Re: [COSE] COSE Support for AES-CTR and AES-CBC
Russ Housley <housley@vigilsec.com> Wed, 26 October 2022 21:51 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C88CC15259D for <cose@ietfa.amsl.com>; Wed, 26 Oct 2022 14:51:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oaJa0pVXkHGO for <cose@ietfa.amsl.com>; Wed, 26 Oct 2022 14:51:40 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9B6DC152596 for <cose@ietf.org>; Wed, 26 Oct 2022 14:51:39 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 16EFF92829; Wed, 26 Oct 2022 17:51:39 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id B893B92902; Wed, 26 Oct 2022 17:51:38 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <39D0918E-F757-4205-9D27-882E4587F95A@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0A1E3C4D-B586-4D11-A455-EFA95B87790F"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Wed, 26 Oct 2022 17:51:37 -0400
In-Reply-To: <32d84d35531543469a4a196a7b137cb1@amazon.com>
Cc: "cose@ietf.org" <cose@ietf.org>
To: "Arciszewski, Scott" <scottarc@amazon.com>
References: <CO1PR00MB13086039D60B9997AE5F5928F54E9@CO1PR00MB1308.namprd00.prod.outlook.com> <SA1PR00MB1310AB40F32B3B2E9FC36D31F5239@SA1PR00MB1310.namprd00.prod.outlook.com> <ADE35F26-5BF8-4205-A8B5-36C1F55E8207@vigilsec.com> <32d84d35531543469a4a196a7b137cb1@amazon.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.09 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/WjasYhC4dxf2mVngxRB-dwjaPtg>
Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Oct 2022 21:51:41 -0000
Scott: > Introducing AES-CTR and/or AES-CBC into COSE tokens that already support AES-GCM will open the GCM implementations to new security issues. Namely, potential padding oracle vulnerabilities. I think that adding a reference to the existing paragraph in the Security Considerations will address this concern: With AES-CBC mode, implementers SHOULD perform integrity checks prior to decryption to avoid padding oracle vulnerabilities [Vaudenay]. > At minimum, the Security Considerations section of draft-ietf-cose-aes-ctr-and-cbc-01 needs to call this risk out: Applications that encrypt or decrypt with AES-GCM *MUST NOT* support AES-GCM or AES-CTR with the same cryptographic materials, due to the existence of cross-protocol issues. One way to safeguard users from potential misuse is to use a separate "type" for keys used with unauthenticated encryption modes; similar to how COSE distinguishes MACs from Signatures. I suggest an addition paragraph in the Security Considerations: To avoid cross-protocol concerns, implementations MUST NOT use the same keying material with AES-CTR and AES-GCM. Likewise, implementations MUST NOT use the same keying material with AES-CTR and AES-CCM. > Additionally, I'd like to recommend sharing this draft with the CFRG mailing list to ensure it has the appropriate level of oversight from the IETF's cryptography experts. AES-CTR and AES-CBC are not new cryptographic modes. New techniques deserve CFRG review, but AES-CTR and AES-CBC have been included in RFCs for many years. Russ
- [COSE] Call for adoption of CBOR Object Signing a… Mike Jones
- Re: [COSE] Call for adoption of CBOR Object Signi… Hannes Tschofenig
- Re: [COSE] Call for adoption of CBOR Object Signi… Russ Housley
- Re: [COSE] Call for adoption of CBOR Object Signi… Ken Takayama
- Re: [COSE] Call for adoption of CBOR Object Signi… Brendan Moran
- Re: [COSE] Call for adoption of CBOR Object Signi… Emmanuel Baccelli
- [COSE] Call for adoption of CBOR Object Signing a… David Brown
- [COSE] Call for adoption of CBOR Object Signing a… Russ Housley
- Re: [COSE] Call for adoption of CBOR Object Signi… Mike Prorock
- Re: [COSE] Call for adoption of CBOR Object Signi… Orie Steele
- Re: [COSE] Call for adoption of CBOR Object Signi… Blumenthal, Uri - 0553 - MITLL
- Re: [COSE] Call for adoption of CBOR Object Signi… Mike Jones
- [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Arciszewski, Scott
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Zundel, Brent
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Arciszewski, Scott
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Sophie Schmieg
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Hannes Tschofenig
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Stephen Farrell
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC David Brown
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Sophie Schmieg
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Carsten Bormann
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Sophie Schmieg
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Hannes Tschofenig
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Carsten Bormann
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Carsten Bormann
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Carsten Bormann
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Brendan Moran
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Brendan Moran
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Ilari Liusvaara
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Scott Fluhrer (sfluhrer)
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Brendan Moran
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Carsten Bormann
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Sophie Schmieg
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC David Brown
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Brendan Moran