Re: [COSE] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

Neil Madden <neil.madden@forgerock.com> Wed, 23 October 2019 13:21 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 527C01208DC for <cose@ietfa.amsl.com>; Wed, 23 Oct 2019 06:21:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DvtR-_rrNrPg for <cose@ietfa.amsl.com>; Wed, 23 Oct 2019 06:21:42 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 372391208E2 for <cose@ietf.org>; Wed, 23 Oct 2019 06:21:42 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id v6so2655882wmj.0 for <cose@ietf.org>; Wed, 23 Oct 2019 06:21:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Z9lGnkYjleT29c9TFLIwpUkXxm2oVQFuczo+pGXJCX0=; b=jMBE1fgTus9eOv6kSn2wq+nJQmyXSeymmns4sHS8INvWEzzZEt1rKgUK6gHT7Z/7BW abvT3qjXlYiWc2cnDP+B41fY94qudCWYevRJ+iSR9JOunsDNZWo7ASCztyfho7u3NBuo A4G8zdkudgD6P/C49rT0TS0vfjflLiHxJBVJc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Z9lGnkYjleT29c9TFLIwpUkXxm2oVQFuczo+pGXJCX0=; b=oJbPUXQEDYIeAIA1hlzAd7gdAsspSHSo3MV4xDsw7kRAWAa9AurxdSwQe8jsUXfdY0 KzSHfeU5aHEb0IYZOMq408Y4eq3x4osMln/iWmQekQNmuX3Yy0r49GlMFieRt/lIv7/y BBAaatmJJTmDr6VSspbxplXGALMniGCZGh7OEYUnE2oVTOLTsEfxHb+PQo/Jj1BPVwAq mfgHwD20nMFcsVcm68xHs+ro1Jmj212U95KF0i6ayZBAFrqRK5PUpKkmPINyxuyF4sGU CfxFG9oQ3aEIp6DEG3hDPftFy6rpx/fQfIg/+xYqjurA6a3mpsggax7qgkM4agiuCyfb Chdg==
X-Gm-Message-State: APjAAAUdZ8Zo00V89d1oP+aiA+HKDKjqhd5pfR/z85Z8tAKEYHJyjUSD PVE++rvVgXxhdsTX3cenkbR4Cg==
X-Google-Smtp-Source: APXvYqxAXTIYpIOY9u0pYivrYUMR0K0FcFQgoBeA13QBGZYClf1ZWuHs0JwUiWBfu2hS3QeuDEhQVg==
X-Received: by 2002:a7b:cb0b:: with SMTP id u11mr7806977wmj.125.1571836900475; Wed, 23 Oct 2019 06:21:40 -0700 (PDT)
Received: from [192.168.2.104] (77-44-110-214.xdsl.murphx.net. [77.44.110.214]) by smtp.gmail.com with ESMTPSA id o70sm28718847wme.29.2019.10.23.06.21.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Oct 2019 06:21:39 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <5B5DD1EA-33F6-4703-B757-66B324CD3706@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0916241F-F107-4C35-BE0B-0F1822E0E526"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 23 Oct 2019 14:21:36 +0100
In-Reply-To: <00ce01d588eb$6eee22d0$4cca6870$@augustcellars.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>, cose <cose@ietf.org>, draft-ietf-cose-webauthn-algorithms@ietf.org
To: Jim Schaad <ietf@augustcellars.com>
References: <CAJFkdRzEF0wh9-H4dDNQeUHVd_VD8KKv1jOJ7BWs+bKN2e6gBQ@mail.gmail.com> <000001d56dc2$e14f20c0$a3ed6240$@augustcellars.com> <BN8PR00MB05639A215FF3352F58B31F0AF5690@BN8PR00MB0563.namprd00.prod.outlook.com> <00ce01d588eb$6eee22d0$4cca6870$@augustcellars.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/KRWVsjoESq6KSKX7WL2C02MSjoE>
Subject: Re: [COSE] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2019 13:21:45 -0000

A couple of additional data points with regard to deterministic ECDSA (sorry Mike!):

 - While deterministic ECDSA is generally more secure, I gather that it is not (yet?) a FIPS-approved nonce-generation method. So people with FIPS requirements won't be able to use it, sigh.

 - In the specific context of IoT where devices may be physically vulnerable, deterministic ECDSA and EdDSA have both been shown to be susceptible to fault attacks (see e.g. [1] and [2]). In particular, deterministic ECDSA may be *more* vulnerable to such attacks than randomized ECDSA. The linked papers offer some proposed countermeasures. For CWT usage, I believe including a fresh random "cti" claim in every signed token would reduce the effectiveness of these attacks dramatically as the signature generation will be effectively randomized while also being nonce reuse misuse-resistant.

If I was going to propose wording, perhaps something along these lines:

====
Implementations SHOULD use a deterministic algorithm to generate the ECDSA nonce, k, such as [RFC 6979]. In situations where devices are vulnerable to physical attacks, deterministic ECDSA has been shown to be susceptible to fault injection attacks [refs]. Where this is a possibility, implementations SHOULD implement appropriate countermeasures. Where there are specific certification requirements (such as FIPS approval), implementors should check whether deterministic ECDSA is an approved nonce generation method.
====

[1]: https://research.kudelskisecurity.com/2017/10/04/defeating-eddsa-with-faults/
[2]: https://eprint.iacr.org/2017/1014.pdf

--
Neil Madden
Security Director  |  ForgeRock
e neil.madden@forgerock.com
web https://www.forgerock.com

> On 22 Oct 2019, at 16:14, Jim Schaad <ietf@augustcellars.com> wrote:
> 
> I forgot to respond to this one
>  
> From: Mike Jones <Michael.Jones@microsoft.com> 
> Sent: Monday, October 21, 2019 5:00 PM
> To: Jim Schaad <ietf@augustcellars.com>; 'cose' <cose@ietf.org>
> Cc: draft-ietf-cose-webauthn-algorithms@ietf.org
> Subject: RE: [COSE] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms
>  
> Thanks for your review, Jim.  Responses are inline, prefixed by “Mike>”.
>  
>                                                        -- Mike
>  
> From: Jim Schaad <ietf@augustcellars.com> 
> Sent: Tuesday, September 17, 2019 6:46 PM
> To: 'cose' <cose@ietf.org>
> Cc: draft-ietf-cose-webauthn-algorithms@ietf.org
> Subject: RE: [COSE] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms
>  
> I start this review by copying forward all of my comments on draft-jones-cose-additional-algorithms-00
>  
>  
> Please include text related to deterministic ECDSA in this text.
>  
> Mike> What do you want this text to say?  I’m reluctant to use the text at https://tools.ietf.org/html/rfc8152#section-8.1, which says that “implementations SHOULD use a deterministic algorithm”, which is misleading, in that it implies that there are many such algorithms that could be used.  In fact, exactly one is being specified.
>  
> [JLS] I was unaware that there is only one possible deterministic algorithm, any keyed hash algorithm can be used to generate the deterministic ‘k’ to be used for the signature algorithm.  There is not a requirement that the secret value be the private key for the signature key pair, one could generate a private value just for that purpose.  Independent of that, the default ECDSA algorithm specifications all say use a random value of ‘k’ rather than a deterministic value and the use of the deterministic value is far more secure.
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose