IETF Logo Mail Archive

Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

"Jim Schaad" <ietf@augustcellars.com> Wed, 08 July 2015 17:44 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02A941A1BFE for <cose@ietfa.amsl.com>; Wed, 8 Jul 2015 10:44:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSY-2CtIGoII for <cose@ietfa.amsl.com>; Wed, 8 Jul 2015 10:44:40 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 446191A1E0E for <cose@ietf.org>; Wed, 8 Jul 2015 10:44:31 -0700 (PDT)
Received: from hebrews (174-21-18-91.tukw.qwest.net [174.21.18.91]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id AF43E38EEB; Wed, 8 Jul 2015 10:44:30 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>
References: <CA+k3eCQUPxZfWM9XcKaTLN-WOx2cHEi9SAGSRFTtv71iSCUqdQ@mail.gmail.com> <559576A9.9090002@gmx.net> <BY2PR03MB442C02F758E34B29BBD0CEAF5970@BY2PR03MB442.namprd03.prod.outlook.com> <001001d0b90c$3c874af0$b595e0d0$@augustcellars.com>
In-Reply-To: <001001d0b90c$3c874af0$b595e0d0$@augustcellars.com>
Date: Wed, 08 Jul 2015 10:44:47 -0700
Message-ID: <00c501d0b9a5$c8f869d0$5ae93d70$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQGMo9E7lz5K1VbQVek9kTd0WZ5EKwIS9FwIAQ3LxPQB/WXDmJ4xEk7w
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/8Ymy0PXyeHFyTWy905DD4bA40R4>
Cc: cose@ietf.org
Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 17:44:42 -0000

Another case where key management for MACs can be very useful is the case of
DH direct.  This allows for creating of a new unique key for the MAC every
time, while not needing to keep per connection secrets for everything.

Just what security service do you exect to get from a MAC?  That is going to
control how you feel about doing key management.

> -----Original Message-----
> From: Cose [mailto:cose-bounces@ietf.org] On Behalf Of Jim Schaad
> Sent: Tuesday, July 07, 2015 4:26 PM
> To: 'Mike Jones'
> Cc: cose@ietf.org
> Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-
> schaad-cose-msg-01)
> 
> 
> 
> > -----Original Message-----
> > From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> > Sent: Thursday, July 02, 2015 10:53 AM
> > To: Hannes Tschofenig; Brian Campbell; Jim Schaad
> > Cc: cose@ietf.org
> > Subject: RE: [Cose] Key management for MACs (was Re: Review of draft-
> > schaad-cose-msg-01)
> >
> > If MACs without key management were insecure, I'm sure that JWS [RFC
> > 7515] wouldn't have survived the SecDir review or the IESG review
> > since it has no key management for MACs, but it did.
> 
> [JLS] There was no assumption that there was no key lifetime management
> for the case of JWS or JWE.  The assumption was that the key management
> was being down outside of these documents.  I am sure (or at least
strongly
> hope) that nobody is suggesting that a single key was going to be
> negotiated between the sender and the receiver of a message and it would
> never be modified in the future.
> 
> >
> > The question is what *additional* value key management adds in the
> MAC
> > case.
> 
> http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-
> GCM/multi-
> forge-01.pdf
> 
> provides a method to looking at how to attack a key.  This would be done
> by looking at the recipient of the message as an oracle to see how it
> responds to messages.  The more one uses the same key the more data
> there is to work with to attack keys.  From this point of view, encryption
> can be better because traffic analysis might be all you get from re-using
a
> key.
> 
> Even doing something as simple as running the shared secret through a KDF
> (with perhaps a sequence number or time marker in the context) will make
> the system more secure as the same key is no longer being used to MAC
> every message.
> 
> >
> > (I completely understand the value of key management in the encryption
> > case.  If you're using a deterministic content encryption algorithm
> > and you're encrypting the same plaintext with the same key without key
> > management, the ciphertext values will match, allowing attackers to
> > correlate messages.  Using a randomly generated content encryption key
> > means that encryptions of the same plaintext result in different
> ciphertext
> > values - preventing this correlation.  But the payload in a MAC is not
> > a secret, so there's no equivalent benefit in the MAC case.)
> >
> > 				-- Mike
> >
> > -----Original Message-----
> > From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
> > Sent: Thursday, July 02, 2015 10:37 AM
> > To: Brian Campbell; Jim Schaad
> > Cc: Mike Jones; cose@ietf.org
> > Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-
> > schaad-cose-msg-01)
> >
> >
> >
> > > Particularly for constrained devices, it is unlikely that
> > > applications will want to pay the performance penalty of generating
> > > and encrypting a key management key to perform a MAC operation.
> > > Heck, they may not have credible random number generation in the
> > > first place!  And they are likewise unlikely to want to pay the
> > > message size penalty of carrying the encrypted key.
> >
> > It would be good to know what devices you have in mind in this
> discussion.
> >
> > I personally don't think we should target devices that cannot even do
> > key management for symmetric cryptography. I would even argue that we
> > should aim for devices that support a random number generator and are
> > also able to do public key crypto.
> >
> > We are not doing ourselves a flavor if we place artificial constraints
> > on
> our
> > protocols that make them pretty insecure in practice. We already have
> > enough insecure IoT devices in the market.
> >
> > Here is the slide deck I presented in the LWIG group at the last IETF
> > meeting; it explains the performance of state-of-the-art crypto on
> > common Cortex M class MCUs.
> > https://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pdf
> >
> > Ciao
> > Hannes
> 
> _______________________________________________
> Cose mailing list
> Cose@ietf.org
> https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email