[COSE] Re: Strip signatures from COSE_Sign structures?
"Kampanakis, Panos" <kpanos@amazon.com> Mon, 30 December 2024 05:08 UTC
Return-Path: <prvs=0879ad7af=kpanos@amazon.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58117C14F69C for <cose@ietfa.amsl.com>; Sun, 29 Dec 2024 21:08:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.245
X-Spam-Level:
X-Spam-Status: No, score=-2.245 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AmA6HX2BUi4u for <cose@ietfa.amsl.com>; Sun, 29 Dec 2024 21:08:32 -0800 (PST)
Received: from smtp-fw-80008.amazon.com (smtp-fw-80008.amazon.com [99.78.197.219]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C135DC14F682 for <cose@ietf.org>; Sun, 29 Dec 2024 21:08:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1735535313; x=1767071313; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=76ucwafsBdpSrsRvoT/pQQdnC4DNcq/6d+ml3f0Z7JI=; b=KNNV/Tgw5Zmqkfkpvcs+yw/aRcShzgIpc1bcu6v4v1tfd4YotN9qN5B+ LVgUfPrZ8DAvGAMu7y1uneS/luc9pGwQc/w6X43W6bxfwSHxV7p84H9UL j5Ywh68Cp60ltjiPLGq9hgErSzaGSGS+UCxPukyxhOkkdIE2uPckJBU7K w=;
X-IronPort-AV: E=Sophos;i="6.12,275,1728950400"; d="scan'208,217";a="157601746"
Thread-Topic: [COSE] Strip signatures from COSE_Sign structures?
Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.25.36.214]) by smtp-border-fw-80008.pdx80.corp.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Dec 2024 05:08:31 +0000
Received: from EX19MTAUWC001.ant.amazon.com [10.0.38.20:47569] by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.61.230:2525] with esmtp (Farcaster) id b057d4c3-4b0c-4f8e-9a5e-79e72bbae15d; Mon, 30 Dec 2024 05:08:30 +0000 (UTC)
X-Farcaster-Flow-ID: b057d4c3-4b0c-4f8e-9a5e-79e72bbae15d
Received: from EX19D002AND004.ant.amazon.com (10.37.240.230) by EX19MTAUWC001.ant.amazon.com (10.250.64.174) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.39; Mon, 30 Dec 2024 05:08:30 +0000
Received: from EX19D002AND002.ant.amazon.com (10.37.240.241) by EX19D002AND004.ant.amazon.com (10.37.240.230) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.39; Mon, 30 Dec 2024 05:08:29 +0000
Received: from EX19D002AND002.ant.amazon.com ([fe80::b4ce:3b74:ef43:1a1c]) by EX19D002AND002.ant.amazon.com ([fe80::b4ce:3b74:ef43:1a1c%8]) with mapi id 15.02.1258.039; Mon, 30 Dec 2024 05:08:29 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: "lgl island-resort.com" <lgl@island-resort.com>, Orie Steele <orie@transmute.industries>
Thread-Index: AdtTFXii/JXjWM39Q5aJk/RPFYktqACM/gaAAAfX7wABQ6tvMA==
Date: Mon, 30 Dec 2024 05:08:28 +0000
Message-ID: <4fbe45a0419b411cafd98a386b1cc236@amazon.com>
References: <bf839ee5060243a79f908ce2db299c25@amazon.com> <CAN8C-_JOFyE-gspxzhZdjfESR8PvPcnwkm9s0ou0kbRMquoQcQ@mail.gmail.com> <BA4D04FA-B232-4437-9C8D-9F641F633F29@island-resort.com>
In-Reply-To: <BA4D04FA-B232-4437-9C8D-9F641F633F29@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.37.240.200]
Content-Type: multipart/alternative; boundary="_000_4fbe45a0419b411cafd98a386b1cc236amazoncom_"
MIME-Version: 1.0
Message-ID-Hash: WOQDS2GS4IDCV4EASRCHM32IPJGBZ7EA
X-Message-ID-Hash: WOQDS2GS4IDCV4EASRCHM32IPJGBZ7EA
X-MailFrom: prvs=0879ad7af=kpanos@amazon.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "cose@ietf.org" <cose@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [COSE] Re: Strip signatures from COSE_Sign structures?
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/DDnNs3bbaEvcKfMLrItNScJCL50>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Owner: <mailto:cose-owner@ietf.org>
List-Post: <mailto:cose@ietf.org>
List-Subscribe: <mailto:cose-join@ietf.org>
List-Unsubscribe: <mailto:cose-leave@ietf.org>
Thank you Orie and LL. That is unfortunate. The use-case is for a typical downgrade attack: When I am migrating to a new algorithm because an old one is no longer secure but I can’t upgrade all verifiers to understand the new algorithm at the same time, I would use two signatures with both algorithms. The verifier would verify the one it understands depending if it has been upgraded or not. Now, if I was a bad guy, I could strip the new algorithm signature and force even upgraded verifiers to verify only the insecure algorithm. If the COSE signature included some binding between the two like the CMS MultipleSignatures structure, the bad guy would not be able to strip the signature it did not like. From: lgl island-resort.com <lgl@island-resort.com> Sent: Monday, December 23, 2024 1:31 PM To: Orie Steele <orie@transmute.industries>; Kampanakis, Panos <kpanos@amazon.com> Cc: cose@ietf.org Subject: RE: [EXTERNAL] [COSE] Strip signatures from COSE_Sign structures? CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Yes, I’m 90% sure you can strip COSE signatures. Just delete the CBOR for the signature and reduce the count of the array that holds the signatures by 1. I looked over my COSE implementation (“t_cose”) to try to confirm and I don’t see anything that binds signatures to each other. It might be easier to convince a verifier to ignore some signatures than to rewrite the COSE_Sign message, but I don’t know your use case. For example, t_cose has plug-ins for signature type handling. You could probably make a NULL plug-in for a particular algorithm LL On Dec 23, 2024, at 9:46 AM, Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>> wrote: Hi Panos, I've not used the "multiple signatures" feature of JOSE or COSE much, but I believe that signatures can be added, or removed incrementally. You could use crit in the top level header to try to force a verifier to be aware of some specific construction, or some application specific digest structure as noted here: https://datatracker.ietf.org/doc/html/rfc9052#section-1-8 Here are some other references I found while trying to craft a reply to your message: https://github.com/cose-wg/Examples/blob/master/sign-tests/ecdsa-01.json https://datatracker.ietf.org/doc/html/rfc8152#appendix-C.1.2 https://www.rfc-editor.org/rfc/rfc7515.html#section-5.2 Here is some code showing how the multiple signature structure is used: https://github.com/erdtman/cose-js/blob/master/lib/sign.js#L108 Regards, OS On Fri, Dec 20, 2024 at 1:35 PM Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:40amazon.com@dmarc.ietf.org>> wrote: Hi COSE WG, Pardon my COSE illiteracy, but I could not find the answer. COSE can carry multiple signatures of the content which are validated independently. But could I take COSE legitimate content signed with SigAlgo1 and SigAlgo2, and remove the Algo2 signature structure, so that the verifier will only validate with Algo1? CMS prevents this by a new MultipleSignatures signed attribute defined in https://www.rfc-editor.org/rfc/rfc5752 which signifies that there are more signatures for the content and thus the other signatures cannot be stripped. I could not find if such functionality is available in COSE. Thank you, Panos _______________________________________________ COSE mailing list -- cose@ietf.org<mailto:cose@ietf.org> To unsubscribe send an email to cose-leave@ietf.org<mailto:cose-leave@ietf.org> -- ORIE STEELE Chief Technology Officer www.transmute.industries<http://www.transmute.industries> [https://ci3.googleusercontent.com/mail-sig/AIorK4xqtkj5psM1dDeDes_mjSsF3ylbEa5EMEQmnz3602cucAIhjLaHod-eVJq0E28BwrivrNSBMBc]<https://transmute.industries/> _______________________________________________ COSE mailing list -- cose@ietf.org<mailto:cose@ietf.org> To unsubscribe send an email to cose-leave@ietf.org<mailto:cose-leave@ietf.org>
- [COSE] Strip signatures from COSE_Sign structures? Kampanakis, Panos
- [COSE] Re: Strip signatures from COSE_Sign struct… Orie Steele
- [COSE] Re: Strip signatures from COSE_Sign struct… lgl island-resort.com
- [COSE] Re: Strip signatures from COSE_Sign struct… Kampanakis, Panos
- [COSE] Re: Strip signatures from COSE_Sign struct… Anders Rundgren
- [COSE] Re: Strip signatures from COSE_Sign struct… lgl island-resort.com
- [COSE] Re: Strip signatures from COSE_Sign struct… Kampanakis, Panos
- [COSE] Re: Strip signatures from COSE_Sign struct… Michael Richardson
- [COSE] Re: Strip signatures from COSE_Sign struct… Orie Steele
- [COSE] Re: Strip signatures from COSE_Sign struct… Russ Housley