IETF Logo Mail Archive

Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

Brian Campbell <bcampbell@pingidentity.com> Thu, 09 July 2015 22:38 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F01CE1A1B34 for <cose@ietfa.amsl.com>; Thu, 9 Jul 2015 15:38:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: YES
X-Spam-Score: 8.979
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FB_MORE_SIZE=10.357, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ef-3tjuUGXhM for <cose@ietfa.amsl.com>; Thu, 9 Jul 2015 15:37:59 -0700 (PDT)
Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F5B91A1B40 for <cose@ietf.org>; Thu, 9 Jul 2015 15:37:59 -0700 (PDT)
Received: by igoe12 with SMTP id e12so24057755igo.1 for <cose@ietf.org>; Thu, 09 Jul 2015 15:37:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=7mp5dftEEva3ELCDEalbb7DpoB5s00zVhlzPRvIaQb4=; b=fwxwFOqjry+tnmPp/EVn1yBWx8cm7PGK6RhP9SeT7vHxW8jjucREiZKxXHEzT8feh5 huwf8WeZbK9LX2oK+xxGRul+PZFmI64L+7DXtNEtmJ0VhKkZG1tdIo7L0++7RILDy6mb 7R8TqWf84UwEUOfYdTilW6T4sJHKww5Vzoo0k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=7mp5dftEEva3ELCDEalbb7DpoB5s00zVhlzPRvIaQb4=; b=Om+9aVbk43QYYMf7IknA3oIlGHzabxDJDA75HYNdgLAVEKrXTohMV1UKzrQ5ua6tq0 JTsD2LUmtCCTJxxcnNuLDygT/aSNmvVROsnPDEhDXLOz0Zu8qmBTezZv6jKqJtQ+NR42 fInfcqgYTB8keDuqG87P4gXh4IWZsFv1b00pUwek2u7Yv2B34bpOgN8mlQlj2UkShK87 obUg1Ebvkw88gjo/fPyd+ZAQ6JNoQhgqy5pXKpmgA8/0qpDEQTDUTgP4oTupf9FLWkgk GZeUjGeNMw3K1Jhgdr/VVHoAKPbPRxAL2BbKm7ope8Dz2KwG5yBsoFqY8hQ1iDgw0/od JyOw==
X-Gm-Message-State: ALoCoQl/CtanI11u09pmQ3fK2cCGCpMJQUDQnrIQ1NGbqdAunmI1cVpgCRYjBzB/BcU8OMq9vv58
X-Received: by 10.50.18.39 with SMTP id t7mr155182igd.3.1436481478631; Thu, 09 Jul 2015 15:37:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.96.199 with HTTP; Thu, 9 Jul 2015 15:37:29 -0700 (PDT)
In-Reply-To: <00c501d0b9a5$c8f869d0$5ae93d70$@augustcellars.com>
References: <CA+k3eCQUPxZfWM9XcKaTLN-WOx2cHEi9SAGSRFTtv71iSCUqdQ@mail.gmail.com> <559576A9.9090002@gmx.net> <BY2PR03MB442C02F758E34B29BBD0CEAF5970@BY2PR03MB442.namprd03.prod.outlook.com> <001001d0b90c$3c874af0$b595e0d0$@augustcellars.com> <00c501d0b9a5$c8f869d0$5ae93d70$@augustcellars.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 09 Jul 2015 16:37:29 -0600
Message-ID: <CA+k3eCS-7UK9RDfnkKCLK0ApTdNhSamYY3LL73+e1=rBvz7vDA@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Content-Type: multipart/alternative; boundary="089e014947ac42bac4051a78e8b5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/nBqxc557PlnQo4uB7iqfJX5XcW4>
Cc: Mike Jones <Michael.Jones@microsoft.com>, cose@ietf.org
Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 22:38:02 -0000

I typically look to MACs with a pre-shared key for integrity protection and
authentication of the sender (the latter, as you say, "assumes that there
are only two parties involved and you did not send the message yourself). I
use the key directly and I'd be really surprised if I wasn't in the vast
majority in doing so. This is all that JOSE offers, as we know. I suspect
some keys get rotated more than others.

The paper you sent mostly goes over my head, honestly. But seems concerns
about that kind of cryptanalysis could be mitigated by running the key
though a KDF with a nonce or other additional context, as you said. Key
wrapping a random per-message MAC key also ensures that repeated MAC
operations aren't being done with the pre-shared key. But then repeated key
wrapping is. I presume repeated key wrapping is considered better than
repeated MACing? A key wrapping approach seems more complicated and likely
results in more size overhead for the message. But maybe I'm wrong. Are
there reasons in practice that one would chose key wrapping over a KDF?

If I were able to do DH, I'd have a public/private key and I guess I never
would have thought about doing a key agreement and MAC. I'd probably just
sign with my key. Maybe I'm just not very creative. But while having
options is good, having too many options can be problematic.

Doing a MAC with RSA OAEP key encryption or ECDH-ES key agreement, to me
anyway, seems to provide little value and a big opportunity for confusion
and security problems. I don't believe it's an option that should be
provided.


On Wed, Jul 8, 2015 at 11:44 AM, Jim Schaad <ietf@augustcellars.com> wrote:

> Another case where key management for MACs can be very useful is the case
> of
> DH direct.  This allows for creating of a new unique key for the MAC every
> time, while not needing to keep per connection secrets for everything.
>
> Just what security service do you exect to get from a MAC?  That is going
> to
> control how you feel about doing key management.
>
> > -----Original Message-----
> > From: Cose [mailto:cose-bounces@ietf.org] On Behalf Of Jim Schaad
> > Sent: Tuesday, July 07, 2015 4:26 PM
> > To: 'Mike Jones'
> > Cc: cose@ietf.org
> > Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-
> > schaad-cose-msg-01)
> >
> >
> >
> > > -----Original Message-----
> > > From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> > > Sent: Thursday, July 02, 2015 10:53 AM
> > > To: Hannes Tschofenig; Brian Campbell; Jim Schaad
> > > Cc: cose@ietf.org
> > > Subject: RE: [Cose] Key management for MACs (was Re: Review of draft-
> > > schaad-cose-msg-01)
> > >
> > > If MACs without key management were insecure, I'm sure that JWS [RFC
> > > 7515] wouldn't have survived the SecDir review or the IESG review
> > > since it has no key management for MACs, but it did.
> >
> > [JLS] There was no assumption that there was no key lifetime management
> > for the case of JWS or JWE.  The assumption was that the key management
> > was being down outside of these documents.  I am sure (or at least
> strongly
> > hope) that nobody is suggesting that a single key was going to be
> > negotiated between the sender and the receiver of a message and it would
> > never be modified in the future.
> >
> > >
> > > The question is what *additional* value key management adds in the
> > MAC
> > > case.
> >
> > http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-
> > GCM/multi-
> > forge-01.pdf
> >
> > provides a method to looking at how to attack a key.  This would be done
> > by looking at the recipient of the message as an oracle to see how it
> > responds to messages.  The more one uses the same key the more data
> > there is to work with to attack keys.  From this point of view,
> encryption
> > can be better because traffic analysis might be all you get from re-using
> a
> > key.
> >
> > Even doing something as simple as running the shared secret through a KDF
> > (with perhaps a sequence number or time marker in the context) will make
> > the system more secure as the same key is no longer being used to MAC
> > every message.
> >
> > >
> > > (I completely understand the value of key management in the encryption
> > > case.  If you're using a deterministic content encryption algorithm
> > > and you're encrypting the same plaintext with the same key without key
> > > management, the ciphertext values will match, allowing attackers to
> > > correlate messages.  Using a randomly generated content encryption key
> > > means that encryptions of the same plaintext result in different
> > ciphertext
> > > values - preventing this correlation.  But the payload in a MAC is not
> > > a secret, so there's no equivalent benefit in the MAC case.)
> > >
> > >                             -- Mike
> > >
> > > -----Original Message-----
> > > From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
> > > Sent: Thursday, July 02, 2015 10:37 AM
> > > To: Brian Campbell; Jim Schaad
> > > Cc: Mike Jones; cose@ietf.org
> > > Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-
> > > schaad-cose-msg-01)
> > >
> > >
> > >
> > > > Particularly for constrained devices, it is unlikely that
> > > > applications will want to pay the performance penalty of generating
> > > > and encrypting a key management key to perform a MAC operation.
> > > > Heck, they may not have credible random number generation in the
> > > > first place!  And they are likewise unlikely to want to pay the
> > > > message size penalty of carrying the encrypted key.
> > >
> > > It would be good to know what devices you have in mind in this
> > discussion.
> > >
> > > I personally don't think we should target devices that cannot even do
> > > key management for symmetric cryptography. I would even argue that we
> > > should aim for devices that support a random number generator and are
> > > also able to do public key crypto.
> > >
> > > We are not doing ourselves a flavor if we place artificial constraints
> > > on
> > our
> > > protocols that make them pretty insecure in practice. We already have
> > > enough insecure IoT devices in the market.
> > >
> > > Here is the slide deck I presented in the LWIG group at the last IETF
> > > meeting; it explains the performance of state-of-the-art crypto on
> > > common Cortex M class MCUs.
> > > https://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pdf
> > >
> > > Ciao
> > > Hannes
> >
> > _______________________________________________
> > Cose mailing list
> > Cose@ietf.org
> > https://www.ietf.org/mailman/listinfo/cose
>
> _______________________________________________
> Cose mailing list
> Cose@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>

v2.23.0 | Report a Bug | By Email