHi5Kw5OHvmrMt4a4opWqLJ1+kJNVActsB0T70gJnYqZwth8SGWQyTKQ/u0YNqgwUYPnMoZ8xN+j/iD/mt6Kz6xVBF4AaDmpnY4anl6p+5/ES5PXKPg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(2906002)(6486002)(66556008)(498600001)(6506007)(5660300002)(33656002)(966005)(53546011)(76116006)(122000001)(66946007)(36756003)(86362001)(8936002)(71200400001)(6512007)(2616005)(44832011)(8676002)(186003)(64756008)(66476007)(66446008)(83380400001)(26005)(38100700002)(6916009)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?d1FjWUZTd05OdTVQL0VtV3NCbGs0UDZOWlUydFRjY0pSTG9CM0xETFEwYkxn?= =?utf-8?B?cXJDMW1saHFTc011Y1NLM29YTFBwRVhSV0tLQzFZSGJjZ1djVXc2Qm5CMFVq?= =?utf-8?B?ZEdxWnVDS0pNMVZxTzQ1Y0hVNW91Mjk1QlFpTHNSQ3VBY0U4eHNpOFlsdFcv?= =?utf-8?B?SktZZHpTMjh4YmZ0ZTBIbjdoUDRNZ2dlRWorNDB6L0RKQzhNNk5oTG1IdStw?= =?utf-8?B?cGFYSWhkcll4WFNodCtMWGpBKy9Edjc3Y0ZaRko2ZzU1ZVQ1cGFDSk1oQVBs?= =?utf-8?B?KzE4NkQxOTUxa0RTcXYvQTMyZm9yZk85UVV5U0xKeUE5UDNtZWVra2tTbmFR?= =?utf-8?B?WnVTTWkrMDBJU2VXUHIxV3M2d1NzejdpQUplWUMxcnlWSFVhekIzQktER2d4?= =?utf-8?B?eXV2ZkVjU251dVYzcUwrdVhZSEtnZ2JVdVlGSTI5VjlYWENXYmlPVWNHNkFn?= =?utf-8?B?S2pmYmIvekZoNzFJNTN3dU8vdWI5alVQVzFKZmdBdmRDcnNDRU1nYkQyWkhq?= =?utf-8?B?SkVMMjMySHloaTJIdDU0eFUyclhjU0RRdVhzNnoxVGNZYkdXekhEQ3UxWUUz?= =?utf-8?B?dHd4bHZ1cEZQZ2llU2s3ZFlIc1pzOUllU0p5eklGejNPUXJLMmJMdkR6Q3c1?= =?utf-8?B?bWRLK2NaSFRUbEZzVFE0cGUwMXNNdnlYd3JyVkVUbU1Qd21hd05LbWxKWFNo?= =?utf-8?B?OUNYdjU1WUtORnJJazV2d3NzSWRwSjMwbGlVK29qQ2dFNUNEVUZlbU5tZm5i?= =?utf-8?B?SDdKMnBvOFZOZ0lOK1JaNEw4SEFYSlBHYm9acGQ2S3BEall4WFh6c2czUjY4?= =?utf-8?B?ZlVYVVZjYXZBLzJlZnVUemgvb1BMWWVoYTBqWnlESFNPallHL0k0ZlQvR09r?= =?utf-8?B?YmhFU3k1MWV3Y2lLMHlHd0tqRnNZZ1pZT2UxSWV4cmZ4WlFmMFdPYmJzVHRz?= =?utf-8?B?eEZpTmlJTzlYZnJnYzBhL21aN2NvSk93NUN5SUN3dlhvUzVaRGJtQ0EyN1V2?= =?utf-8?B?VWVTV1JKemRkR21QYkozRU5RT3VGZVhCeDZXaXJFMHNYZ1VqbDR6ckFROWZX?= =?utf-8?B?ZWhLSnBMQXFNejFYOHB3NlplTGwxQ1pZd2pQczhtRmhVd2Y5WVdLZXljZWt5?= =?utf-8?B?WnN4dXVJQm9sbDl1aEZCUVBBSnFXQ3ArcVF5U1l1R1ZvNVVYcCt0SGJkT3Ax?= =?utf-8?B?Rnp0UGJ5SWtjbXhUQ29uOVFQRGt3N0hERDdtdHIrQVZNODNiRURDdXEwbkpX?= =?utf-8?B?cEMrK0ZidXllSGdUQ1RNbEhKbG5UMmxidC9rVmI5czBvOVJGRkhVOCtpOTdl?= =?utf-8?B?K1RNb2lKK0NkY3JMUlhTODFaVk1McFR4RzZzMC92bkNsU3BpVW5EcXRwNWkr?= =?utf-8?B?bkkxbEl1WndyeVl0S3BVcVR2RjBQR28xbzd1akJ5VlU3VHRDV3RlTUNaZVl3?= =?utf-8?B?TzBGdHNiODJpVlczMVVCSFZ6RzlybUpUUGFncXJoQ2ZvS0M2WGpKUks5bHFh?= =?utf-8?B?dHQxTDhWbXBIalFGbGVEcUxoTXFYYXlWWS9weTVPNFpzc05Xa0ZyYk9hYk5i?= =?utf-8?B?VUI3L2lTczFyTnBBbE9KZWY5elIrUUZ2WUl4Y3JUYktqdE90b3VxZVc2ZGgz?= =?utf-8?B?bzFBTXdnQlBPTGczcVBVQUkydVBkYk14aHRlQWtQdnMzYnZJNVh0dDlxRndG?= =?utf-8?B?Z2k2T3NSanVBK0JmMVljajhSUnV1a1hFMFBqcG9jNzR4blgvTERHRkVTc2N1?= =?utf-8?B?TGI4Q1JrRjVYenVZdVViNUhOcHdpVDJhRVpMSm1VRENVSGJMUHNWdEx1RFJi?= =?utf-8?B?OFdMSlNaVWpqeFpWZEd5UT09?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <ECF6A872A2E1CE4496A0C82FC5C6A960@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ff386860-5626-442f-30b7-08d916197633
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 May 2021 14:14:46.1136 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sxHnOlpeT8UtS+vA5bp1FWlm7cRqfZXe9qmcrzqxuw/aPDpF1zn04SctMR6kGLnHXgaJQIVCc4vNNUifLp0fc9TBktPV2rYvLrVhijjl1CM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2826
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/nzJzHvyHECJMyDiG2e_1glEXVD4>
Subject: [core] FW: [COSE] draft-ietf-cose-countersign-02 - Secruity problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2021 14:15:02 -0000

Hi,

I just posted the following suggsted addition to the COSE countersign draft

"Countersignatures of COSE_Encrypt and COSE_Mac with short tags and non-empty external_aad do not at all give the security properties normally associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256-bits. A countersignature of a COSE_Mac with AES-MAC 256/128 only gives 64-bit security and a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 only gives 32-bit security. Another solution is to provide the same external_aad used in the COSE_Encrypt and COSE_Mac to the countersignature algorithm, but this external_aad is typically not available to the party performing or verifying the countersignature."

https://mailarchive.ietf.org/arch/msg/cose/9vv0DC_7tL1_DfvHd4VNp-dXz38/

Earlier versions of Group OSCORE had these quite significant vulnerabilities. My
understanding is that this weakness is addressed in the current version of Group
OSCORE by adding more information to the signature external_aad. 

However, I see no reason to actually use countersignatures in Group OSCORE.
The definition of countersignature in the oxford dictionary is
"a signature added to a document already signed by another person." The use in
Group OSCORE where the same entity calculates the AEAD and the signature seems
very strange, and there seems to be no good reason for it. Wrapping the COSE_Encrypt
in a COSE_Sign seems like a much more natural solution. 

The COSE WG will soon register AEAD algorithms without integrity protection such
as AES-CTR. The is after a request from FIDO that wants to wrap a COSE_Encrypt
in a COSE_MAC.

https://mailarchive.ietf.org/arch/msg/cose/ELiOc-ED9IoaFhR5d9FS7KBC-vc/

The use of AEAD together with a signature waste 8-16 bytes in each packet
without any benefit whatsoever. This goes very much against the design
philosofies behind CoAP and OSCORE, where every byte has to be justified.

Now when COSE WG is specifying "AEAD" algorithms without integrity protection
I think CORE should take the time to modify the signature parts of
Group OSCORE from

AEAD() || Countersignature( AEAD() )

to 

ENC() || Signature ( MAC( ENC() ) )

Cheers,
John

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com>
Date: Thursday, 13 May 2021 at 14:04
To: Russ Housley <housley@vigilsec.com>
Cc: cose <cose@ietf.org>
Subject: Re: [COSE] draft-ietf-cose-countersign-02 - Secruity problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

Hi Russ,

I made a PR with a first draft of such text

https://github.com/cose-wg/countersign/pull/6

"Countersignatures of COSE_Encrypt and COSE_Mac with short tags and non-empty external_aad do not at all give the security properties normally associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256-bits. A countersignature of a COSE_Mac with AES-MAC 256/128 only gives 64-bit security and a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 only gives 32-bit security. Another solution is to provide the same external_aad used in the COSE_Encrypt and COSE_Mac to the countersignature algorithm, but this external_aad is typically not available to the party performing or verifying the countersignature."

Cheers,
John

-----Original Message-----
From: Russ Housley <housley@vigilsec.com>
Date: Monday, 15 March 2021 at 17:58
To: John Mattsson <john.mattsson@ericsson.com>
Cc: cose <cose@ietf.org>
Subject: Re: [COSE] draft-ietf-cose-countersign-02 - Secruity problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

John:

Are you asking for addition text in the security considerations to warn against short MACs?  If so, can you provide the first draft of such text?

Russ


> On Mar 12, 2021, at 3:12 AM, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi,
> 
> When I analysed an earlier version of Group OSCORE some years ago it had severe security problems when used with CCM_8 + Countersignature. The attacks were pretty bad. 64-bit offline complexity against source authentication/availability from a different person in the group and something slightly over 32-bit online security (collecting 2^32 messages) against a source authentication/availability from a third party outside of the group. The problem was that the countersignature relied on the AEAD tag for integrity protection of the additional data. This was fixed in Group OSCORE be adding all the additional data to the signature as well.
> 
> The use case of Countersignatures is "Countersignatures provide a method of having a second party sign some data." In this case I don't think CCM_8 + Countersignature provides the expected security. Unless you can put all the additional data to the signature as well, I think CCM_8 + Countersignature needs to be forbidden.
> 
> I don't really see why Group OSCORE is using countersign in the first place, it seems like a relic from a time when it was assumed that OSCORE would be a single COSE structure on the wire as well.
> 
> Cheers,
> John