Re: [COSE] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

Mike Jones <Michael.Jones@microsoft.com> Wed, 23 October 2019 19:20 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Neil Madden <neil.madden@forgerock.com>, Jim Schaad <ietf@augustcellars.com>
CC: cose <cose@ietf.org>, "draft-ietf-cose-webauthn-algorithms@ietf.org" <draft-ietf-cose-webauthn-algorithms@ietf.org>
Date: Wed, 23 Oct 2019 19:20:22 +0000
Message-ID: <BYAPR00MB0565FFE73878304DC8EB94B9F56B0@BYAPR00MB0565.namprd00.prod.outlook.com>
References: <CAJFkdRzEF0wh9-H4dDNQeUHVd_VD8KKv1jOJ7BWs+bKN2e6gBQ@mail.gmail.com> <000001d56dc2$e14f20c0$a3ed6240$@augustcellars.com> <BN8PR00MB05639A215FF3352F58B31F0AF5690@BN8PR00MB0563.namprd00.prod.outlook.com> <00ce01d588eb$6eee22d0$4cca6870$@augustcellars.com> <5B5DD1EA-33F6-4703-B757-66B324CD3706@forgerock.com>
In-Reply-To: <5B5DD1EA-33F6-4703-B757-66B324CD3706@forgerock.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/ZCBVg6_-kr3L8okUtvr22Z9htn8>

Don’t apologize.  You provided proposed wording, which is extremely helpful!

                                                       Thanks Neil,
                                                       -- Mike

From: Neil Madden <neil.madden@forgerock.com>
Sent: Wednesday, October 23, 2019 6:22 AM
To: Jim Schaad <ietf@augustcellars.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>; cose <cose@ietf.org>; draft-ietf-cose-webauthn-algorithms@ietf.org
Subject: Re: [COSE] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

A couple of additional data points with regard to deterministic ECDSA (sorry Mike!):

 - While deterministic ECDSA is generally more secure, I gather that is not (yet?) a FIPS-approved nonce-generation method. So people with FIPS requirements won't be able to use it, sigh.

 - In the specific context of IoT where devices may be physically vulnerable, deterministic ECDSA and EdDSA have both been shown to be susceptible to fault attacks (see e.g. [1] and [2]). In particular, deterministic ECDSA may be *more* vulnerable to such attacks than randomized ECDSA. The linked papers offer some proposed countermeasures. For CWT usage, I believe including a fresh random "cti" claim in every signed token would reduce the effectiveness of these attacks dramatically as the signature generation will be effectively randomized while also being nonce reuse misuse-resistant.

If I was going to propose wording, perhaps something along these lines:

====
Implementations SHOULD use a deterministic algorithm to generate the ECDSA nonce, k, such as [RFC 6979]. In situations where devices are vulnerable to physical attacks, deterministic ECDSA has been shown to be susceptible to fault injection attacks [refs]. Where this is a possibility, implementations SHOULD implement appropriate countermeasures. Where there are specific certification requirements (such as FIPS approval), implementors should check whether deterministic ECDSA is an approved nonce generation method.
====

[1]: https://research.kudelskisecurity.com/2017/10/04/defeating-eddsa-with-faults/
[2]: https://eprint.iacr.org/2017/1014.pdf

--
Neil Madden
Security Director  |  ForgeRock
e neil.madden@forgerock.com
web https://www.forgerock.com
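To make Neil's point concrete (a deterministic signer derives the same k for an identical message, and a fresh random "cti" claim re-randomizes k without depending on the RNG for nonce uniqueness), here is an added Python example that is not code from this thread, the draft, or ForgeRock: it implements the RFC 6979 nonce derivation for P-256 with HMAC-SHA256 and compares the k values a signer would use with and without a fresh cti. The payload encoding is a constructed JSON stand-in (a real CWT is CBOR), and the key and claim values are constructed test data.

```python
import hashlib, hmac, json, os

# Order of the NIST P-256 group (the curve behind ES256); qlen = 256 bits.
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
QLEN, RLEN = 256, 32

def bits2int(b: bytes) -> int:          # RFC 6979 2.3.2
    excess = len(b) * 8 - QLEN           # leftmost QLEN bits of b as an integer
    return int.from_bytes(b, "big") >> max(excess, 0)

def int2octets(x: int) -> bytes:        # RFC 6979 2.3.3
    return x.to_bytes(RLEN, "big")

def bits2octets(b: bytes) -> bytes:     # RFC 6979 2.3.4
    return int2octets(bits2int(b) % Q)

def rfc6979_k(priv: int, msg: bytes) -> int:
    """Deterministic ECDSA nonce k (RFC 6979 3.2) with HMAC-SHA256 over P-256."""
    h1 = hashlib.sha256(msg).digest()
    V, K = b"\x01" * 32, b"\x00" * 32
    for sep in (b"\x00", b"\x01"):        # steps d-g: seed the HMAC-DRBG with x and h1
        K = hmac.new(K, V + sep + int2octets(priv) + bits2octets(h1), "sha256").digest()
        V = hmac.new(K, V, "sha256").digest()
    while True:                           # step h: generate until 1 <= k < Q
        T = b""
        while len(T) * 8 < QLEN:
            V = hmac.new(K, V, "sha256").digest()
            T += V
        k = bits2int(T)
        if 1 <= k < Q:
            return k
        K = hmac.new(K, V + b"\x00", "sha256").digest()
        V = hmac.new(K, V, "sha256").digest()

def cwt_payload(claims: dict, fresh_cti: bool) -> bytes:
    # Constructed stand-in for the bytes a CWT signer hashes (JSON here, CBOR in a real CWT).
    body = dict(claims)
    if fresh_cti:
        body["cti"] = os.urandom(16).hex()  # fresh random token identifier per signature
    return json.dumps(body, sort_keys=True).encode()

def nonces(priv: int, claims: dict, fresh_cti: bool, n: int = 2) -> list:
    # k values a deterministic signer would use for n signatures of the same claims
    return [rfc6979_k(priv, cwt_payload(claims, fresh_cti)) for _ in range(n)]

if __name__ == "__main__":
    d = int.from_bytes(os.urandom(32), "big") % (Q - 1) + 1   # constructed test key
    claims = {"iss": "coap://as.example.com", "sub": "device-42"}  # constructed claims
    print("identical k without cti:", len(set(nonces(d, claims, False))) == 1)
    print("distinct k with fresh cti:", len(set(nonces(d, claims, True))) == 2)
```

Identical k across repeated signatures of the same message is exactly the condition the cited fault attacks rely on, which is why the fresh cti matters; if the RNG behind cti ever repeats, k still differs whenever any other claim differs, and only fully identical payloads share a k.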

On 22 Oct 2019, at 16:14, Jim Schaad <ietf@augustcellars.com> wrote:

I forgot to respond to this one

From: Mike Jones <Michael.Jones@microsoft.com>
Sent: Monday, October 21, 2019 5:00 PM
To: Jim Schaad <ietf@augustcellars.com>; 'cose' <cose@ietf.org>
Cc: draft-ietf-cose-webauthn-algorithms@ietf.org
Subject: RE: [COSE] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

Thanks for your review, Jim.  Responses are inline, prefixed by “Mike>”.

                                                       -- Mike

From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, September 17, 2019 6:46 PM
To: 'cose' <cose@ietf.org>
Cc: draft-ietf-cose-webauthn-algorithms@ietf.org
Subject: RE: [COSE] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

I start this review by copying forward all of my comments on draft-jones-cose-additional-algorithms-00

  1.  Please include text related to deterministic ECDSA in this text.

Mike> What do you want this text to say?  I’m reluctant to use the text at https://tools.ietf.org/html/rfc8152#section-8.1, which says that “implementations SHOULD use a deterministic algorithm”, which is misleading, in that it implies that there are many such algorithms that could be used.  In fact, exactly one is being specified.

[JLS] I was unaware that there is only one possible deterministic algorithm, any keyed hash algorithm can be used to generate the deterministic ‘k’ to be used for the signature algorithm.  There is not a requirement that the secret value be the private key for the signature key pair, one could generate a private value just for that purpose.  Independent of that, the default ECDSA algorithm specifications all say use a random value of ‘k’ rather than a deterministic value and the use of the deterministic value is far more secure.
_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose