Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

Derek Atkins <derek@ihtfp.com> Fri, 10 July 2015 13:28 UTC

From: Derek Atkins <derek@ihtfp.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 10 Jul 2015 09:28:24 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/D4xk6GUbUMxBhJ7iRm88BXrDDDU>
Cc: Jim Schaad <ietf@augustcellars.com>, Mike Jones <Michael.Jones@microsoft.com>, cose@ietf.org

Brian Campbell <bcampbell@pingidentity.com> writes:

> If I were able to do DH, I'd have a public/private key and I guess I never
> would have thought about doing a key agreement and MAC. I'd probably just sign
> with my key. Maybe I'm just not very creative. But while having options is
> good, having too many options can be problematic.

Being able to do DH does not imply being able to sign.  They are
different protocols and not every public-key method can be used for both
operations.

> Doing a MAC with RSA OAEP key encryption or ECDH-ES key agreement, to me
> anyway, seems to provide little value and a big opportunity for confusion and
> security problems. I don't believe it's an option that should be provided.

Performing a MAC using the output of a DH (be it ECDH, AEDH, or raw DH)
can still tell you that the transmission has not been modified between
you and the party you're talking to.  You're right that it tells you
nothing about the party you're talking to (i.e., without authentication
of the DH keys you have no idea if you're talking to a MITM or the real
endpoint).  However, using DH + MAC does tell you that you're not being
spoofed by a "passive" eavesdropper.

So IMHO it does have some benefit.

-derek
-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
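
The DH + MAC property discussed in the message above, as an added example that is not part of the original message or of any COSE draft: a MAC keyed from a DH shared secret detects modification in transit, a substituted unauthenticated public key goes unnoticed, and pinning the sender's key fingerprint closes that gap. The toy group, the HKDF label, the sample messages and all function names are assumptions made for the demo.

```python
import hashlib, hmac, secrets

# Assumption: toy finite-field DH group so the demo needs only the stdlib.
# Real deployments use a vetted group or ECDH.
P, G = 2**255 - 19, 2

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def mac_key(priv, peer_pub):
    """HKDF-SHA256 (zero salt, one output block) over the DH shared secret."""
    ikm = pow(peer_pub, priv, P).to_bytes(32, "big")
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, b"demo-mac-key\x01", hashlib.sha256).digest()

def tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key, msg, t):
    return hmac.compare_digest(tag(key, msg), t)

def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()

def run_demo():
    msg, altered = b"valve=closed", b"valve=open"   # constructed sample messages
    a_priv, a_pub = dh_keypair()                     # sender
    b_priv, b_pub = dh_keypair()                     # receiver
    pinned = fingerprint(a_pub)                      # learned out of band by the receiver
    out = {}
    # Case 1: public keys arrive unchanged; the MAC catches modification in transit.
    t = tag(mac_key(a_priv, b_pub), msg)
    k_b = mac_key(b_priv, a_pub)
    out["intact_accepted"] = verify(k_b, msg, t)
    out["modified_rejected"] = not verify(k_b, altered, t)
    # Case 2: unauthenticated public keys were replaced by an active party (m).
    # The receiver derives its key from m_pub, so a tag made by m verifies.
    m_priv, m_pub = dh_keypair()
    t_m = tag(mac_key(m_priv, b_pub), altered)
    out["substituted_key_accepted"] = verify(mac_key(b_priv, m_pub), altered, t_m)
    # Mitigation: authenticate the DH public key before deriving the MAC key.
    out["pin_detects_substitution"] = fingerprint(m_pub) != pinned
    out["pin_accepts_real_key"] = fingerprint(a_pub) == pinned
    return out

if __name__ == "__main__":
    print(run_demo())
```
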