IETF Logo Mail Archive

Re: [COSE] COSE Support for AES-CTR and AES-CBC

Russ Housley <housley@vigilsec.com> Fri, 28 October 2022 14:21 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C2B0C14CE30 for <cose@ietfa.amsl.com>; Fri, 28 Oct 2022 07:21:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sloEJqfyr0RH for <cose@ietfa.amsl.com>; Fri, 28 Oct 2022 07:21:33 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6008CC14CF0B for <cose@ietf.org>; Fri, 28 Oct 2022 07:21:33 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 2B9C4999F1; Fri, 28 Oct 2022 10:21:32 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 8CCC699C22; Fri, 28 Oct 2022 10:21:31 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <93270E49-2197-433A-A5A0-C8484ED26BE5@vigilsec.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_287D19CC-75E3-4FA9-95EA-E3BA0BE6FD0C"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Fri, 28 Oct 2022 10:21:30 -0400
In-Reply-To: <a14fb861-5575-1896-0636-478148062562@cs.tcd.ie>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>, "Arciszewski, Scott" <scottarc=40amazon.com@dmarc.ietf.org>, "Zundel, Brent" <brent.zundel=40avast.com@dmarc.ietf.org>, "cose@ietf.org" <cose@ietf.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <CAGi82uNOmJJdO2HKcE8M491Vv_PLgk8J8vvfsEE88CMZkmALmw@mail.gmail.com> <a69db82e96374a36b1f7164da3c5556e@amazon.com> <CAEEbLAZXLmvQbXkdqJcO2erQLVBic3gfuGPv8XRTSxZRiAaAvQ@mail.gmail.com> <DBBPR08MB59154655A83674320C831E32FA329@DBBPR08MB5915.eurprd08.prod.outlook.com> <a14fb861-5575-1896-0636-478148062562@cs.tcd.ie>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.09 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/OQ8PF-ViQeyBQQcsIi92p5MQBrY>
Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2022 14:21:37 -0000


> On Oct 28, 2022, at 7:27 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> Signed PGP part
> 
> Hiya,
> 
> I was curious as to how this requirement might arise so I
> took a look...
> 
> On 28/10/2022 10:44, Hannes Tschofenig wrote:
>> https://datatracker.ietf.org/doc/html/draft-ietf-suit-firmware-encryption-09
>> provides a more detailed description of the firmware update scenario,
>> see particularly Section 8.
> That says:
> 
>   The ability to restart an interrupted firmware update is often a
>   requirement for low-end IoT devices.  To fulfill this requirement it
>   is necessary to chunk a firmware image into sectors and to encrypt
>   each sector individually using a cipher that does not increase the
>   size of the resulting ciphertext (i.e., by not adding an
>   authentication tag after each encrypted block).
> 
> And then...
> 
> For this purpose ciphers without integrity protection are used to
>   encrypt the firmware image.  Integrity protection for the firmware
>   image must, however, be provided and the the suit-parameter-image-
>   digest, defined in Section 8.4.8.6 of [I-D.ietf-suit-manifest], MUST
>   be used.
> 
> I'm not convinced by that. Why couldn't you just store
> the tag for each chunk wherever the signature is stored?
> 
> Overall, I'd say defining non-AEAD modes doesn't seem
> like a good trade-off.
> 
> S.

Stephen:

AES-CCM and AES-GCM require the authentication check to be performed before any plaintext is returned.  So, one would have to have a separate tag for each storage block, which adds a lot of overhead and complexity, especially since there is already a digital signature over the whole thing.

Russ

v2.23.0 | Report a Bug | By Email