IETF Logo Mail Archive

Re: [COSE] [Rats] RAM requirements for COSE/CWT

Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 24 February 2022 05:54 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B0E43A144D; Wed, 23 Feb 2022 21:54:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.714, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m10pliSPODxI; Wed, 23 Feb 2022 21:54:52 -0800 (PST)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D67AB3A09B9; Wed, 23 Feb 2022 21:54:51 -0800 (PST)
Received: by mail-wr1-x436.google.com with SMTP id s13so1269353wrb.6; Wed, 23 Feb 2022 21:54:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=O9qRCD6rJYoaR4ub/FatVCVKv1lXXP7atvsQHpCDYsI=; b=K2jMLo+2gWauhWqQq70Gy0vrvaZNPs0uFFoWt4Ahyw4/N+md3ULGRpngN8HINXxVGM fVfF++r5loUJPLb9I30fitFvB4KX9icJIluPhABtflhJ/9J4Wbr9rAreVHVCZZaqz5ep ol0PUc8I8mvVLJ6lmQ8gqm4L8vk+wkOq9NcSBl7qXrBaa9qa/gItkiiXU86Ybx1+AN8Q 35b8PGsmn2i65KcIQCESAn9GvxUqDduQo4LtPH2SE6r8Y5IZWjj4TGTohmGOiugA5HkT feuCzGFbzapNBcCFmXqwi5l5/FWtNM+VMVUd1Rab32StBnmJcNTwcInmfsC20bcgo3a8 V3Ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=O9qRCD6rJYoaR4ub/FatVCVKv1lXXP7atvsQHpCDYsI=; b=jVbV2GWiXQ2hSe/pyAqRtE7nxyB8ZBVKow4VUI8Kj9OB4YQTttU040Fw9kjCdYj1IP 8d5b/LnAGOoXfNgsCq3EM3PQjp8jUGQas3cfSvqwUolgIN/n7ObYLElIcNjHyt/pgoGX Joa6gQa63XYpsAEqI3KKq+u60uU/IOpjSRHicHve3DqQKw/w63i9uBtybVxDGj9Ut1Ek 6EoQMAYR/KeMVTQ5XNkqUXp+Zyib/PBv8mD6msWATluWB1FUsFkL2Y7/a+8ZyeBA9Jnj +ZM0Z3zK5xR50oEd6GUxIxIJjCU8IAqmjaNp7vUWpcWNxfCMInkh6IiDUZez8nM1Ytab UiZA==
X-Gm-Message-State: AOAM5333s2oLaKod5WDsoBFNhgPvZV/lm2rOifD0vI5GcDN6crcp0R0Y V/omrFmR0/NMgar6xP2CXaZPyvgOJyU=
X-Google-Smtp-Source: ABdhPJyRBEf7gW0aMyFgS1gg29QmBVAMdPsvrR/PhGbHrzEU7U1r4NndNVLBPj3Y6nfVXqqH1nM66g==
X-Received: by 2002:a05:6000:1252:b0:1ed:f6fa:d435 with SMTP id j18-20020a056000125200b001edf6fad435mr362066wrx.193.1645682089590; Wed, 23 Feb 2022 21:54:49 -0800 (PST)
Received: from [192.168.1.67] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id n11sm1457070wms.13.2022.02.23.21.54.47 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 23 Feb 2022 21:54:48 -0800 (PST)
Message-ID: <2d2cc810-7290-1e12-5670-fa625b232316@gmail.com>
Date: Thu, 24 Feb 2022 06:54:46 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1
Content-Language: en-US
To: Laurence Lundblade <lgl@island-resort.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "rats@ietf.org" <rats@ietf.org>, "cose@ietf.org" <cose@ietf.org>
References: <e8995f0c-ad85-f702-da6b-051ffdc4cb08@gmail.com> <DBBPR08MB5915B874FD16107A7B0105AAFA3A9@DBBPR08MB5915.eurprd08.prod.outlook.com> <1a16c80d-40cd-baba-b1ce-2033dd0db294@gmail.com> <D22D0D63-F76C-48B3-A034-F8B5B2BB6005@tzi.org> <2c8be442-9899-d117-155c-f6f2096b7055@gmail.com> <92C7CF7C-ED23-41B3-AB32-8438C4C88C20@tzi.org> <14c8d106-3b4b-f973-94b8-018852ff4769@gmail.com> <8C2C6592-D5B9-430A-B878-E1009E9BCF22@tzi.org> <AB9F0C55-9C23-43F1-A83F-91D4159C888F@island-resort.com> <10215.1645656178@localhost> <5A9AB23C-6FD7-4F59-BE1E-378F8C6D939A@island-resort.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
In-Reply-To: <5A9AB23C-6FD7-4F59-BE1E-378F8C6D939A@island-resort.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/gC1GgHUWh_6PvwfKQcxZUTe6obo>
Subject: Re: [COSE] [Rats] RAM requirements for COSE/CWT
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2022 05:54:57 -0000

On 2022-02-24 2:46, Laurence Lundblade wrote:

> I believe the targets motivating full encoding variance for EAT are pure hardware implementations.

Although I may have misinterpreted Carsten, I think he rather objected to not have this as a default for *all* EAT objects since (in his mind) decoders are *obliged* to deal with this:
https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat#section-8.3.1

> Think of a TPM-like chip that outputs EAT. Or a HW IP core that ARM sells for your SoC.

AFAIK, TPMs currently use DER-encoding which is way more complex than preferred serialization a la CBOR.  My guess is that these systems use precomputed data structures and only fill the blanks. In the early days of Android I had to create an XML Dsig.  I started with porting a pretty complex canoncalization library but later replaced it with a handful of "printf"-like lines.

You may not be aware of this, but there are hordes of people who do not like having their precious data wrapped in base64url (JWT) or bstr (CWT) unless it is proven necessary:
https://github.com/ietf-rats-wg/eat/issues/168#issuecomment-1045958031
This is another side of the coin which stretches far outside the scope of EAT.

Anyway, since you will only get one shot at this topic, I thought it was worth a discussion even if we don't come to the same conclusion :)

I leave it there.  In case you have a minute or two you may try out an on-line CBOR encoder+decoder+signature system that is not burdened by legacy:
https://test.webpki.org/csf-lab/home

Cheers,
Anders

> 
> I’m pretty sure this is quite possible without any SW (except the driver SW for the EAT attestation core, network stack and such that doesn’t need to be secure).
> 
> Experience with SW implementation like QCBOR is not particularly relevant.
> 
> LL
> 
> 
> 
> 
>> On Feb 23, 2022, at 2:42 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>
>>
>> I've read the exchange between Laurence and Carsten and Anders.
>>
>> If we accept that the only constrained part will be the Attesting Environment
>> on the Attester, and that all other systems (Verifier, RP) are at least >
>> class 2 (RFC7228), then we clearly should be optimizing for ease of encoding.
>>
>> While my experiences with Op-Tee is rather shallow (I compiled it once),
>> my impression is that it is at least class 2 in size.  A bit of memory
>> allocation won't be a problem, or pre-allocating a few kilobytes for the CWT
>> won't be a problem.
>>
>> I have experience with QCBOR, TinyCBOR and NanoCBR.
>> My experience is that indefinite length strings are not really needed as long
>> as one is encoding into a memory buffer.  Noting where the length box is and
>> filling it in later isn't impossible, but it certainly is harder if one
>> doesn't have an estimate of the size to know which integer size to use.
>> Worst case, one can assume that the strings can't exceed the size of the
>> output buffer!
>>
>> My claim that an output buffer is needed is that we are going to sign it all,
>> and while one can construct SHA256 hash calculators that don't need the bytes all
>> in a row, it's such a pain to do generically, that if one is doing it, one is
>> creating a bespoke hasher.
>>
>> I see no strong reason to rule indefinite encodings out: Verifiers and RPs should be
>> prepared to process them.  I would not encourage their use by encoders.
>>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>            Sandelman Software Works Inc, Ottawa and Worldwide
>>
>>
>>
>>
>> _______________________________________________
>> RATS mailing list
>> RATS@ietf.org
>> https://www.ietf.org/mailman/listinfo/rats
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

v2.8.7 | Report a Bug | By Email