IETF Logo Mail Archive

Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

"Jim Schaad" <ietf@augustcellars.com> Fri, 10 July 2015 22:33 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C7761A0062 for <cose@ietfa.amsl.com>; Fri, 10 Jul 2015 15:33:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OQqXPYdGikQS for <cose@ietfa.amsl.com>; Fri, 10 Jul 2015 15:33:21 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C2F81A009B for <cose@ietf.org>; Fri, 10 Jul 2015 15:33:11 -0700 (PDT)
Received: from hebrews (174-21-18-91.tukw.qwest.net [174.21.18.91]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id F118138EF2; Fri, 10 Jul 2015 15:33:09 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Brian Campbell' <bcampbell@pingidentity.com>
References: <CA+k3eCQUPxZfWM9XcKaTLN-WOx2cHEi9SAGSRFTtv71iSCUqdQ@mail.gmail.com> <559576A9.9090002@gmx.net> <BY2PR03MB442C02F758E34B29BBD0CEAF5970@BY2PR03MB442.namprd03.prod.outlook.com> <001001d0b90c$3c874af0$b595e0d0$@augustcellars.com> <00c501d0b9a5$c8f869d0$5ae93d70$@augustcellars.com> <CA+k3eCS-7UK9RDfnkKCLK0ApTdNhSamYY3LL73+e1=rBvz7vDA@mail.gmail.com> <sjmlheo6t1j.fsf@securerf.ihtfp.org> <20150710171118.GA20991@LK-Perkele-VII> <00b601d0bb3d$37fe0d60$a7fa2820$@augustcellars.com> <CA+k3eCTeDPP_1oqZ4U3c5a7Z16EgOd3qBjpsGuFxaGYrKJNAiA@mail.gmail.com>
In-Reply-To: <CA+k3eCTeDPP_1oqZ4U3c5a7Z16EgOd3qBjpsGuFxaGYrKJNAiA@mail.gmail.com>
Date: Fri, 10 Jul 2015 15:33:27 -0700
Message-ID: <002201d0bb60$71d6a010$5583e030$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0023_01D0BB25.C57927A0"
X-Mailer: Microsoft Outlook 15.0
Content-Language: en-us
Thread-Index: AQGMo9E7lz5K1VbQVek9kTd0WZ5EKwIS9FwIAQ3LxPQB/WXDmAHiZZGnAshjO7UB4sdSXwJU7d8kAjX17XgCSHbyJZ3JgJVQ
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/2JhJHM9j53XRheuo0OYKtvL_Il4>
Cc: 'Ilari Liusvaara' <ilari.liusvaara@elisanet.fi>, cose@ietf.org
Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 22:33:23 -0000

 

 

From: Brian Campbell [mailto:bcampbell@pingidentity.com] 
Sent: Friday, July 10, 2015 3:07 PM
To: Jim Schaad
Cc: Ilari Liusvaara; cose@ietf.org
Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

 

And my question was about ephemeral-static DH and RSA-OAEP (both of which are used in the MAC example at https://cose-wg.github.io/cose-spec/#rfc.appendix.C.1.4) . Without the statement of origin, I don't see what value there is?



It would be static-static DH not ES DH.  Otherwise – yes it is the same as RSA

 

On Fri, Jul 10, 2015 at 12:21 PM, Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com> > wrote:



> -----Original Message-----
> From: Ilari Liusvaara [mailto:ilari.liusvaara@elisanet.fi <mailto:ilari.liusvaara@elisanet.fi> ]
> Sent: Friday, July 10, 2015 10:11 AM
> To: Derek Atkins
> Cc: Brian Campbell; Jim Schaad; Mike Jones; cose@ietf.org <mailto:cose@ietf.org> 
> Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-
> schaad-cose-msg-01)
>
> On Fri, Jul 10, 2015 at 09:28:24AM -0400, Derek Atkins wrote:
> >
> > Performing a MAC using the output of a DH (be it ECDH, AEDH, or raw
> > DH) can still tell you that the transmission has not been modified
> > between you and the party you're talking to.  You're right that it
> > tells you nothing about the party you're talking to (i.e., without
> > authentication of the DH keys you have no idea if you're talking to a
> > MITM or the real endpoint).  However, using DH + MAC does tell you
> > that you're not being spoofed by a "passive" eavesdropper.
> >
> > So IMHO it does have some benefit.
>
> It occurs to me that any sort of asymmetric key management with MACs is
> unsafe, since knowing just public key enables message forgery.

We are going to need to have a consistent definition of message forgery for this to be a true statement.  Can one have a forgery from an anonymous person?  If you don't make a statement about who is sending the message, which may not be done in this case, then I have a problem with saying something is a forgery.

To have origination, one needs to use static-static DH.  Without this one does not have statement of origin.

>
> This does not straightforwardly extend to symmetric schems (like key
> wrapping), but are those useful with MACs?

Depends to a large extent on what you are doing for key roll over of your shared secrets.   If you don't do it very often, then as I stated in my last message it can improve security as some attacks can be easier to detect.

jim

>
>
> -Ilari


_______________________________________________
Cose mailing list
Cose@ietf.org <mailto:Cose@ietf.org> 
https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email