IETF Logo Mail Archive

Re: [COSE] Authentication tag

Samuel Erdtman <samuel@erdtman.se> Mon, 20 March 2017 19:57 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C759126C0F for <cose@ietfa.amsl.com>; Mon, 20 Mar 2017 12:57:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qn1MPR-Yihtc for <cose@ietfa.amsl.com>; Mon, 20 Mar 2017 12:57:52 -0700 (PDT)
Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAFE113161E for <cose@ietf.org>; Mon, 20 Mar 2017 12:57:50 -0700 (PDT)
Received: by mail-oi0-x231.google.com with SMTP id a94so27822944oic.2 for <cose@ietf.org>; Mon, 20 Mar 2017 12:57:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CCc0VwqSNBea00KSwYKXUuU4X8/D1k5MQp0D60mLXNA=; b=mZ+coyznY51jFlepbKQeSH93grIDB6NhjPdqlEIhMMebUPNb9qikKScVnsh1QQ21GA PD0dTdtiC7UZEGzKfsdf98QQkfUjgO4UbjvAnGi+INv55tiLhvnSWh/vMHs4cKh7txhM gELSL/bn8JSnHGtkDLWKevElggvt4UInAplV6dsl1sn8OiNFh/zGKnYPn3cyI/KDqg8X MrvEyXNrjIoR9MrPK+h8mja4S8zxulfg4Vgc3dAot03x2bJ8omhI6rCY1uNuAz4057VM yPkth2+9/GL3vIE2ZJEYNUHJ3E+Tzg0cHZVL9irNpu1xzf7KXoAvFqQl3+hZJSHUrSyE WKJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CCc0VwqSNBea00KSwYKXUuU4X8/D1k5MQp0D60mLXNA=; b=cgEojNlTTS6pP4jAjr2V2iwk1aqUQkDSRKQUojHeBoOf13HAITJUsEszkXR0IrulAm 45dUOXjzOi665Tog+0Xdg4Qka+GbDiuhrS1o9nJUq8Gx1wSBLMOv1VGtpP8GKbHpjXQO Go3wTXuYq3a5hB0oL2sI07EOYUjrVb/pVoD6M2GlgCitOhvQzx2P7LnP7Zk97AYnWMAq P3XNQYY00vvv2YUoa6V6+/TS0kocFaNxgS1XHbImXA20Vks5hQtTVqO8UxAvq9IgKICi Y3/ntqqMsC/jtK4IbLoqyrm8OLo3jMWcNlCAG6xuVWj570zq+4E7+W8R51jSELvBCeJP nUow==
X-Gm-Message-State: AFeK/H2SDSD40WFVLTOeqpsCnUZZJUsUhytKhCZzazlH+EQvtG9dLBlRQ+BmW7BTTKNbpbj7F4AcWvBua22Z5g==
X-Received: by 10.202.231.69 with SMTP id e66mr10417172oih.34.1490039870058; Mon, 20 Mar 2017 12:57:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.125.40 with HTTP; Mon, 20 Mar 2017 12:57:49 -0700 (PDT)
In-Reply-To: <016501d2a02b$ecd2edd0$c678c970$@augustcellars.com>
References: <CAF2hCbYALonNaZ6BrmEhYosCrNsJqLmHs3YMupjOCeRxav2X9A@mail.gmail.com> <00f701d29f43$c278fd60$476af820$@augustcellars.com> <CAF2hCbbsEm7YNpPmQj_e2b-zfKyZ9B9E1BjLUPyZjbd44jtcNw@mail.gmail.com> <016501d2a02b$ecd2edd0$c678c970$@augustcellars.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Mon, 20 Mar 2017 20:57:49 +0100
Message-ID: <CAF2hCbZB_QtDHWexdzWWzhe4iWfF38JMBJf6CLwnPtL_KuESCA@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="001a1141ad7c2808a6054b2ef16e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/XQufXxQ_MxF2u4XIfYfxStkytn8>
Subject: Re: [COSE] Authentication tag
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2017 19:58:05 -0000

Thanks again!

I think this will add some clarity for tormentors.

//Samuel

On Sat, Mar 18, 2017 at 10:09 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> There are two different schools of thought about where to put the
> authentication tag.  RFC 5116 was designed so that it is part of the
> standard set of parameters rather than separate.  Thus, for GCM, it is
> included as part of the cipher text.  For SIV mode it is the IV and there
> is no extra authentication tag.
>
>
>
> Other encodings have made the fields be separate, JOSE and CMS keep the
> tag and the cipher text as separate items and, for some systems, you then
> get the opposite world of needed to combined them when doing decryption
> operation.   The decision of where and how authentication tags are placed
> is always going to be an encoding decision and not part of the encryption
> algorithm.
>
>
>
> The decision was made to combine them for COSE because it saved an
> additional field, and thus one or more bytes are removed from the
> encoding.  This followed the guidance of trying for very short encodings.
>
>
>
> I have filed an issue to remember this at the next revision.
>
>
>
> Jim
>
>
>
>
>
>
>
> *From:* Samuel Erdtman [mailto:samuel@erdtman.se]
> *Sent:* Saturday, March 18, 2017 1:08 PM
> *To:* Jim Schaad <ietf@augustcellars.com>; ilariliusvaara@welho.com
> *Cc:* cose <cose@ietf.org>
> *Subject:* Re: Authentication tag
>
>
>
> Thanks Jim and Ilari for the quick replies.
>
> So if I understand it correctly RFC 5116 defines AE and AEAD with the
> requirement to bundle the tag with the ciphertext, so it would not be
> allowed to put the tag in the COSE headers.
>
> Section 10 Content Encryption Algorithms, gives a hint of where to find
> the tag, 'normally' appended. Forgive me my ignorance, but does GCM have a
> more normative requirement on the location of the tag in a ciphertext?
>
> If GCM does not mandate the location of the tag in the ciphertext and we
> cannot put it in a header attribute then I would like more explicit
> language about where to find/put the tag.
>
> Once again thanks for the quick and enlightening reply.
>
> Cheers
>
> //Samuel
>
>
>
>
>
> On Fri, Mar 17, 2017 at 6:27 PM, Jim Schaad <ietf@augustcellars.com>
> wrote:
>
> From Section 10:
>
>
>
> COSE restricts the set of legal content encryption algorithms to those
> that support authentication both of the content and additional data. The
> encryption process will generate some type of authentication value, but
> that value may be either explicit or implicit in terms of the algorithm
> definition. For simplicity sake, the authentication code will normally be
> defined as being appended to the cipher text stream. The encryption
> functions are:
>
>
>
>
>
> *From:* Samuel Erdtman [mailto:samuel@erdtman.se]
> *Sent:* Friday, March 17, 2017 9:50 AM
> *To:* cose <cose@ietf.org>; Jim Schaad <ietf@augustcellars.com>
> *Subject:* Authentication tag
>
>
>
> Hi
>
> I´m working on a JavaScript implementation of the COSE msg specification,
> currently working on the GCM encryption.
>
> In the nodejs crypto environment the authentication tag is set separately
> i.e. a specific setAuthTag call. I looked into openssl and could see that
> that was the case there too.
>
> In the examples provided with the COSE specification I could find out that
> the auth tag is appends to the end of the ciphertext.
>
> I tried to find this described in the COSE specification but could not
> find it. It might be described in some refereed specification but it was
> not obvious to me at least.
>
> If it is not to late I would suggest that authentication tag is lifted out
> from the ciphertext and into the unprotected header similar to IV. Or that
> it is explicitly described that the authentication tag should be appended
> to the ciphertext.
>
> Cheers
>
> Samuel Erdtman
>
>
>
>
>

v2.23.0 | Report a Bug | By Email