Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Fri, 10 July 2015 17:11 UTC

Date: Fri, 10 Jul 2015 20:11:18 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Derek Atkins <derek@ihtfp.com>
Message-ID: <20150710171118.GA20991@LK-Perkele-VII>
References: <CA+k3eCQUPxZfWM9XcKaTLN-WOx2cHEi9SAGSRFTtv71iSCUqdQ@mail.gmail.com> <559576A9.9090002@gmx.net> <BY2PR03MB442C02F758E34B29BBD0CEAF5970@BY2PR03MB442.namprd03.prod.outlook.com> <001001d0b90c$3c874af0$b595e0d0$@augustcellars.com> <00c501d0b9a5$c8f869d0$5ae93d70$@augustcellars.com> <CA+k3eCS-7UK9RDfnkKCLK0ApTdNhSamYY3LL73+e1=rBvz7vDA@mail.gmail.com> <sjmlheo6t1j.fsf@securerf.ihtfp.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <sjmlheo6t1j.fsf@securerf.ihtfp.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/_beZ_zRs8XcMqHoGlI5O66sU1Yk>
Cc: Jim Schaad <ietf@augustcellars.com>, Brian Campbell <bcampbell@pingidentity.com>, Mike Jones <Michael.Jones@microsoft.com>, cose@ietf.org
Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)
Precedence: list

On Fri, Jul 10, 2015 at 09:28:24AM -0400, Derek Atkins wrote:
> 
> Performing a MAC using the output of a DH (be it ECDH, AEDH, or raw DH)
> can still tell you that the transmission has not been modified between
> you and the party you're talking to.  You're right that it tells you
> nothing about the party you're talking to (i.e., without authentication
> of the DH keys you have no idea if you're talking to a MITM or the real
> endpoint).  However, using DH + MAC does tell you that you're not being
> spoofed by a "passive" eavesdropper.
> 
> So IMHO it does have some benefit.

It occurs to me that any sort of asymmetric key management with MACs
is unsafe, since knowing just public key enables message forgery.

This does not straightforwardly extend to symmetric schems (like
key wrapping), but are those useful with MACs?


-Ilari

[Cose] Key management for MACs (was Re: Review of… Brian Campbell
Re: [Cose] Key management for MACs (was Re: Revie… Hannes Tschofenig
Re: [Cose] Key management for MACs (was Re: Revie… Mike Jones
Re: [Cose] Key management for MACs (was Re: Revie… Hannes Tschofenig
Re: [Cose] Key management for MACs (was Re: Revie… Jim Schaad
Re: [Cose] Key management for MACs (was Re: Revie… Jim Schaad
Re: [Cose] Key management for MACs (was Re: Revie… Derek Atkins
Re: [Cose] Key management for MACs (was Re: Revie… Jim Schaad
Re: [Cose] Key management for MACs (was Re: Revie… Brian Campbell
Re: [Cose] Key management for MACs (was Re: Revie… Jim Schaad
Re: [Cose] Key management for MACs (was Re: Revie… Ilari Liusvaara
Re: [Cose] Key management for MACs (was Re: Revie… Brian Campbell
Re: [Cose] Key management for MACs (was Re: Revie… Derek Atkins
Re: [Cose] Key management for MACs (was Re: Revie… Derek Atkins
Re: [Cose] Key management for MACs (was Re: Revie… Ilari Liusvaara
Re: [Cose] Key management for MACs (was Re: Revie… Jim Schaad
Re: [Cose] Key management for MACs (was Re: Revie… Brian Campbell
Re: [Cose] Key management for MACs (was Re: Revie… Mike Jones
Re: [Cose] Key management for MACs (was Re: Revie… Brian Campbell
Re: [Cose] Key management for MACs (was Re: Revie… Brian Campbell
Re: [Cose] Key management for MACs (was Re: Revie… Jim Schaad
Re: [Cose] Key management for MACs (was Re: Revie… Jim Schaad
Re: [Cose] Key management for MACs (was Re: Revie… Brian Campbell
Re: [Cose] Key management for MACs (was Re: Revie… Brian Campbell
Re: [Cose] Key management for MACs (was Re: Revie… Jim Schaad
Re: [Cose] Key management for MACs (was Re: Revie… Mike Jones
Re: [Cose] Key management for MACs (was Re: Revie… Brian Campbell
Re: [Cose] Key management for MACs (was Re: Revie… Derek Atkins
Re: [Cose] Key management for MACs (was Re: Revie… Ilari Liusvaara