Re: [COSE] Updated message recovery algorithm text
Benjamin Kaduk <kaduk@mit.edu> Tue, 15 September 2020 17:55 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E90E73A15B4 for <cose@ietfa.amsl.com>; Tue, 15 Sep 2020 10:55:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fbH2Agipg31M for <cose@ietfa.amsl.com>; Tue, 15 Sep 2020 10:55:23 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 751CA3A15B5 for <cose@ietf.org>; Tue, 15 Sep 2020 10:55:23 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 08FHtHju031664 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 15 Sep 2020 13:55:20 -0400
Date: Tue, 15 Sep 2020 10:55:17 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jim Schaad <ietf@augustcellars.com>
Cc: cose@ietf.org
Message-ID: <20200915175517.GO89563@kduck.mit.edu>
References: <008c01d687e9$074a7c20$15df7460$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <008c01d687e9$074a7c20$15df7460$@augustcellars.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Pb3BHLbVtlzghiD0s_iQrhUkZug>
Subject: Re: [COSE] Updated message recovery algorithm text
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2020 17:55:25 -0000
Hi Jim, Overall this seems a fine tack to take, but see comments inline. On Thu, Sep 10, 2020 at 08:09:54PM -0700, Jim Schaad wrote: > Below is the text that I am proposing for COSE Struct. The changes are all > in the last 5 paragraphs. > > Jim > > > > The second scheme is signature with message recovery (an example of I wonder if we could toss in a word or two about these being "general classes of signature scheme" where we first bring it up (i.e., for signature with appendix). > such an algorithm is [PVSig]). In this scheme, the message content > is processed, but part of it is included in the signature. Moving > bytes of the message content into the signature allows for smaller > signatures; the signature size is still potentially large, but the > message content has shrunk. This has implications for systems > implementing these algorithms and for applications that use them. > The first is that the message content is not fully available until > after a signature has been validated. Until that point, the part of > the message contained inside of the signature is unrecoverable. The > second is that the security analysis of the strength of the signature > is very much based on the structure of the message content. Messages > that are highly predictable require additional randomness to be > supplied as part of the signature process. In the worst case, it > becomes the same as doing a signature with appendix. Finally, in the > event that multiple signatures are applied to a message, all of the > signature algorithms are going to be required to consume the same > number of bytes of message content. This means that the mixing of Not just the same number; the same actual bytes, too. (Right?) > the different schemes in a single message is not supported, and if a > recovery signature scheme is used, then the same amount of content > needs to be consumed by all of the signatures. > > The signature functions for this scheme are: > > signature, message sent = Sign(message content, key) > > valid, message content = Verification(message sent, key, signature) > > Since there have not yet been any message recovery signature > algorithms formally defined for COSE, it is very likely that there > are going to be issues that arise that have not been anticipated yet. I think this should get wordsmithed a bit. The RFC Editor can probably help, but here's my take: % No message recovery signature algorithms have been formally defined for % COSE yet, and given the new constraints that such schemes impose on % usage, it is likely that there will be additional issues that arise when % integrating message-recovery signature algorithms with COSE. (And to be clear, this chunk is the main part that goes to resolving my Discuss point.) > There are some issues that have been identified that the first such (This could have a better transition from the rewritten previous paragraph, maybe "Some such issues have already been identified, and the first such [...]") > algorithm is going to need to make decisions about. These issues > include: > > * The message content being signed is not the same as the message > content that is transported. This is because we build a larger > message for the signature process. The number of bytes contained > in the message may exceed the number of bytes of payload, but not "contained in the message" means "recovered during signature validation", right? We may want to use a more precise term than "payload" since there are several different variants floating around during this process. > the number of bytes signed. This may lead to privacy > considerations if, for example, the application external data > contains confidential information. (The "application external data" is the stuff that's covered under the signature but not transmitted?) > * There may be difficulties in determining where the recovered > message matches up with the to be signed value because bytes other > than the payload are included in the recovered message. One > possible option would be to create a padding scheme to prevent > that. > > * Not all of these signature algorithms take the recovered bytes > from the end of the message. If the recovered bytes are taken I would suggest rephrasing to not privilege the end of the message (or, alternatively, to be more explicit about that being the COSE expectation); perhaps "take the recovered bytes from the same position of their input". > from the start of the message then, by default, none of the > signature payload may be included in the message recovery data. (which would, of course, entail some changes to this sentence as well...) > One possible option to deal with this is to reverse the to-be- > signed data in the event that bytes are taken from the start > rather than end of the message. > > Signature algorithms are used with the COSE_Signature and COSE_Sign1 > structures. At this time, only signatures with appendixes are ("at the time of this writing" seems to be preferred in terms of aging well.) > defined for use with COSE; however, considerable interest has been > expressed in using a signature with message recovery algorithm due to > the effective size reduction that is possible. Thanks, Ben
- [COSE] Updated message recovery algorithm text Jim Schaad
- Re: [COSE] Updated message recovery algorithm text Matthew Miller
- Re: [COSE] Updated message recovery algorithm text Benjamin Kaduk
- Re: [COSE] Updated message recovery algorithm text Jim Schaad
- Re: [COSE] Updated message recovery algorithm text Benjamin Kaduk
- Re: [COSE] Updated message recovery algorithm text Rene Struik