[COSE] Benjamin Kaduk's Discuss on draft-ietf-cose-rfc8152bis-algs-09: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Thu, 11 June 2020 01:45 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: cose@ietf.org
Delivered-To: cose@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 681603A1627; Wed, 10 Jun 2020 18:45:09 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-cose-rfc8152bis-algs@ietf.org, cose-chairs@ietf.org, cose@ietf.org, Matthew Miller <linuxwolf+ietf@outer-planes.net>, linuxwolf+ietf@outer-planes.net
X-Test-IDTracker: no
X-IETF-IDTracker: 7.3.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <159183990940.7725.14952700358572148848@ietfa.amsl.com>
Date: Wed, 10 Jun 2020 18:45:09 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/bFJOxa5SVX9d0j-LPyrAbruXjr4>
Subject: [COSE] Benjamin Kaduk's Discuss on draft-ietf-cose-rfc8152bis-algs-09: (with DISCUSS and COMMENT)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jun 2020 01:45:09 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-cose-rfc8152bis-algs-09: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-cose-rfc8152bis-algs/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- I think we need to check the [MAC] reference; following links (and chasing redirects) seems to only find a 1985 publication that talks about DES, with no mention of AES-CBC-MAC. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- It's interesting that both -struct and -algs make the claim in the Abstract that "this specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization". Shouldn't that only be true for one of them? I'd really like to see a reference for the analysis of and validity/safety of the deviations from RFC 5869 HKDF, in Section 5.1. Section 1 Should we refer to RFC 8259 by its STD number (90)? Section 1.3 We don't seem to use the "AE" term (just -struct does). Section 2.1.1 Note: Use of a deterministic signature technique is a good idea even when good random number generation exists. Doing so both reduces the Note the ongoing work in the CFRG on "deterministic signatures with additional randomness" (the name has been changing a bit recently), and fault attacks on deterministic signatures. Section 2.2.1 How public values are computed is not the same when looking at EdDSA and Elliptic Curve Diffie-Hellman (ECDH); for this reason, they should not be used with the other algorithm. Just to check: the claim is that EdDSA and ECDH compute public values differently (not EdDSA and ECDSA?), but that EdDSA keys should not be used with algorithms other than EdDSA? If batch signature verification is performed, a well-seeded cryptographic random number generator is REQUIRED. Signing and non- batch signature verification are deterministic operations and do not need random numbers of any kind. RFC 8032 doesn't talk about "batch" at all, so a reference is probably in order. Section 3.1 Some recipient algorithms transport the key, while others derive a key from secret data. For those algorithms that transport the key (such as AES Key Wrap), the size of the HMAC key SHOULD be the same size as the underlying hash function. For those algorithms that derive the key (such as ECDH), the derived key MUST be the same size as the underlying hash function. "same size as the output of the underlying hash function", please -- hash functions can also have an internal block size that is larger. Section 3.2.1 * A single key must only be used for messages of a fixed or known length. If this is not the case, an attacker will be able to What's an example of a known-but-not-fixed length message? Just something with internal framing? Section 4.1 The Galois/Counter Mode (GCM) mode is a generic authenticated encryption block cipher mode defined in [AES-GCM]. The GCM mode is combined with the AES block encryption algorithm to define an AEAD cipher. GCM on its own is merely AE but AES-GCM is AEAD? That doesn't seem to add up... Section 6.1.2 If the salt/nonce value is generated randomly, then it is suggested that the length of the random value be the same length as the hash function underlying HKDF. While there is no way to guarantee that it "output length of the hash function", please. Section 6.2, 6.3, 6.4 Why does Direct Key [encryption] get its own top-level subsection with reference to -struct, but we jump straight into AES Key Wrap without a wrapping "Key Wrap" subsection or -struct reference, and likewise for "Direct Key Agreement" and "Key Agreement with Key Wrap"? It feels like Section 6.1 is the outlier here. Section 6.3 be unique for the pair of keys being used. It is acceptable to use a global counter that is incremented for every static-static operation and use the resulting value. When using static keys, Perhaps say something strongly worded about storing the updated counter value to permanent storage before using the resulting key? Section 7.2 s/X25591/X25519/ Section 8 The algorithm identifier is not part of the capabilities data as it should already be part of message structure. There is a presumption in the way that this is laid out is that the algorithm identifier nit: strike the last "is". itself is not needed to be a part of this as it is specified in a different location. nit(?): "be a part of this" is a little vague/informal. capabilities. This means that if one wishes to enumerate all of the capabilities for a device which implements ECDH, it requires multiple pairs of capability structures (algorithm, key) to deal with the different key types and curves that are supported. For a key, the An example of this would be pretty helpful. Section 8.1 * OKP, EC2: The list of capabilities is: - The key type value. (1 for OKP or 2 for EC2.) - One curve for that key type from the "COSE Elliptic Curve" registry. Am I reading this right that the idea is to use capabilities to lock a key down to a single curve? * Symmetric: The list of capabilities is: - The key type value (4). but we're not using this opportunity to indicate whether a symmetric key is for encryption vs. HMAC? Section 8.2 (from the "COSE Key Types" Registry). It is expected future registered algorithms could have zero, one, or multiple elements. nit: missing "that". Section 10 Is [this document] going to be added as a reference on these registries? Should it replace or augment 8152 in that role? I think that the COSE Header Algorithm Parameters Registry updates need to be in this document, not -struct. Section 10.1, 10.2 Do we want to say anything about the encoded verson of the Capabilities array being an array of integers? Section 10.2 Why is the word "reserved" in the description for the IV-GENERATION algorithm? Section 11 I'm not 100% sure that we want the security considerations to be so close to identical between -struct and -algs. One area that has been starting to get exposure is doing traffic analysis of encrypted messages based on the length of the message. I think this may have graduated from "starting" to be more of a mainstream thing :) Section 12.1 Trying to chase [MAC] gives me a "reference has moved" notice. I guess there's a newer version? Section 12.2 I think RFC 8017 needs to be normative, since we use it for I2OSP Acknowledgments Göran could probably get his proper name, now.
- [COSE] Benjamin Kaduk's Discuss on draft-ietf-cos… Benjamin Kaduk via Datatracker
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Jim Schaad
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Jim Schaad
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Jim Schaad