Re: [COSE] Secdir last call review of draft-ietf-cose-rfc8152bis-algs-08
Roman Danyliw <rdd@cert.org> Tue, 09 June 2020 17:37 UTC
Return-Path: <rdd@cert.org>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5072A3A0ACE; Tue, 9 Jun 2020 10:37:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jwch6uiV4v2V; Tue, 9 Jun 2020 10:37:05 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4368C3A0988; Tue, 9 Jun 2020 10:37:05 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 059Haqt9022512; Tue, 9 Jun 2020 13:36:52 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 059Haqt9022512
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1591724212; bh=NTYim7DEuWDJJAnrcERFzk/bLJPtag4dLZ14mqDNtWA=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=ZJf4rKHzner0BfGqAXMLS52YOPWpe4wq7nybx8WKoe3SP1IhR9ajeZBiP4juBuPte YwVXGJgwpp/ggxeeLcbJ9IhZjlax+zt8kOPfGS7AiPZ8uTxwqbb92ktWy84GOJk25v RufsiULTclyW5H244wraiNJ7V9tdWBgMxv/6B+g0=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 059HapZk009196; Tue, 9 Jun 2020 13:36:51 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by CASSINA.ad.sei.cmu.edu (10.64.28.249) with Microsoft SMTP Server (TLS) id 14.3.487.0; Tue, 9 Jun 2020 13:36:51 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MORRIS.ad.sei.cmu.edu (147.72.252.46) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Tue, 9 Jun 2020 13:36:51 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Tue, 9 Jun 2020 13:36:51 -0400
From: Roman Danyliw <rdd@cert.org>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, Jim Schaad <ietf@augustcellars.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "cose@ietf.org" <cose@ietf.org>, "draft-ietf-cose-rfc8152bis-algs.all@ietf.org" <draft-ietf-cose-rfc8152bis-algs.all@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-cose-rfc8152bis-algs-08
Thread-Index: AQHWNeFt5VhUvxstA0OWoBPYMGiOqajQnTHA
Date: Tue, 09 Jun 2020 17:36:51 +0000
Message-ID: <835a6903f5204feab56d4f76901bb0e1@cert.org>
References: <159052818935.17307.5095159295288146706@ietfa.amsl.com> <041f01d635dd$ad489cf0$07d9d6d0$@augustcellars.com> <B03F352A-C595-477E-92EF-679739369E80@cisco.com>
In-Reply-To: <B03F352A-C595-477E-92EF-679739369E80@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.211]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/XgoEFpPws_W_KLHMLuctaDdts4E>
Subject: Re: [COSE] Secdir last call review of draft-ietf-cose-rfc8152bis-algs-08
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2020 17:37:07 -0000
Hi Nancy, thank you for this review. Hi Jim, thank you for incorporating the feedback in -09 I entered a No Objection ballot. Regards, Roman > -----Original Message----- > From: Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com> > Sent: Friday, May 29, 2020 1:49 PM > To: Jim Schaad <ietf@augustcellars.com>; secdir@ietf.org > Cc: cose@ietf.org; last-call@ietf.org; draft-ietf-cose-rfc8152bis- > algs.all@ietf.org > Subject: Re: Secdir last call review of draft-ietf-cose-rfc8152bis-algs-08 > > Hi Jim, > Thanks for addressing the comments! Answers below: > > On 5/29/20, 10:22 AM, "Jim Schaad" <ietf@augustcellars.com> wrote: > > Hi Nancy, > > Comments inline. > > Jim > > > -----Original Message----- > From: Nancy Cam-Winget via Datatracker <noreply@ietf.org> > Sent: Tuesday, May 26, 2020 2:23 PM > To: secdir@ietf.org > Cc: cose@ietf.org; last-call@ietf.org; draft-ietf-cose-rfc8152bis- > algs.all@ietf.org > Subject: Secdir last call review of draft-ietf-cose-rfc8152bis-algs-08 > > Reviewer: Nancy Cam-Winget > Review result: Has Nits > > IOTDIR review of draft-ietf-cose-rfc8152bis-algs-08 > > Reviewer: Nancy Cam-Winget > > I have reviewed this document as part of the security directorate'sÊ ongoing > effort to review all IETF documents being processed by theÊ IESG.ÊÊThese > comments were written primarily for the benefit of theÊ security area > directors.ÊÊDocument editors and WG chairs should treatÊ these comments > just like any other last call comments. > > This document describes an initial set of cryptographic algorithms used to > protect CBOR, I believe this document is almost ready, barring some editorial > nits (I only made a few below). In general, the description of the "initial" > set of algorithms used in COSE make sense and it is good to see each section > carry their own security section for better mapping of the considerations based > on the security algorithm applied. As a reader (like myself) who is not fully > versant to the nuances of CBOR it was a little hard to follow as the structures > and taxonomy is described in the companion draft (draft-ietf-cose-rfc8152bis- > struct). As a whole, I think the document is close to ready, I only noted a few > technical and editorial nits for the earlier sections below: > > Section 2.1: > - What field does the ECDSA algorithm value map to? I presume it is the 'alg' > field (if present)? But should be made explicit. - It seems that the "should" > in the 4th paragraph is normative (e.g. SHOULD) as it is needed for > interoperability, and perhaps even a MUST as I'm not seeing negotiation or > selection of curve choice. So, if it is to be implicit, then a MUST would be more > appropriate. > [JLS] I have added text to section 1.3 (terminology) to describe the contents > of the tables to make what the value is clearer. > [NCW] Thanks, that will help. > > [JLS] There is no need to negotiate the curve as this is implicit from the size > of the signature. That is P-256 is going to end up with two 256-bit values as > the signature. One implication is that only a single curve of any given length > can be assigned to ECDSA, thus the effort to use the Ed25519 curve with ECDSA > requires a different identifier so that there is no confusion on what curve is > being used. This means that the length of the hash algorithm is not part of this > selection process. It is therefore possible to use SHA-256 with P-521 and SHA- > 512 with P-256 (the hash value is truncated in this case). The only issue is that > if a piece of hardware supports the P-256 curve then it might only support SHA- > 256 and thus would not be able to validate a signature that uses SHA-512. > There is no special security issue here, this is just a recommendation for making > things more likely to succeed. This is the reason that it is not a 'SHOULD' or > 'MUST' but is an 'suggested'. Does this both make things clearer and reduce > the feeling on you part that a stronger statement is needed? > [NCW] Agree that there is no security issue, it was more of breaking > interoperability. I don't feel strongly either way, it was by the way it reads....if > you want to ensure interoperability the it seems that stronger language would > be needed (but that’s my personal bias). > > Section 2.2: > - The rationaleThere may be some corner case in which there may be a very > large > (2K?) structure to be protected. It would be better to quantify "extremely > large" or perhaps another/additional rationale for the need to ONLY do Pure > edDSA is the intent for constrained devices not have enough memory to > compute the block updates. > > [JLS] I don't know that I would consider a 2K message to be very large, I > would expect a firmware update to be at least that large. The issue is that > EdDSA needs to do two passes over the message, this means that the entire > message needs to be held in memory. That would be limitation on what I > would consider to be "extremely large". The presumption is that one is not > going to try and create and stream the object out as this would also require a > streaming processing on the recipient. If streaming is removed from the > equation then there is no benefit not to use Pure EdDSA. This means that ones > idea of large is going to be very device specific. I will not be surprised if some > firmware packages do indirect signing, but the manifest description is still going > to need to fit in memory. > [NCW] 2Kbytes can seem very large to some IoT devices __. But your point is > well taken...sorry if I was too nit-picky....as for guidance I personally prefer to > have quantification (ranges). > > Section 4.1.1: > - GCM's limitation for one encryption string is 2^39-256 e.g. not "a single > key"....so sufficiently large for COSE! However, it does mean that the nonce > MUST be unique for every encrypted message (e.g. the bullet before this one is > correct). I think the limit for one key using GCM is based on the size of the > nonce as it must be unique. > [JLS] You are going to make me look this up again. However I think that this > limit may end up being smaller with more modern analysis so going back and > re--checking this is going to be worthwhile. It just will take a few days. > [NCW] No worries, as an early adopter of GCM, I do recall that number being > for a packet.... > > Section 4.2: > - 'k' is the key size in bits (I presume), would be good to describe that before > the table. > [JLS] I changed the title of the column to 'Key Length' > [NCW] Thanks. > > Editorial nits: > Section 1.5 > - The second sentence is hard to parse. Is it that the intermediate values > used for debugging are represented in both a hex as well as a CBOR diagnostic > notation format"? - Third sentence, is it that some examples were designed to > fail (e.g. they are "failure test bases")? > [JLS] I have updated this section. I think that this should solve your issues. > <t> > A GitHub project has been created at <https://github.com/cose- > wg/Examples> that contains a set of testing examples as well. > Each example is found in a JSON file that contains the inputs used to > create the example, some of the intermediate values that can be used for > debugging, and the output of the example. > The results are encoded using both hexadecimal and CBOR diagnostic > notation format. > </t> > <t> > Some of the examples are designed to test failure case; these are > clearly marked as such in the JSON file. > If errors in the examples in this document are found, the examples on > GitHub will be updated, and a note to that effect will be placed in the JSON file. > </t> > [NCW] Thank you, I can parse this better. > > Section 2.2: > - The rationale for why Pure EdDSA is used only (vs. HashEdDSA) may leave > more room for questions; as there may be some corner case in which there may > be a very large (2K?) structure to be protected. For those that are in the > healthcare sector (of IoT), I could see potential for large blocks and may wonder > what qualifies as "extremely large". RFC 8032 speaks to HashEdDSA as > providing better collision resilience...so am inclined to suggest to either remove > this rationale or be more complete in justification. > [JLS] See above. > [NCW] OK > > Section 3.1 > - 3rd paragraph: "Some recipient algorithms carry the key while others derive > a key from secret data"....I think you mean "Some algorithms are used to > transmit a key, e.g. key wrapping." "Carry the key", in this sentence leads me > to imply it's the same key being used in the HMAC. > [JLS] This is the same key that is being used in the HMAC algorithm. I have > changed "carry" to "transport" because I think that is going to be clearer. > [NCW] Yes, indeed, that makes it better. > > > >
- [COSE] Secdir last call review of draft-ietf-cose… Nancy Cam-Winget via Datatracker
- Re: [COSE] Secdir last call review of draft-ietf-… Jim Schaad
- Re: [COSE] Secdir last call review of draft-ietf-… Nancy Cam-Winget (ncamwing)
- Re: [COSE] Secdir last call review of draft-ietf-… Jim Schaad
- Re: [COSE] Secdir last call review of draft-ietf-… Nancy Cam-Winget (ncamwing)
- Re: [COSE] Secdir last call review of draft-ietf-… Roman Danyliw