Re: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

John Mattsson <john.mattsson@ericsson.com> Thu, 13 May 2021 12:04 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Russ Housley <housley@vigilsec.com>
CC: cose <cose@ietf.org>
Date: Thu, 13 May 2021 12:04:07 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/9vv0DC_7tL1_DfvHd4VNp-dXz38>

Hi Russ,

I made a PR with a first draft of such text:

https://github.com/cose-wg/countersign/pull/6

"Countersignatures of COSE_Encrypt and COSE_Mac with short tags and non-empty external_aad do not at all give the security properties normally associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256 bits. A countersignature of a COSE_Mac with AES-MAC 256/128 only gives 64-bit security and a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 only gives 32-bit security. Another solution is to provide the same external_aad used in the COSE_Encrypt and COSE_Mac to the countersignature algorithm, but this external_aad is typically not available to the party performing or verifying the countersignature."

Cheers,
John

-----Original Message-----
From: Russ Housley <housley@vigilsec.com>
Date: Monday, 15 March 2021 at 17:58
To: John Mattsson <john.mattsson@ericsson.com>
Cc: cose <cose@ietf.org>
Subject: Re: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

John:

Are you asking for additional text in the security considerations to warn against short MACs? If so, can you provide the first draft of such text?

Russ


> On Mar 12, 2021, at 3:12 AM, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi,
> 
> When I analysed an earlier version of Group OSCORE some years ago it had severe security problems when used with CCM_8 + Countersignature. The attacks were pretty bad. 64-bit offline complexity against source authentication/availability from a different person in the group and something slightly over 32-bit online security (collecting 2^32 messages) against a source authentication/availability from a third party outside of the group. The problem was that the countersignature relied on the AEAD tag for integrity protection of the additional data. This was fixed in Group OSCORE by adding all the additional data to the signature as well.
> 
> The use case of Countersignatures is "Countersignatures provide a method of having a second party sign some data." In this case I don't think CCM_8 + Countersignature provides the expected security. Unless you can put all the additional data to the signature as well, I think CCM_8 + Countersignature needs to be forbidden.
> 
> I don't really see why Group OSCORE is using countersign in the first place, it seems like a relic from a time when it was assumed that OSCORE would be a single COSE structure on the wire as well.
> 
> Cheers,
> John
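
Added example, not part of the thread or of any COSE implementation: a toy model of the binding problem discussed above, showing that a countersignature over ciphertext and tag accepts a second external_aad whenever the short tag collides, and that also signing the external_aad removes that dependency. Assumptions: truncated HMAC stands in for the AEAD tag, HMAC stands in for the signature, the tag is shortened to 16 bits so the run is instant, and all names and sample values are constructed.

```python
import hashlib
import hmac
import itertools

TAG_BITS = 16  # toy length (assumption); CCM_8 tags are 64 bits


def aead_tag(key, external_aad, ciphertext):
    """Stand-in for the AEAD tag: truncated MAC over external_aad and ciphertext."""
    msg = len(external_aad).to_bytes(4, "big") + external_aad + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()[: TAG_BITS // 8]


def countersign(sig_key, ciphertext, tag, external_aad=b""):
    """Stand-in for the countersignature; external_aad is signed only if supplied."""
    msg = len(external_aad).to_bytes(4, "big") + external_aad + ciphertext + tag
    return hmac.new(sig_key, msg, hashlib.sha256).digest()


def two_aads_same_tag(key, ciphertext):
    """Return two distinct external_aad values whose tags collide (birthday bound)."""
    seen = {}
    for i in itertools.count():
        aad = b"context-%d" % i  # constructed sample values
        tag = aead_tag(key, aad, ciphertext)
        if tag in seen:
            return seen[tag], aad, tag
        seen[tag] = aad


def demo():
    group_key, sig_key = b"G" * 16, b"S" * 32  # constructed keys
    ct = b"constructed ciphertext"
    aad_a, aad_b, tag = two_aads_same_tag(group_key, ct)

    # Tag-only binding: the signature covers ciphertext + tag, not external_aad.
    sig = countersign(sig_key, ct, tag)
    tag_only_accepts_b = (
        aead_tag(group_key, aad_b, ct) == tag
        and hmac.compare_digest(sig, countersign(sig_key, ct, tag))
    )

    # external_aad also signed: verification with aad_b no longer matches.
    sig_bound = countersign(sig_key, ct, tag, aad_a)
    bound_accepts_b = hmac.compare_digest(
        sig_bound, countersign(sig_key, ct, tag, aad_b)
    )
    return aad_a != aad_b, tag_only_accepts_b, bound_accepts_b
```

With a t-bit tag the collision appears after roughly 2^(t/2) trials, which is where the 32-bit figure for a 64-bit tag and the 64-bit figure for a 128-bit tag in the proposed text come from.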