IETF Logo Mail Archive

Re: [COSE] COSE Support for AES-CTR and AES-CBC

Russ Housley <housley@vigilsec.com> Wed, 09 November 2022 09:52 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95E44C14CF13 for <cose@ietfa.amsl.com>; Wed, 9 Nov 2022 01:52:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8p2qjmtQGPBV for <cose@ietfa.amsl.com>; Wed, 9 Nov 2022 01:52:14 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C74ECC14CEFC for <cose@ietf.org>; Wed, 9 Nov 2022 01:52:14 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id A030193FED; Wed, 9 Nov 2022 04:52:13 -0500 (EST)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id C766794283; Wed, 9 Nov 2022 04:52:12 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <179614CA-DA1A-4BFB-BC83-0D1EBDFC6B6A@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_648185B8-38E4-4959-A8A6-BE3BAFCEB2BF"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Wed, 09 Nov 2022 04:52:10 -0500
In-Reply-To: <A8BA2A76-B402-444F-A616-E642CEB99CBB@vigilsec.com>
Cc: Carsten Bormann <cabo@tzi.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "Arciszewski, Scott" <scottarc@amazon.com>, "Zundel, Brent" <brent.zundel@avast.com>, "cose@ietf.org" <cose@ietf.org>
To: Sophie Schmieg <sschmieg@google.com>
References: <CAGi82uNOmJJdO2HKcE8M491Vv_PLgk8J8vvfsEE88CMZkmALmw@mail.gmail.com> <a69db82e96374a36b1f7164da3c5556e@amazon.com> <CAEEbLAZXLmvQbXkdqJcO2erQLVBic3gfuGPv8XRTSxZRiAaAvQ@mail.gmail.com> <6791A073-9A6D-4B9F-BE35-6C577C3D5CCC@tzi.org> <CAEEbLAab3jckpU1+9_tOZFsnPKt7G=cCpbLGK=QKHejem2VzGQ@mail.gmail.com> <DBBPR08MB591506256FED669E6FC23ED5FA369@DBBPR08MB5915.eurprd08.prod.outlook.com> <93D7CFD8-8526-4D99-896E-5FECF2ECF1B9@tzi.org> <62258369-1D53-4996-8868-FA77723E5CE1@vigilsec.com> <308A3B89-2B00-47AE-885D-41C3D530651E@tzi.org> <F92F8239-F16F-454A-BD6C-92DBDCFD6FFF@vigilsec.com> <CAEEbLAZ=_4d5zyMrUYhNEx-+_A6rDAyFTPEVu6tQavBtB6FqbA@mail.gmail.com> <A8BA2A76-B402-444F-A616-E642CEB99CBB@vigilsec.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.10 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/IMqwPqi_-WkZAGhRE5hz7lkWTaY>
Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2022 09:52:18 -0000


> On Nov 8, 2022, at 1:03 PM, Russ Housley <housley@vigilsec.com> wrote:
> 
> Sophie:
> 
>> On Sat, Nov 5, 2022 at 9:29 AM Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
>> The Security Considerations is already longer than the rest of the document.  And, the specification already says that AES-CTR MUST be used with some other integrity mechanism.  In the SUIT environment, the integrity mechanism a digital signature.
>> But using AES-CTR with another integrity mechanism alone does not help, since signature stripping would still work. For an example of a signature stripping attack with AES-CTR, see [1].
>> 
>> All of these issues are in the end avoidable by a good implementation (i.e. one that annotates keys with their algorithm, and does not use the alg field in order to make algorithm decisions), but experience shows that implementers are not always careful reading advisory sections of a spec. A clear distinction on the standard level, making sure that these two things are different and should use different methods does help a lot with this issue, as it acts as a somewhat self-enforcing advisory, and seems to get you exactly what you want in terms of functionality.
>> 
>> I'm slightly confused why you would use COSE at all if you are worried about overhead, instead of using the output format of the cryptographic standard directly, that seems to be a preferable choice for this use case?
>> 
>> [1] https://blog.cryptographyengineering.com/2016/03/21/attack-of-week-apple-imessage/ <https://blog.cryptographyengineering.com/2016/03/21/attack-of-week-apple-imessage/>
> 
> I do not believe that a signature stripping attack will work in the SUIT firmware case, as you say with good implementations,  In the SUIT case, if there is no signature, the firmware will be be accepted.


HUGE TYPO:  ... will not be accepted.

Russ

v2.23.0 | Report a Bug | By Email