IETF Logo Mail Archive

Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 02 July 2015 17:57 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 622051A1B5D for <cose@ietfa.amsl.com>; Thu, 2 Jul 2015 10:57:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8KdJBLUIq6bu for <cose@ietfa.amsl.com>; Thu, 2 Jul 2015 10:57:18 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 969D41A1B88 for <cose@ietf.org>; Thu, 2 Jul 2015 10:57:08 -0700 (PDT)
Received: from [192.168.131.140] ([195.149.223.251]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0LwaQZ-1YyuEm1u8t-018IIT; Thu, 02 Jul 2015 19:56:59 +0200
Message-ID: <5595794D.3000005@gmx.net>
Date: Thu, 02 Jul 2015 19:47:57 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>, Brian Campbell <bcampbell@pingidentity.com>, Jim Schaad <ietf@augustcellars.com>
References: <CA+k3eCQUPxZfWM9XcKaTLN-WOx2cHEi9SAGSRFTtv71iSCUqdQ@mail.gmail.com> <559576A9.9090002@gmx.net> <BY2PR03MB442C02F758E34B29BBD0CEAF5970@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB442C02F758E34B29BBD0CEAF5970@BY2PR03MB442.namprd03.prod.outlook.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="JNaShuHrOXjhHnkX0hRQGSROgCLvIkU5k"
X-Provags-ID: V03:K0:+AHOCdeudVH3sNhJoeBJJ9KzT0E1LQp+mJw9d7d6bg30iv4NSyB DSqOvYx4mFW2v55UVysd6ekd4jSa+VpePO9tOcBocj4BdEkYpu/Gqk9RM8feevQ0DTCZ0v0 ulJwy2Twd2zQDZ9whCXffgtSGFwv5pgBaStBUipx080juh+z99I/0TARDrwEJ4r3Up8DeYV ZgfV2+fWKrYrOD7QN+Oow==
X-UI-Out-Filterresults: notjunk:1;V01:K0:9kIqPA+TWWk=:TYmm59dj0irASIzeUrKKPk yDILqwQXbuI3iCnsfsIZur7UQQWxJJaaez0hRTZycc/O2RK05ndJqj3AORVArE4OYK6zzUY05 ECR+P9ppgjwBaaUin/AcngNWcmTu9g1a5G7ruAXSxmbKq8xbgZSaWTqtEbOm7EpCmVVbWz+/J Kv/LbkEXLmNXIMOURuoNLlGDfCENmMwyVcWSEaN8UpozdKUXTy6nhTTxvHD4GFOD6mOIMcEDh JhjhFxHFxag2lCbd6uC82Xfi2GAdw0fL4acDY7IQAsdT3z2XmJim6wfK3L+7EyW6OuTpcVGsM t/x716uwxTuRhcmya2Urk/hGzo3b0n7y+BuWjyhteAqaVv5wXxUNTv04fYj38MQkfLcvjbDy9 qd0li2d2LNI99t2ujpdNTo5mXDQZQ5KGVa+nnUTFpDKNc6RwGCHokkC22UVlU7/boUbrRzOmP 6syONr57S9hjqSvoSE6hnvgtwzD0O+sl9OVBxjLSqAAZq9ww9up7CrVkwcmuSfB3J58DNDAc/ bmVpbHtd4n65CBhFKqdfYXjIP18q/95qe/8p0xgnjixz91A6WgNf5rvFCLThE6MYSG0P/VjnK bZjLu3tVzvy+NzUlg2rRIBrGjUQL+iMfJ40Onlwiec4uWeGVzbbGp5msaMMNT6a9LijaQLevC PxByhm8ieAHdy3hCfyMhsVPk6Yph8Aj4xaf4DsPndzO3+hQ==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/94UCraITzG09impxFvkyhF97YD8>
Cc: "cose@ietf.org" <cose@ietf.org>
Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2015 17:57:20 -0000

I guess the challenge with the JOSE and the COSE work is that it is a
generic mechanism and you don't really know what applications are going
to use them. As such it is hard to say how the key management would
actually look like. Hence, it is a bit challenging to say what IoT can
and cannot do.

One consumer of the JOSE/JWS work was OAuth and there it is quite clear
how the story looks like.

In any case, whenever I read something about IoT devices I am always
wondering about what devices they are talking about.

Ciao
Hannes

On 07/02/2015 07:52 PM, Mike Jones wrote:
> If MACs without key management were insecure, I'm sure that JWS [RFC 7515] wouldn't have survived the SecDir review or the IESG review since it has no key management for MACs, but it did.
> 
> The question is what *additional* value key management adds in the MAC case.
> 
> (I completely understand the value of key management in the encryption case.  If you're using a deterministic content encryption algorithm and you're encrypting the same plaintext with the same key without key management, the ciphertext values will match, allowing attackers to correlate messages.  Using a randomly generated content encryption key means that encryptions of the same plaintext result in different ciphertext values - preventing this correlation.  But the payload in a MAC is not a secret, so there's no equivalent benefit in the MAC case.)
> 
> 				-- Mike
> 
> -----Original Message-----
> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] 
> Sent: Thursday, July 02, 2015 10:37 AM
> To: Brian Campbell; Jim Schaad
> Cc: Mike Jones; cose@ietf.org
> Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)
> 
> 
> 
>> Particularly for constrained devices, it is unlikely that applications 
>> will want to pay the performance penalty of generating and encrypting 
>> a key management key to perform a MAC operation.  Heck, they may not 
>> have credible random number generation in the first place!  And they 
>> are likewise unlikely to want to pay the message size penalty of 
>> carrying the encrypted key.
> 
> It would be good to know what devices you have in mind in this discussion.
> 
> I personally don't think we should target devices that cannot even do key management for symmetric cryptography. I would even argue that we should aim for devices that support a random number generator and are also able to do public key crypto.
> 
> We are not doing ourselves a flavor if we place artificial constraints on our protocols that make them pretty insecure in practice. We already have enough insecure IoT devices in the market.
> 
> Here is the slide deck I presented in the LWIG group at the last IETF meeting; it explains the performance of state-of-the-art crypto on common Cortex M class MCUs.
> https://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pdf
> 
> Ciao
> Hannes
>

v2.23.0 | Report a Bug | By Email