Re: [COSE] COSE Support for AES-CTR and AES-CBC
David Brown <david.brown@linaro.org> Mon, 14 November 2022 21:38 UTC
Return-Path: <david.brown@linaro.org>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60FB3C14CF13 for <cose@ietfa.amsl.com>; Mon, 14 Nov 2022 13:38:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=linaro.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dc3IBPbqqT6c for <cose@ietfa.amsl.com>; Mon, 14 Nov 2022 13:38:04 -0800 (PST)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AACFDC14CF05 for <cose@ietf.org>; Mon, 14 Nov 2022 13:38:04 -0800 (PST)
Received: by mail-pl1-x62b.google.com with SMTP id p12so11329461plq.4 for <cose@ietf.org>; Mon, 14 Nov 2022 13:38:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=a9DOyNmuX3Y8Ar7l+uobrNrBqvBkTOnRgrKK3L+qQ8M=; b=Wusy6dCD4ovnmJnrgg0afBe7SceH+n1Thqy4B5Mr6EHctoMFZac0J2fEqZnJmmUoNf kgotqPReFU5y/ZhTD1A9bfV4Knr0jclI9d+4kLDKJCvFURhLSRAw8c19+bU7HkfkYw0c RPJIhryU96B0tW8ia427j+VdQ5mzS43lK5ca8/m+i6rz+J2AAS2FKYk2Qfdpauz4iUqC uk3tWj/IgVBGvwhyhk6r+K+kulISCro7nM2hR3Y6PUuDOKqrkZ6pZwJgZVUuAA3asuh0 xB5bCD1Redgr7b6nJYcASUGi/hMYLx1kPHxeNcB60oLV2q8u50/oxeGoQTwSa3aexFXA +Xbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=a9DOyNmuX3Y8Ar7l+uobrNrBqvBkTOnRgrKK3L+qQ8M=; b=tQQDNTz4RxDyWO3nQ1R4pqc0hd80ceKPulYGuB46s6iExp68xgx3k3JyNlBE7NSWAW H1Tq/x2TEqDAP4xqp5jo5C8txmPVeQ9OsiviJVxS+2uRFztoFjRaMaPrQK6FTIuMlbXu FUhzD5UNIFr+oSullS0qo8m2FI+zE4hDzswN//ZpAIB+sINHYfVTJ/QqTehtyrUNe64z HURCHop+y/S7odpcOMJmcnRsCUPV5piOs+hCXFKYWx5XDzXalMwdzc5BNrfulxNQ9Xzi CZkTM/LShRyY/9I2qtSRTPEvdfj614lfJOtisOlAKK6UaR5dhpmse5EBv0a94XMHXgct TEsg==
X-Gm-Message-State: ANoB5pnKJWBBxp9k4MJc7bQ4u9N0j3VfHPDgc8wXJ5ASIPAdXcsOiswh /eGSxHuVGLspVlgV+QZQrcyQD9lDGQ0Id6gt4T6V8Q==
X-Google-Smtp-Source: AA0mqf6KC4wM/U/gE5200sYzrXghmIsHr/P5H3lmRGRXIfeG83RZ/ZyrVIw6zGJR1X0kXYf6xbYXNaSfAgLdawOQdAA=
X-Received: by 2002:a17:903:25cd:b0:186:ae32:28bc with SMTP id jc13-20020a17090325cd00b00186ae3228bcmr1132187plb.41.1668461883356; Mon, 14 Nov 2022 13:38:03 -0800 (PST)
MIME-Version: 1.0
References: <CO1PR00MB13086039D60B9997AE5F5928F54E9@CO1PR00MB1308.namprd00.prod.outlook.com> <SA1PR00MB1310AB40F32B3B2E9FC36D31F5239@SA1PR00MB1310.namprd00.prod.outlook.com> <ADE35F26-5BF8-4205-A8B5-36C1F55E8207@vigilsec.com> <32d84d35531543469a4a196a7b137cb1@amazon.com> <39D0918E-F757-4205-9D27-882E4587F95A@vigilsec.com> <CAPmVn1N7brE5SsgTU9n3ubCY3NExZfrgobkubRx7671LbU5Tcg@mail.gmail.com> <CAPmVn1OJgeVGkjBnjh-1zQcvptWDqSnE4YiAd7wM7-Eh-0xg=A@mail.gmail.com> <CH0PR11MB54440ECC855D3FF9ABB28551C13C9@CH0PR11MB5444.namprd11.prod.outlook.com> <0FC770F8-8E4E-44EA-AC55-BB5E1C8EAF27@vigilsec.com> <CAPmVn1OT9sHngCQwbParMdMLH-EVfuJvtsOxqTXF6Ku2d9Dg3A@mail.gmail.com> <6E40DA4A-71A5-4B1B-93A7-EC9C7E298376@vigilsec.com>
In-Reply-To: <6E40DA4A-71A5-4B1B-93A7-EC9C7E298376@vigilsec.com>
From: David Brown <david.brown@linaro.org>
Date: Mon, 14 Nov 2022 14:37:26 -0700
Message-ID: <CACTP9nvAHGxQYrwt0hX=KuUH4AY+-fU67=GRW+XhtXqX6xUpOw@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Brendan Moran <brendan.moran.ietf@gmail.com>, Scott Fluhrer <sfluhrer@cisco.com>, "Arciszewski, Scott" <scottarc@amazon.com>, "cose@ietf.org" <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e112fa05ed750da1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/mFpteUkdBoCxFBl5z4FYjF62a6A>
Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2022 21:38:08 -0000
I'm not sure this is quite right. As I understand what Scott/Brendan is suggesting in #2 is that we use AES-GCM, and we verify the tag when the initial message is received. Then, when we piece-by-piece decrypt it, the tag is not verified, because we are not verifying the entire image. I like this approach, because we don't have to say that it is AES-CTR. But, I'm a little concerned that our implementation is effectively implementing this after the tag has been verified. I think we limit damage from ciphertext modification because after the entire image is decrypted, we validate a signature over the plaintext. This gives us the best of both, and would be acceptable to mcuboot. David On Tue, Nov 8, 2022 at 4:20 AM Russ Housley <housley@vigilsec.com> wrote: > I am not sure that #2 meets the requirement. At least one bootloader > implementer has said that it is hard enough to finds space for the > signature value, but adding authentication tags on top of that is too hard. > > Russ > > On Nov 8, 2022, at 5:24 AM, Brendan Moran <brendan.moran.ietf@gmail.com> > wrote: > > Am I correct in understanding that we have three options as far as the > SUIT use case goes? > > 1. We register an algorithm identifier for AES-CTR, mark it as > deprecated. > 2. We take a variant of AES-GCM to cfrg; one where plaintext data > explicitly IS returned before the tag is verified. If cfrg review > determines it is appropriate, we register an algorithm identifier, and mark > it as deprecated. > 3. We use a block-wise AEAD that is already in COSE and accept that > there is a payload inflation due to the additional tags. > > Best Regards, > Brendan > > On Mon, Nov 7, 2022 at 6:29 PM Russ Housley <housley@vigilsec.com> wrote: > >> Scott: >> >> The AES-CCM specification says: >> >> If the T value is not correct, the receiver MUST NOT reveal any >> information except for the fact that T is incorrect. The receiver >> MUST NOT reveal the decrypted message, the value T, or any other >> information. >> >> My reading of the NIST AES-GCM specification has a similar requirement: >> >> If T = T′, then return P; else return FAIL. >> >> So, your technique works from a math perspective, but it does not honor >> this requirement. >> >> Russ >> >> >> On Nov 7, 2022, at 8:46 AM, Scott Fluhrer (sfluhrer) < >> sfluhrer=40cisco.com@dmarc.ietf.org> wrote: >> >> Here’s how out-of-order GCM works: >> >> The decryption part is easy; if you know where the ciphertext fragement >> falls within the overall message, then it is obvious how to select the AES >> input to decrypt it properly. >> >> What’s less obvious is the integrity piece; that is, how to compute the >> GCM tag (so that you can compare the value you compute to the tag included >> with the ciphertext). Yes, it can be done; to see how it is done, we need >> to explore how GCM tags are computed: >> >> With GCM, we take the ciphertext (and the AAD), and convert them into a >> series of 16 byte values M_n, M_{n-1}, M_{n-2}, …, M_1; this mapping is >> quite simple (so 16 bytes of the ciphertext are placed into a single M_i >> value). Once we do that, we compute: >> >> M_n H**n + M_{n-1} H**{n-1} + … + M_1 H**1 >> >> (and then, we add in a value that depends on the nonce, and that’s the >> tag – that part isn’t affected by out-of-the-order processing. >> >> Now, the multiplication operations (both in evaluating H**n and >> multiplying M_n with H**n), and the addition operations are both in >> GF(2**128); these are not the traditional schoolbook operations, instead, >> the multiplication looks odd, and the addition operation can be implemented >> by bitwise xor’ing the two values together); however all the traditional >> ways of rearranging operations work (and any GCM implementation will >> already have the appropriate multiplication logic already). >> >> So, when we need to implement out-of-order evaluation of the above >> polynomial, that is, if we get the parts of the ciphertext that corresponds >> to M_a, M_{a-1}, …, M_b, (where c = a-b), what we can do is evaluate the >> intermediate polynomial: >> >> M_a H**c + M_{a-1} H**{c-1} + ... + M_b H**0. >> >> Once we have that, we can compute H**b (which can be done with log(b) >> multiplications), and multiply the polynomial with that. The result of >> that is: >> >> M_a H**a + M_{a-1} H**{a-1} + … + M_b H**b. >> >> We can add that to the running sum. >> >> Once we have all the fragments, we have the sum; if you add them all >> together, that’s the formula GCM expects, and so we can compute the >> expected tag. >> >> Just some notes: >> >> >> - If the ciphertext fragment you have doesn’t happen to fall on nice >> 16 byte boundaries, you can zero fill in the first and last word and it >> still works. For example, if you have a two byte fragment that falls >> across a 16 byte boundary ABCD, you would process this as the two words >> 0000000000000AB and CD00000000000000 >> - One thing that this depends on is that you get all the fragments, >> and you get each one exactly once; if you get one of the fragments twice >> and add both to the running sum, well, this doesn’t work. >> >> >> *From:* Brendan Moran <brendan.moran.ietf@gmail.com> >> *Sent:* Monday, November 7, 2022 6:33 AM >> *To:* Russ Housley <housley@vigilsec.com>; Scott Fluhrer (sfluhrer) < >> sfluhrer@cisco.com> >> *Cc:* Arciszewski, Scott <scottarc@amazon.com>; cose@ietf.org; >> s.fluhrer@cisco.com >> *Subject:* Re: [COSE] COSE Support for AES-CTR and AES-CBC >> >> Sorry, I had the wrong email address for Scott. >> >> I’m trying to understand some of the concerns that have been raised. I >> understand that AES-GCM is not exposed to the concerns that Sophie and has >> raised? >> >> If we used AES-GCM with out of order reception and on-the-fly decryption, >> would that mitigate the risks? >> >> Best Regards, >> Brendan >> >> On Mon, 7 Nov 2022 at 11:03, Brendan Moran <brendan.moran.ietf@gmail.com> >> wrote: >> >> I talked with Scott Fluhrer today about this use case and he’s pointed >> out that GCM can be processed out of order. >> >> Scott, would you be able to elaborate on this? >> >> Best Regards, >> Brendan >> >> On Wed, 26 Oct 2022 at 22:51, Russ Housley <housley@vigilsec.com> wrote: >> >> Scott: >> >> >> Introducing AES-CTR and/or AES-CBC into COSE tokens that already support >> AES-GCM will open the GCM implementations to new security issues. Namely, >> potential padding oracle vulnerabilities. >> >> >> I think that adding a reference to the existing paragraph in the Security >> Considerations will address this concern: >> >> With AES-CBC mode, implementers SHOULD perform integrity checks prior >> to decryption to avoid padding oracle vulnerabilities [Vaudenay]. >> >> >> At minimum, the Security Considerations section of >> draft-ietf-cose-aes-ctr-and-cbc-01 needs to call this risk out: >> Applications that encrypt or decrypt with AES-GCM *MUST NOT* support >> AES-GCM or AES-CTR with the same cryptographic materials, due to the >> existence of cross-protocol issues. One way to safeguard users from >> potential misuse is to use a separate "type" for keys used with >> unauthenticated encryption modes; similar to how COSE distinguishes MACs >> from Signatures. >> >> >> I suggest an addition paragraph in the Security Considerations: >> >> To avoid cross-protocol concerns, implementations MUST NOT use the >> same keying material with AES-CTR and AES-GCM. Likewise, >> implementations MUST NOT use the same keying material with AES-CTR >> and AES-CCM. >> >> >> Additionally, I'd like to recommend sharing this draft with the CFRG >> mailing list to ensure it has the appropriate level of oversight from the >> IETF's cryptography experts. >> >> >> AES-CTR and AES-CBC are not new cryptographic modes. New techniques >> deserve CFRG review, but AES-CTR and AES-CBC have been included in RFCs for >> many years. >> >> Russ >> >> _______________________________________________ >> COSE mailing list >> COSE@ietf.org >> https://www.ietf.org/mailman/listinfo/cose >> >> _______________________________________________ >> COSE mailing list >> COSE@ietf.org >> https://www.ietf.org/mailman/listinfo/cose >> >> >> _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose > > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose >
- [COSE] Call for adoption of CBOR Object Signing a… Mike Jones
- Re: [COSE] Call for adoption of CBOR Object Signi… Hannes Tschofenig
- Re: [COSE] Call for adoption of CBOR Object Signi… Russ Housley
- Re: [COSE] Call for adoption of CBOR Object Signi… Ken Takayama
- Re: [COSE] Call for adoption of CBOR Object Signi… Brendan Moran
- Re: [COSE] Call for adoption of CBOR Object Signi… Emmanuel Baccelli
- [COSE] Call for adoption of CBOR Object Signing a… David Brown
- [COSE] Call for adoption of CBOR Object Signing a… Russ Housley
- Re: [COSE] Call for adoption of CBOR Object Signi… Mike Prorock
- Re: [COSE] Call for adoption of CBOR Object Signi… Orie Steele
- Re: [COSE] Call for adoption of CBOR Object Signi… Blumenthal, Uri - 0553 - MITLL
- Re: [COSE] Call for adoption of CBOR Object Signi… Mike Jones
- [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Arciszewski, Scott
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Zundel, Brent
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Arciszewski, Scott
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Sophie Schmieg
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Hannes Tschofenig
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Stephen Farrell
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC David Brown
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Sophie Schmieg
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Carsten Bormann
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Sophie Schmieg
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Hannes Tschofenig
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Carsten Bormann
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Carsten Bormann
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Carsten Bormann
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Brendan Moran
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Brendan Moran
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Ilari Liusvaara
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Scott Fluhrer (sfluhrer)
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Brendan Moran
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Carsten Bormann
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Sophie Schmieg
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Russ Housley
- Re: [COSE] COSE Support for AES-CTR and AES-CBC David Brown
- Re: [COSE] COSE Support for AES-CTR and AES-CBC Brendan Moran