IETF Logo Mail Archive

Re: [COSE] COSE Support for AES-CTR and AES-CBC

David Brown <david.brown@linaro.org> Fri, 28 October 2022 14:45 UTC

Return-Path: <david.brown@linaro.org>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3D86C14CE42 for <cose@ietfa.amsl.com>; Fri, 28 Oct 2022 07:45:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=linaro.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D0FtHLENnGp9 for <cose@ietfa.amsl.com>; Fri, 28 Oct 2022 07:45:16 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25653C14CE37 for <cose@ietf.org>; Fri, 28 Oct 2022 07:45:16 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id bb5so3549578qtb.11 for <cose@ietf.org>; Fri, 28 Oct 2022 07:45:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=yUOpWhSFYPGUmuQNJ9is8/DUC+tCKY+xFSA8fQj/yqo=; b=qG0zXu2AU1TKnq1lzn0PbYWNjqWUNC6+2J4Sk7ujHwdmRXmNYf4Js+Yft1fF2S15GU 6/4TS584/rTHVwvnHZ95Bmrs6KFmx0ZrQL47SL17q3HtQMjGZDTvD819KgRzlZrLTlUx gphdCNehRwPafCfUHpO4rw4kfDrcEjJgZBrXM3CzpfYOWCPDasgv1T0oM4MMR0ck/sxJ lE1rK/6whldJFI5EKaXoTv65+W6jr6T/hjW/BRvoWNZfkMMf4MV0xggo4QLZ0u0INgRJ IfBpPlnlZXXblpo5wGB+YJDGa5acv6L7dRHshNpNTmDydQMfExUWWOH3aK5wAcdAWZxZ iX0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=yUOpWhSFYPGUmuQNJ9is8/DUC+tCKY+xFSA8fQj/yqo=; b=CCqPIBtJTwWz8Zy2lwcS54uoJU1O/vmh023RYkjAQqlZWZtY/DjzB4fpbg86SFVKEP Yr/cxNGkm/G61GrAOF7ef5iXXiAC1EYwUmd0AqIaaDUHVF7Z3LPZfjWYHtcQtD4hMb4/ aI7ni+G0qzESyE+8g3zLvAW5Diq+a4pjq2MJc/aru2Wjv2f9tfFVff6r2Z0vRSom9b4+ boA/I7KaQEQcOGnkI00ypKFp+gW/3SlEQwaDU+5zhMH7Y9bVRMHL34FD4GSWmhuP072E PVctLkxgDNo8MTm+3bEConpyB4mjNn2jXmOe2lCuMQ2BGjuhSClRrtX+28Xnv8MGX4zk Nh+Q==
X-Gm-Message-State: ACrzQf0GznjtlpXr1+rdtC4Y4L2OYlCQ4G3EGUWQLlba8SU3bz+giM+p Ojwz3pvOOitT2cAoE8CVVJUMddD1jAi86A==
X-Google-Smtp-Source: AMsMyM4bctILb12mbUtaomJQZjmQXdnPs6RL4J1vRESoEpyRizjBMRKunPkQRwb8RfwMatHZX+GDlw==
X-Received: by 2002:a05:6638:3181:b0:363:703a:388 with SMTP id z1-20020a056638318100b00363703a0388mr36979182jak.105.1666968304617; Fri, 28 Oct 2022 07:45:04 -0700 (PDT)
Received: from davidb.org ([2601:282:4000:1f61:d9c0:36a:9668:4953]) by smtp.gmail.com with ESMTPSA id k15-20020a02334f000000b003738c0a80b4sm1754294jak.144.2022.10.28.07.45.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 28 Oct 2022 07:45:03 -0700 (PDT)
Date: Fri, 28 Oct 2022 08:45:01 -0600
From: David Brown <david.brown@linaro.org>
To: Russ Housley <housley@vigilsec.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>, "Arciszewski, Scott" <scottarc=40amazon.com@dmarc.ietf.org>, "Zundel, Brent" <brent.zundel=40avast.com@dmarc.ietf.org>, "cose@ietf.org" <cose@ietf.org>
Message-ID: <Y1vq7ezTZ+/TeELE@davidb.org>
References: <CAGi82uNOmJJdO2HKcE8M491Vv_PLgk8J8vvfsEE88CMZkmALmw@mail.gmail.com> <a69db82e96374a36b1f7164da3c5556e@amazon.com> <CAEEbLAZXLmvQbXkdqJcO2erQLVBic3gfuGPv8XRTSxZRiAaAvQ@mail.gmail.com> <DBBPR08MB59154655A83674320C831E32FA329@DBBPR08MB5915.eurprd08.prod.outlook.com> <a14fb861-5575-1896-0636-478148062562@cs.tcd.ie> <93270E49-2197-433A-A5A0-C8484ED26BE5@vigilsec.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="B88fkjCKWxfJnbYq"
Content-Disposition: inline
In-Reply-To: <93270E49-2197-433A-A5A0-C8484ED26BE5@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/P2ywJr14pqmFaYM4ygod1rTImH8>
Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2022 14:45:20 -0000

On Fri, Oct 28, 2022 at 10:21:30AM -0400, Russ Housley wrote:

> > For this purpose ciphers without integrity protection are used to
> >   encrypt the firmware image.  Integrity protection for the firmware
> >   image must, however, be provided and the the suit-parameter-image-
> >   digest, defined in Section 8.4.8.6 of [I-D.ietf-suit-manifest], MUST
> >   be used.
> > 
> > I'm not convinced by that. Why couldn't you just store
> > the tag for each chunk wherever the signature is stored?
> > 
> > Overall, I'd say defining non-AEAD modes doesn't seem
> > like a good trade-off.

> AES-CCM and AES-GCM require the authentication check to be performed
> before any plaintext is returned.  So, one would have to have a
> separate tag for each storage block, which adds a lot of overhead
> and complexity, especially since there is already a digital
> signature over the whole thing.

In the case described, there simply isn't storage space for a tag per
block.  This use case performs a full signature check on the image
before making use of it, as Russ mentions.

In the firmware update case, the system needs to be able to verify the
signature of the image, even after the image has been decrypted, there
has to be a signature that covers the entire plaintext.  Additional
space for tags would reduce the space available for the firmware
itself.  The decryption happens during an image upgrade state.  Any
attack that results in modified plaintext would prevent the firmware
from running, as the signature check would fail.

The goal here is to make these algorithms available for a use-case
where they are already being used, and significant resource
constraints make other solutions unavailable.  We would like to be
able to register these algorithms in such a way that it is clear that
they should not be adopted for any new use, while at the same time
capturing this existing use case.

David

v2.23.0 | Report a Bug | By Email