IETF Logo Mail Archive

Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers

Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 04 March 2022 06:54 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32F8E3A0D48 for <cose@ietfa.amsl.com>; Thu, 3 Mar 2022 22:54:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2iC4bqI7U1Ku for <cose@ietfa.amsl.com>; Thu, 3 Mar 2022 22:54:09 -0800 (PST)
Received: from mail-wm1-x32a.google.com (mail-wm1-x32a.google.com [IPv6:2a00:1450:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD8A53A0D34 for <cose@ietf.org>; Thu, 3 Mar 2022 22:54:08 -0800 (PST)
Received: by mail-wm1-x32a.google.com with SMTP id r187-20020a1c2bc4000000b003810e6b192aso4554627wmr.1 for <cose@ietf.org>; Thu, 03 Mar 2022 22:54:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:from:subject:to:cc :references:content-language:in-reply-to; bh=Xlz5BFop4XFg+yy1SloyqZ9KvA+5lVLDHM5ncdGQ2HM=; b=S2CoFlAzkANjLNPyjrcePMy5bCoNGtlQiy/lXyrfUNB0YoceEvg2YFwzIoC25LPGW6 SXSAAyMHHme8wr6t7KF4+fUBtafmGPhwMX3xQvW5Ydoh2IfRLFcx9gRQQDSvoD8MQnUP vCTxyLr16F+hQre6H146Mcc3kxKDDK6/3x5y03awjefpqWBm4Q+kmsZ9x3JA/09DTpeR B/VRRkYXGABk7LjksVheiJTXn2bAt8TYS/qN7keQ0tX5rPX+PezqJYsxS1YOPhGSBTqf WgIVnrUvUTLorCE5kRwlgsyCT6l4Q6uMsMepE+mNUvgQifMHkoskDHRjAY1yFBuxYOrr CwTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:from :subject:to:cc:references:content-language:in-reply-to; bh=Xlz5BFop4XFg+yy1SloyqZ9KvA+5lVLDHM5ncdGQ2HM=; b=AJE8+SsVMBc32xvXwzhWyemw+OiUSgVkcOL/wNElox6xqpfB3XVsZkY4VAqbsKEyzM G2tpmpsKM5ya1bArnYPMjX9Wrzb7P38D/zYfqGHl9tt2cREeKkfqLdW2KOwmty3akREO S3WH1XqtG5W5zPCrfpCFd9kncdjKX9ub2qbcyy4VliZTOTbrLRS1FmzcQ8h8HwdNjMOx ahFw8noFmfTT+S9n0v3ZN8cgsRvPqUlGBfO/mePqUkoa5pGH8gF4nGEGmZRLnVpZkSqQ HlmC76d+DoaN25QTfQ1RO36zWglbnleutnkfW6ms/YjVCiQ5xjc+dtNLT2P+lnhkxPuk JZKg==
X-Gm-Message-State: AOAM531ki2sqWb5v0nxnZmCG5Z6tPYh8i5JHAZiiH2SAI3bIeilWsyNw w0Jh8IFUmV1YAxUGYgFEdTFMduNml1c=
X-Google-Smtp-Source: ABdhPJzVUR63aIZ4j3p0Bq7Hn50/h0PjguSecptd1uJ0GajIw4VHf6BqzcH/WgRG70I6+BbQcqe7GQ==
X-Received: by 2002:a1c:a7ce:0:b0:380:eb26:f41a with SMTP id q197-20020a1ca7ce000000b00380eb26f41amr6359525wme.105.1646376846458; Thu, 03 Mar 2022 22:54:06 -0800 (PST)
Received: from [192.168.1.67] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id v12-20020a5d4a4c000000b001e68ba61747sm3895854wrs.16.2022.03.03.22.54.04 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 03 Mar 2022 22:54:05 -0800 (PST)
Content-Type: multipart/alternative; boundary="------------nd5xf09Zu00Z0m2Cuz3XaTLm"
Message-ID: <f4dd91ee-b6e1-2dd4-abaa-21e75b3106b1@gmail.com>
Date: Fri, 4 Mar 2022 07:54:04 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Hannes Tschofenig <hannes.tschofenig@arm.com>, Laurence Lundblade <lgl@island-resort.com>
Cc: Tobias Looker <tobias.looker@mattr.global>, "cose@ietf.org" <cose@ietf.org>
References: <SY4P282MB1274BCAC469DFE3B7284DFB29D039@SY4P282MB1274.AUSP282.PROD.OUTLOOK.COM> <DBBPR08MB5915A5EE40B555A4953E7BA0FA039@DBBPR08MB5915.eurprd08.prod.outlook.com> <SJ0PR00MB10050EBE6EAB4E80584A31B9F5039@SJ0PR00MB1005.namprd00.prod.outlook.com> <280EEA8E-67E4-4E7A-94A6-8C0A60048F81@island-resort.com> <36e34eb7-ee20-3644-4383-1c3f72279fc3@gmail.com> <DBBPR08MB59154C935195F0ADEFD0EC4BFA049@DBBPR08MB5915.eurprd08.prod.outlook.com> <SJ0PR00MB10051A6A8F8D3C9F87896899F5049@SJ0PR00MB1005.namprd00.prod.outlook.com>
Content-Language: en-US
In-Reply-To: <SJ0PR00MB10051A6A8F8D3C9F87896899F5049@SJ0PR00MB1005.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/aHA6IVmBMeL5UHftLZ5x5JeMgG0>
Subject: Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Mar 2022 06:54:15 -0000

On 2022-03-03 18:02, Mike Jones wrote:
>
> We are **definitely** not attempting to change anything about COSE message processing, including how encryption is done.  We are defining an additional header parameter that can be used – that’s it.
>

Dear Mike, what I showed is effectively an /alternative to COSE/. It is a spin-off from an attempt to marry FIDO and CBOR for payment authorizations.  Since FIDO signatures are pretty unique, it is not entirely obvious what to do: https://www.w3.org/TR/webauthn-2/images/fido-signature-formats-figure2.svg

By leaving "Legacy CBOR" [*] behind, you can create FIDO based authorization signatures like this:

{
/ Key 1-9 hold application data /
   1: "1.0",
   2: {
     1: "Space Shop",
     2: "7040566321",
     3: "435.00",
     4: "EUR"
   },
   3: "spaceshop.com",
   4: "FR7630002111110020050014382",
   5: "0057162932",
   6: "https://bankdirect.com",
   7: "additional stuff...",
   8: {
     1: {
       3: "Android",
       4: "10.0"
     },
     2: {
       3: "Chrome",
       4: "103"
     }
   },
   9: "2022-02-02T10:14:07+01:00",
/ Enveloped authorization signature object /
   10: {
/ COSE signatureAlgorithm = ES256 /
     1: -7,
/ COSE publicKey /
     2: {
/ COSE kty = EC /
       1: 2,
/ COSE crv = P-256 /
       -1: 1,
/ COSE x /
       -2: h'e812b1a6dcbc708f9ec43cc2921fa0a14e9d5eadcc6dc63471dd4b680c6236b5',
/ COSE y /
       -3: h'9826dcbd4ce6e388f72edd9be413f2425a10f75b5fd83d95fa0cde53159a51d8'
     },
/ FIDO authenticatorData /
3: h'412e175a0f0bdc06dabf0b1db79b97541c08dbacee7e31c97a553588ee922ea70500000017',
/ FIDO ASN.1 encoded signature /
5: h'304402205c29e1971c0ceb78a977b7fac2aa955ccc8e7d1b6de79e2b9fd1b230313392b70220392d17dacff64bf69a7586cc1aa11e93611a0514ae0c431eef67d47718de763a'
   }
}

The signature validation algorithm then becomes quite simple:
- Collect key and algorithm data from the authorization signature object.
- Save and Remove FIDO "authenticatorData" and FIDO "signature" from the CBOR container.
- Set "authorizationData" = re-serialized CBOR container.
- Verify signature using ("authenticatorData" || sha256(authorizationData) as signed data.

The same model (but without the FIDO specific "authenticatorData" and double hashing) can be applied to most other systems requiring signed CBOR data.  As shown in the previous posting, the core concept fits encryption as well.

I'm considering submitting some of this to the EU ID-Wallet program:
https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/topic-details/digital-2022-deploy-02-electronic-id

Cheers,
Anders

*] The rationale for keeping legacy CBOR seems pretty hollow: https://github.com/cyberphone/D-CBOR/blob/main/d-cbor-4-constrained-devices.md


> -- Mike
>
> *From:*Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> *Sent:* Thursday, March 3, 2022 1:45 AM
> *To:* Anders Rundgren <anders.rundgren.net@gmail.com>om>; Laurence Lundblade <lgl@island-resort.com>om>; Mike Jones <Michael.Jones@microsoft.com>
> *Cc:* Tobias Looker <tobias.looker@mattr.global>al>; cose@ietf.org
> *Subject:* RE: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers
>
> Hi Anders,
>
> Thanks for jumping in.
>
> The example you provide below is actually quite interesting and related to a question I posted to the list a few days ago (see https://mailarchive.ietf.org/arch/msg/cose/9nowDz5kbfUvrGR-o6U1Tm31XAA/).
>
> I am not sure whether the intention of Tobias & Mike are actually to re-define the way how encryption is accomplished. They should confirm.
>
> Ciao
>
> Hannes
>
> *From:*Anders Rundgren <anders.rundgren.net@gmail.com>
> *Sent:* Thursday, March 3, 2022 8:39 AM
> *To:* Laurence Lundblade <lgl@island-resort.com>om>; Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
> *Cc:* Hannes Tschofenig <Hannes.Tschofenig@arm.com>om>; Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>rg>; cose@ietf.org
> *Subject:* Re: [COSE] Newly Submitted Draft - CBOR Web Token (CWT) Claims in COSE Headers
>
> On 2022-03-02 19:33, Laurence Lundblade wrote:
>
>     Makes sense to me. Helps out for the EAT claim named “profile” which gives information about the type of the token you might want before fully verifying it. Addresses an issue Anders brought up about the profile claim.
>
>
> Not so fast  :)  I brought up a bunch of things which can be illustrated by this (just implemented...) example of an encryption object:
>
> 211(["https://example.com/myobject" <https://example.com/myobject>, {
>   / COSE content encryption algorithm = A256GCM /
>   1: 3,
>   / Key encryption container /
>   2: {
>     / COSE Key encryption algorithm = ECDH-ES+A256KW /
>     1: -31,
>     / Key identifier /
>     3: "mykey",
>     / Ephemeral key /
>     5: {
>       / COSE Key type = OKP /
>       1: 1,
>       / COSE Curve = X25519 /
>       -1: 4,
>       / COSE X coordinate /
>       -2: h'33a04b83d4428824b6d5477522d4a88fac4441122bc46136c0203faa308c3929'
>     },
>     / Encrypted key /
>     10: h'e08977c25aeccaecd63b3367de2e2b8f700c82e098ad1e5099d9db510920ccff14debf820427e4ba'
>   },
>   / Tag /
>   8: h'59a84826983e3247fbec4295f75cc138',
>   / IV /
>   9: h'fd8556c122cff2bc128d5119',
>   / Encrypted data /
>   10: h'e16b16c29da5163eb0131dd1f10f080f8850f55df2ae9d89a3b839ad50952858445f290dfb60'
> }])
>
> The core of this builds on /Deterministic CBOR/ which unleashes the /true power/ of CBOR in a way legacy solutions do not.   The enhancements include:
>
>   * Eliminating wrapping of header and (unencrypted) application data.
>   * Using the entire container (modulo the algorithm output variables which are added lastly) as input to a signature process and to the authentication part of an encryption process.  In the example that includes the top-level CBOR tag as well. cryptoOperation(cborObject.encode()) is all that it takes on the encoder's side.
>
> This is pretty much what the X.509 folks have been doing from the very start so there is close to zero innovation here 😁
>
> In the example I have also used a URL as profile/object type indicator since IANA CBOR custom tag 1537244 or whatever you end-up with, simply isn't pretty enough :)  To be more serious: URLs are /decentralized/ and would in this context probably be /browseable/ as well.
>
> Cheers,
> Anders
>
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>

v2.8.7 | Report a Bug | By Email