IETF Logo Mail Archive

Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

Brian Campbell <bcampbell@pingidentity.com> Fri, 10 July 2015 21:56 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ED0D1A0354 for <cose@ietfa.amsl.com>; Fri, 10 Jul 2015 14:56:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: YES
X-Spam-Score: 8.979
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FB_MORE_SIZE=10.357, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RWcvZl7d0jkD for <cose@ietfa.amsl.com>; Fri, 10 Jul 2015 14:56:14 -0700 (PDT)
Received: from mail-ig0-x22e.google.com (mail-ig0-x22e.google.com [IPv6:2607:f8b0:4001:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 146781A0363 for <cose@ietf.org>; Fri, 10 Jul 2015 14:56:14 -0700 (PDT)
Received: by igrv9 with SMTP id v9so22453460igr.1 for <cose@ietf.org>; Fri, 10 Jul 2015 14:56:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=pOcPOeLDevaPWCdP2xlSj8EVAKPOmwBNTPX/fElgkTk=; b=baPIgZZsZ01lkOTCaWLO9EKmfTkKVKdt4qlvZz0kheD4JqkMdWEE+say8hoxwhn3RX 6tsJFxOqJCHCt746NnfyTUy+yvPXuwAGavL4iYk3MEH/i/3f7o2cfUfz28fKV5QJ9zcv 9zWq3fpB0mSSOEeexp+y7YcOmPkxNfdie7gXg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=pOcPOeLDevaPWCdP2xlSj8EVAKPOmwBNTPX/fElgkTk=; b=QWqYSOXyJWvXmWGrPlEJ1IX7ZiIbgU5AMOhYSfe4vDVYm+8zOQgZzaQyJ9yXYMjRPj lzQkux+e+RpRFCnMvM2X/y8FaJl9OYFTPuo0pjo0H49i1COsSQOl87+Zlw0STLu+DpQt OsV/kIbSXjWtThPnGqqDWvVCGSGBuTfrAeDC2gw0JGWteRjOYrtVgimEW+edx27L2j0P FkZL5C66wx0o2L7DER+2zl1ug+EI8mjrP65j2fanq/eMr6QLpkUAMAFBlA8TSkMZ42pA Gx0T8nInBFbz7udy6HBmLguENHIcwF3E2VTNorzhqGEz0LU3xEVYFkCePfixQBwKYAq2 QXQA==
X-Gm-Message-State: ALoCoQlHRci6rRWXK0upupcLLGwPfyE/cCLsBznHBpdPdrvZUIJKPVexHcB+gLSdO/ZloEh2ci3u
X-Received: by 10.107.165.206 with SMTP id o197mr35628595ioe.2.1436565373440; Fri, 10 Jul 2015 14:56:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.96.199 with HTTP; Fri, 10 Jul 2015 14:55:44 -0700 (PDT)
In-Reply-To: <000f01d0baad$8a781b20$9f685160$@augustcellars.com>
References: <CA+k3eCQUPxZfWM9XcKaTLN-WOx2cHEi9SAGSRFTtv71iSCUqdQ@mail.gmail.com> <559576A9.9090002@gmx.net> <BY2PR03MB442C02F758E34B29BBD0CEAF5970@BY2PR03MB442.namprd03.prod.outlook.com> <001001d0b90c$3c874af0$b595e0d0$@augustcellars.com> <00c501d0b9a5$c8f869d0$5ae93d70$@augustcellars.com> <CA+k3eCS-7UK9RDfnkKCLK0ApTdNhSamYY3LL73+e1=rBvz7vDA@mail.gmail.com> <000f01d0baad$8a781b20$9f685160$@augustcellars.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 10 Jul 2015 15:55:44 -0600
Message-ID: <CA+k3eCSHOjdWyqbRAWR8AitEA5Z-vekUcCY7XQpFj=n2vhsi=A@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Content-Type: multipart/alternative; boundary="001a11415074c7ec54051a8c701c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/aZQzYNa6D8gWBbEeCam7wDouc6w>
Cc: cose@ietf.org
Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 21:56:16 -0000

On Thu, Jul 9, 2015 at 7:12 PM, Jim Schaad <ietf@augustcellars.com> wrote:

>
>
>
>
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Thursday, July 09, 2015 3:37 PM
> *To:* Jim Schaad
> *Cc:* Mike Jones; cose@ietf.org
> *Subject:* Re: [Cose] Key management for MACs (was Re: Review of
> draft-schaad-cose-msg-01)
>
>
>
> I typically look to MACs with a pre-shared key for integrity protection
> and authentication of the sender (the latter, as you say, "assumes that
> there are only two parties involved and you did not send the message
> yourself). I use the key directly and I'd be really surprised if I wasn't
> in the vast majority in doing so. This is all that JOSE offers, as we know.
> I suspect some keys get rotated more than others.
>
> The paper you sent mostly goes over my head, honestly. But seems concerns
> about that kind of cryptanalysis could be mitigated by running the key
> though a KDF with a nonce or other additional context, as you said. Key
> wrapping a random per-message MAC key also ensures that repeated MAC
> operations aren't being done with the pre-shared key. But then repeated key
> wrapping is. I presume repeated key wrapping is considered better than
> repeated MACing? A key wrapping approach seems more complicated and likely
> results in more size overhead for the message. But maybe I'm wrong. Are
> there reasons in practice that one would chose key wrapping over a KDF?
>
> [JLS] Since you are using a random key every time, and can fail if the
> same key is presented in a specific number of times, yes doing a key wrap
> is better than using the shared key directly.  The receiver can be designed
> to not function as an oracle on if the key is good. Also one cannot use
> existing tags and messages to try any offline attacks as the key changes
> each time.
>
> Situations where this might be useful are those such as in the latest ACE
> draft, which I just briefly scanned.  It posits multiple security contexts
> (i.e. shared keys) in a room and the need to potentially send the same
> command to all of those contexts.  One can either send multiple messages
> (one recipient per message, two messages) or send a single message using
> key wrapping for both contexts (one message two recipients).  It would
> depend on how power consumption looks to see which is the better win.
>
There are circumstances where the integrity bit is important, but the
> origination is not where sending a message to multiple recipients can be
> useful.
>

Wouldn't you get assurance of origination with symmetric key wrap + MAC?
Even with multiple recipients. Following from what you said and thinking
about it, seems like it should and that would be something that key wrap +
MAC can provide that KDF + MAC cannot. Though I remain somewhat skeptical
about how often multiple recipient messages would actually be used.


> If I were able to do DH, I'd have a public/private key and I guess I never
> would have thought about doing a key agreement and MAC. I'd probably just
> sign with my key. Maybe I'm just not very creative. But while having
> options is good, having too many options can be problematic.
>
> [JLS] And you are lucky to be in environments where you are not counting
> bytes of the message.  Looking at the new signature formats coming out of
> CFRG, I am not sure what the lengths of the signatures are, but there are
> environments where MACs are going to be the best one can do.  Supporting
> those environments is also a requirement.
>

I've admittedly not done the comparison but the message size overhead seems
like it'd be similar with something like ECDSA (admittedly not RSA).


> Doing a MAC with RSA OAEP key encryption or ECDH-ES key agreement, to me
> anyway, seems to provide little value and a big opportunity for confusion
> and security problems. I don't believe it's an option that should be
> provided.
>
>
>
> [JLS] there seems to be a trend away from RSA for anything, but you might
> want to think harder about the key agreement cases.
>
>
>

I've thought about it. Perhaps I just lack the experience or don't have the
intellect. But I don't see it and I don't think I'm alone. And I strongly
suspect that many people that would want to use this spec, or library
implementations of it, won't understand either.

v2.23.0 | Report a Bug | By Email