Re: [COSE] Comments on draft-ietf-cose-hash-sig-01

John Mattsson <john.mattsson@ericsson.com> Fri, 22 March 2019 10:26 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Russ Housley <housley@vigilsec.com>
CC: "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] Comments on draft-ietf-cose-hash-sig-01
Thread-Index: AQHU4B32R9GV+Fyim0mAnuvESWE626YW42oAgACgZAA=
Date: Fri, 22 Mar 2019 10:25:59 +0000
Message-ID: <8EFF0E2A-FAB4-4FD2-BE0A-30783F69EE8F@ericsson.com>
References: <ED269B27-5C8D-4FC5-B763-08ED099314F7@ericsson.com> <C6A2F659-AA0E-449C-9043-9FD8BE10CB39@vigilsec.com>
In-Reply-To: <C6A2F659-AA0E-449C-9043-9FD8BE10CB39@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/E6ApKPKlESQQSZwySJAVF1l27OE>
Subject: Re: [COSE] Comments on draft-ietf-cose-hash-sig-01

Thanks Russ,

Your suggested updates seem great.

>> - "The CBOR Object Signing and Encryption (COSE) [RFC8152] supports two
>>   signature algorithm schemes."
>> 
>>    With RSA it is already three. Maybe remove this sentence?

>I am not talking about algorithms here.  I am talking about full signature and COSE_Sign0.

Ok, I see that the terminology is taken from Section 8 of RFC 8152:

   There are two signature algorithm schemes.  The first is signature
   with appendix.  In this scheme, the message content is processed and
   a signature is produced; the signature is called the appendix.  This
   is the scheme used by algorithms such as ECDSA and the RSA
   Probabilistic Signature Scheme (RSASSA-PSS).  (In fact, the SSA in
   RSASSA-PSS stands for Signature Scheme with Appendix.)

I do however find the terminology quite confusing as the term "scheme" is used on different levels. But that is more a comment for draft-ietf-cose-rfc8152bis-struct than draft-ietf-cose-hash-sig.

>> -  The other COSE Key types define how the private and public key is stored in the COSE_Key structure. The HSS-LMS key type does not seem to do that, instead it only works as an identifier of the public/private key. I think the document should either
>> 
>>       - Define how to store the public key in the COSE_Key structure, or
>> 
>>       - Describe that the HSS-LMS key type is only an identifier and does not store the key pair. In that case I think the
>>         description "Description:  Public key for HSS/LMS hash-based digital signature" should be changed as well to
>>          include the word "identifier".
>    
>   Okay.  The public key is an octet string.  The internal structure of that octet string is summarized in Section 2.2, and it is fully specified in [HASHSIG].  Also, the IANA Considerations include a new entry in the "COSE Key Types" registry for the HSS/LMS public key.
>    
>> - As the algorithm and COSE_Key only contains the information "HSS-LMS" and no information regarding the tree size and LM-OTS variant I assume the signer and verifier gets this information elsewhere (or does not need it). I think it would be good if the draft shortly clarified this.
>    
>The signature value encodes that information as summarized in Section 2, and it is fully specified in [HASHSIG].

I have no doubt that the specification is correct, and that everything is fully specified in [HASHSIG]. BTW, Sections 2.1 - 2.3 give an excellent summary of HASHSIG. My feeling was just that some more short high-level description would be helpful for developers implementing the draft. Such a developer would likely not have any understanding of [HASHSIG] and would likely take a [HASHSIG] implementation from the Internet and try to integrate it in their COSE implementation. Even for a developer that has previously implemented ECDSA or RSA signatures, [HASHSIG] works quite differently as there are many public/private key pairs and the public/private key pairs are not stored in the COSE_Key structure as with RSA and ECDSA.

I think it would be good if the draft gave some more guidance to a developer trying to integrate an existing HASHSIG library in their COSE implementation. But that is just a suggestion. I do not have strong feelings about this. I have not tried to actually implement it, and I do not yet have the detailed knowledge of HASHSIG to suggest what such guidance would actually say.

Cheers,
John

-----Original Message-----
From: Russ Housley <housley@vigilsec.com>
Date: Friday, 22 March 2019 at 07:40
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "cose@ietf.org" <cose@ietf.org>
Subject: Re: [COSE] Comments on draft-ietf-cose-hash-sig-01

    John:
    
    > Some high level comments below. I need to read draft-mcgrew-hash-sigs in more detail before giving more comments. 
    > 
    > - Section 1.1: I think some short info on the threat from Shor's algorithm would be good. I don't think [BH2013] talked about quantum computers.
    
    Right.  [BH2013] is about advances in cryptanalysis. [PQC] is about the consequences of a large-scale quantum computer.  I suggest:
    
       If large-scale quantum computers are ever built, these computers will
       be able to break many of the public-key cryptosystems currently in
       use.  A post-quantum cryptosystem [PQC] is a system that is secure
       against quantum computers that have more than a trivial number of
       quantum bits (qu-bits).  It is open to conjecture when it will be
       feasible to build such computers; however, RSA, DSA, ECDSA, and EdDSA
       are all vulnerable if large-scale quantum computers come to pass.
    
    > - Section 1.1: "RSA, DSA, and ECDSA are not post-quantum secure"
    > Add EdDSA to the list.
    
    As above.
    
    > - Section 1.1 " depend on discrete logarithm or factoring"
    > I suggest "depend on the hardness of ... " or something similar.
    
    Yes, indeed.  I suggest:
    
       The HSS/LMS signature algorithm does not depend on the difficulty of
       discrete logarithm or factoring, as a result these algorithms are
       considered to be post-quantum secure.
    
    > - "The CBOR Object Signing and Encryption (COSE) [RFC8152] supports two
    >   signature algorithm schemes."
    > 
    >    With RSA it is already three. Maybe remove this sentence?
    
    I am not talking about algorithms here.  I am talking about full signature and COSE_Sign0.
    
    > -  The other COSE Key types define how the private and public key is stored in the COSE_Key structure. The HSS-LMS key type does not seem to do that, instead it only works as an identifier of the public/private key. I think the document should either
    > 
    >       - Define how to store the public key in the COSE_Key structure, or
    > 
    >       - Describe that the HSS-LMS key type is only an identifier and does not store the key pair. In that case I think the
    >         description "Description:  Public key for HSS/LMS hash-based digital signature" should be changed as well to
    >          include the word "identifier".
    
    Okay.  The public key is an octet string.  The internal structure of that octet string is summarized in Section 2.2, and it is fully specified in [HASHSIG].  Also, the IANA Considerations include a new entry in the "COSE Key Types" registry for the HSS/LMS public key.
    
    > - As the algorithm and COSE_Key only contains the information "HSS-LMS" and no information regarding the tree size and LM-OTS variant I assume the signer and verifier gets this information elsewhere (or does not need it). I think it would be good if the draft shortly clarified this.
    
    The signature value encodes that information as summarized in Section 2, and it is fully specified in [HASHSIG].
    
    > Nits:
    > 
    > "{{SHS}}"
    
    Fixed.
    
    Russ
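As an added example, not part of this thread and not code from the draft or from any HSS/LMS library: a Python parser that follows the [HASHSIG] encodings Russ points to (the u32str-prefixed HSS public key octet string and the nested HSS/LMS/LM-OTS signature value) and recovers the number of levels, the LMS tree height and the LM-OTS variant from those octet strings alone, then checks that each level of the signature agrees with the public key that signs it. The type tables and layouts are those of RFC 8554, the published [HASHSIG]; the sample key and signature are constructed filler with the right structure, not real test vectors, and the code checks layout only, not the hash chains.

```python
"""Structural parser for HSS/LMS public keys and signatures as encoded in
[HASHSIG] (RFC 8554).  Parses and cross-checks layout only; the hash chains
are not verified.  Added example, not code from the draft or any library."""
import struct

# LM-OTS types, RFC 8554 Section 4.1: type -> (name, n, p)
LMOTS = {1: ("LMOTS_SHA256_N32_W1", 32, 265), 2: ("LMOTS_SHA256_N32_W2", 32, 133),
         3: ("LMOTS_SHA256_N32_W4", 32, 67), 4: ("LMOTS_SHA256_N32_W8", 32, 34)}
# LMS types, RFC 8554 Section 5.1: type -> (name, m, h)
LMS = {5: ("LMS_SHA256_M32_H5", 32, 5), 6: ("LMS_SHA256_M32_H10", 32, 10),
       7: ("LMS_SHA256_M32_H15", 32, 15), 8: ("LMS_SHA256_M32_H20", 32, 20),
       9: ("LMS_SHA256_M32_H25", 32, 25)}

def u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated u32")
    return struct.unpack(">I", buf[off:off + 4])[0]

def parse_lms_public_key(buf, off=0):
    """LMS public key: u32str(type) || u32str(otstype) || I[16] || T[1][m].
    Returns ((lms_type, lmots_type), end_offset)."""
    lms_type, lmots_type = u32(buf, off), u32(buf, off + 4)
    if lms_type not in LMS or lmots_type not in LMOTS:
        raise ValueError("unknown LMS/LM-OTS type in public key")
    end = off + 8 + 16 + LMS[lms_type][1]
    if end > len(buf):
        raise ValueError("truncated LMS public key")
    return (lms_type, lmots_type), end

def parse_hss_public_key(buf):
    """HSS public key: u32str(L) || top-level LMS public key.  Returns (L, types)."""
    levels = u32(buf, 0)
    if not 1 <= levels <= 8:
        raise ValueError("invalid number of HSS levels")
    types, end = parse_lms_public_key(buf, 4)
    if end != len(buf):
        raise ValueError("trailing bytes after HSS public key")
    return levels, types

def parse_lms_signature(buf, off):
    """LMS signature: u32str(q) || LM-OTS sig || u32str(type) || path[h],
    where LM-OTS sig = u32str(otstype) || C[n] || y[0..p-1][n].
    Returns ((q, (lms_type, lmots_type)), end_offset)."""
    q, lmots_type = u32(buf, off), u32(buf, off + 4)
    if lmots_type not in LMOTS:
        raise ValueError("unknown LM-OTS type in signature")
    n, p = LMOTS[lmots_type][1:]
    type_off = off + 8 + n + p * n          # skip C and the p chain values
    lms_type = u32(buf, type_off)
    if lms_type not in LMS:
        raise ValueError("unknown LMS type in signature")
    m, h = LMS[lms_type][1:]
    if q >= 1 << h:
        raise ValueError("leaf index q exceeds tree height")
    end = type_off + 4 + h * m
    if end > len(buf):
        raise ValueError("truncated LMS signature")
    return (q, (lms_type, lmots_type)), end

def parse_hss_signature(buf, levels):
    """HSS signature: u32str(Nspk) || (sig[i] || pub[i+1]) * Nspk || sig[Nspk].
    Returns per-level signature infos and the embedded lower-level public keys."""
    nspk = u32(buf, 0)
    if nspk + 1 != levels:                  # check from RFC 8554 Section 6.2
        raise ValueError("Nspk+1 does not match L from the public key")
    sigs, pubs, off = [], [], 4
    for _ in range(nspk):
        sig, off = parse_lms_signature(buf, off)
        pub, off = parse_lms_public_key(buf, off)
        sigs.append(sig)
        pubs.append(pub)
    sig, off = parse_lms_signature(buf, off)
    sigs.append(sig)
    if off != len(buf):
        raise ValueError("trailing bytes after HSS signature")
    return sigs, pubs

def check_parameters(pub_key_bytes, sig_bytes):
    """Recover (LMS name, LM-OTS name) per level from the signature, after checking
    that each level's types match the public key that signs that level."""
    levels, top = parse_hss_public_key(pub_key_bytes)
    sigs, pubs = parse_hss_signature(sig_bytes, levels)
    out = []
    for key_types, (q, sig_types) in zip([top] + pubs, sigs):
        if key_types != sig_types:
            raise ValueError("signature parameters disagree with public key")
        out.append((LMS[sig_types[0]][0], LMOTS[sig_types[1]][0]))
    return out

def parameters_agree(pub_key_bytes, sig_bytes):
    try:
        check_parameters(pub_key_bytes, sig_bytes)
        return True
    except ValueError:
        return False

# Builders for constructed, structurally valid but cryptographically meaningless
# vectors: filler bytes stand in for the real hashes and chain values.
def build_lms_pub(lms_type, lmots_type):
    return struct.pack(">II", lms_type, lmots_type) + b"\x11" * 16 + b"\x22" * LMS[lms_type][1]

def build_lms_sig(q, lms_type, lmots_type):
    n, p = LMOTS[lmots_type][1:]
    m, h = LMS[lms_type][1:]
    return (struct.pack(">II", q, lmots_type) + b"\x33" * (n + p * n)
            + struct.pack(">I", lms_type) + b"\x44" * (h * m))

# Constructed sample: two-level HSS, both levels LMS_SHA256_M32_H5 / LMOTS_SHA256_N32_W4.
SAMPLE_PUBLIC_KEY = struct.pack(">I", 2) + build_lms_pub(5, 3)
SAMPLE_SIGNATURE = (struct.pack(">I", 1) + build_lms_sig(0, 5, 3)
                    + build_lms_pub(5, 3) + build_lms_sig(7, 5, 3))

if __name__ == "__main__":
    print(check_parameters(SAMPLE_PUBLIC_KEY, SAMPLE_SIGNATURE))
```

The point for a COSE integrator is visible in `check_parameters`: nothing beyond the 60-byte public key octet string and the signature value is needed to learn the tree height and LM-OTS variant, so no extra COSE_Key parameters are required, and a verifier should reject a signature whose embedded types or level count disagree with the key before doing any hash work.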