Re: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

Russ Housley <housley@vigilsec.com> Mon, 15 March 2021 16:58 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <DE090650-4B4B-48C9-B4A5-3B809E1C1FF4@ericsson.com>
Date: Mon, 15 Mar 2021 12:58:19 -0400
Cc: cose <cose@ietf.org>
Message-Id: <46B45227-684C-4CDB-A2B6-20BA70E89DF6@vigilsec.com>
References: <DE090650-4B4B-48C9-B4A5-3B809E1C1FF4@ericsson.com>
To: John Mattsson <john.mattsson@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/NRKDD16wFBky5PB2y3-s93KCb0M>
Subject: Re: [COSE] draft-ietf-cose-countersign-02 - Security problems with COSE_Encrypt and COSE_Encrypt0 with CCM_8

John:

Are you asking for additional text in the security considerations to warn against short MACs?  If so, can you provide the first draft of such text?

Russ


> On Mar 12, 2021, at 3:12 AM, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi,
> 
> When I analysed an earlier version of Group OSCORE some years ago it had severe security problems when used with CCM_8 + Countersignature. The attacks were pretty bad. 64-bit offline complexity against source authentication/availability from a different person in the group and something slightly over 32-bit online security (collecting 2^32 messages) against source authentication/availability from a third party outside of the group. The problem was that the countersignature relied on the AEAD tag for integrity protection of the additional data. This was fixed in Group OSCORE by adding all the additional data to the signature as well.
> 
> The use case of Countersignatures is "Countersignatures provide a method of having a second party sign some data." In this case I don't think CCM_8 + Countersignature provides the expected security. Unless you can put all the additional data to the signature as well, I think CCM_8 + Countersignature needs to be forbidden.
> 
> I don't really see why Group OSCORE is using countersign in the first place, it seems like a relic from a time when it was assumed that OSCORE would be a single COSE structure on the wire as well.
> 
> Cheers,
> John
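
The construction John describes, as an added worked example that is not part of the thread and not Group OSCORE or COSE code: when the countersignature covers only the ciphertext and the AEAD tag, the additional data is bound to the signer only through the truncated tag, so a group member who holds the shared AEAD key can search offline for a different AAD that produces the same tag, and the signature still verifies. Signing the AAD directly (the fix John mentions) closes that gap. Everything below is constructed for illustration: a stand-in AEAD (SHA-256 keystream plus an HMAC tag truncated to TAG_LEN bytes) is used in place of AES-CCM, an HMAC under the sender's private key stands in for the asymmetric countersignature, the tag is cut to 16 bits so the search runs in well under a second (CCM_8's 8-byte tag makes the same search about 2^64 work, the "64-bit offline" figure in the message), and all keys, nonces and AAD strings are made up.

```python
import hashlib
import hmac

# Toy AEAD standing in for AES-CCM (assumption: only the tag truncation matters
# for the point being made). This is NOT CCM and must not be used for real data.
TAG_LEN = 2  # 16-bit tag for a fast demo; COSE CCM_8 uses 8 bytes (2^64 search).


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _tag(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag_len: int) -> bytes:
    # The tag is the only thing binding the AAD to the ciphertext.
    msg = nonce + len(aad).to_bytes(4, "big") + aad + ct
    return hmac.new(key, msg, hashlib.sha256).digest()[:tag_len]


def aead_encrypt(key: bytes, nonce: bytes, aad: bytes, pt: bytes, tag_len: int = TAG_LEN):
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return ct, _tag(key, nonce, aad, ct, tag_len)


def aead_verify(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(_tag(key, nonce, aad, ct, len(tag)), tag)


# Countersignature stand-in: HMAC under the sender's private signing key (assumption).
def countersign_ct_only(sign_key: bytes, ct: bytes, tag: bytes) -> bytes:
    # Weak construction: the signature covers ciphertext and tag only, so the
    # AAD is protected only by the truncated AEAD tag.
    return hmac.new(sign_key, b"v1" + ct + tag, hashlib.sha256).digest()


def countersign_with_aad(sign_key: bytes, aad: bytes, ct: bytes, tag: bytes) -> bytes:
    # Fixed construction: the AAD is part of the signed data.
    msg = b"v2" + len(aad).to_bytes(4, "big") + aad + ct + tag
    return hmac.new(sign_key, msg, hashlib.sha256).digest()


def verify_ct_only(sign_key: bytes, ct: bytes, tag: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(countersign_ct_only(sign_key, ct, tag), sig)


def verify_with_aad(sign_key: bytes, aad: bytes, ct: bytes, tag: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(countersign_with_aad(sign_key, aad, ct, tag), sig)


def forge_aad(group_key: bytes, nonce: bytes, original_aad: bytes, ct: bytes, tag: bytes):
    """Insider search: a group member knows group_key, so it can try AAD values
    offline until one yields the same truncated tag. Expected cost 2^(8*len(tag))."""
    i = 0
    while True:
        candidate = b"attacker-aad-" + i.to_bytes(4, "big")
        if candidate != original_aad and _tag(group_key, nonce, candidate, ct, len(tag)) == tag:
            return candidate, i + 1
        i += 1


def run_demo() -> dict:
    group_key = bytes(range(16))            # constructed shared group AEAD key
    sign_key_a = b"member-A-private-key"    # constructed signing key of member A
    nonce = b"\x00" * 12
    aad = b"sender=A;seq=7"                 # constructed external AAD
    ct, tag = aead_encrypt(group_key, nonce, aad, b"hello group")
    sig_v1 = countersign_ct_only(sign_key_a, ct, tag)
    sig_v2 = countersign_with_aad(sign_key_a, aad, ct, tag)
    forged_aad, tries = forge_aad(group_key, nonce, aad, ct, tag)
    return {
        "tries": tries,
        "forged_aad": forged_aad,
        "aead_accepts_forged_aad": aead_verify(group_key, nonce, forged_aad, ct, tag),
        "v1_accepts_forged_aad": verify_ct_only(sign_key_a, ct, tag, sig_v1),
        "v2_accepts_forged_aad": verify_with_aad(sign_key_a, forged_aad, ct, tag, sig_v2),
        "v2_accepts_original": verify_with_aad(sign_key_a, aad, ct, tag, sig_v2),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")
```

Running it shows the AEAD accepting the forged AAD after on the order of 2^16 tries, the ciphertext-only countersignature still verifying (it never saw the AAD), and the AAD-covering countersignature rejecting the forgery. Only the work factor changes with the real tag size: the search is bounded by the tag length, not by the signature, which is why the signature has to cover the additional data itself.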