[COSE] Re: [EXT] Re: AES-GMAC in COSE
"Sipos, Brian J." <Brian.Sipos@jhuapl.edu> Wed, 20 November 2024 14:16 UTC
Return-Path: <Brian.Sipos@jhuapl.edu>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CF7FC14F702 for <cose@ietfa.amsl.com>; Wed, 20 Nov 2024 06:16:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhuapl.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q0fEbPtXt6Fr for <cose@ietfa.amsl.com>; Wed, 20 Nov 2024 06:16:11 -0800 (PST)
Received: from aplegw01.jhuapl.edu (aplegw01.jhuapl.edu [128.244.251.168]) by ietfa.amsl.com (Postfix) with ESMTP id B98CEC14F6E9 for <cose@ietf.org>; Wed, 20 Nov 2024 06:16:11 -0800 (PST)
Received: from pps.filterd (aplegw01.jhuapl.edu [127.0.0.1]) by aplegw01.jhuapl.edu (8.18.1.2/8.18.1.2) with ESMTP id 4AKCnrLK011779; Wed, 20 Nov 2024 09:16:07 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhuapl.edu; h=cc : content-type : date : from : in-reply-to : message-id : mime-version : references : subject : to; s=JHUAPLDec2018; bh=1hgkcdGEOvd26XN/esfUTsVK+F6YXZRE2rmgWEckRFM=; b=DMTCVRCouGg80404aSHg9IgUq3cML37M+mevhgw15999koizl9641IC4FH+GB9DJiP2G u6iGPWycfFlRQ5tpT76gPEwpGycKwjkO2V33OG/c72UHkUtbW7jpLbJMWuBVaHpeqiUb MFrTy3fBgiNh742mL0HiKbDMGiteGutzvQ5PnMI8lco1C5ENQY9hDSymFTmkbPBQ3lTx NQNhOFluHJZ0JWu7lBkJibP+BApSqd+dMVaZGaPJWRFQYhl7y8RfhIkhtaXXjQBc/0Ww SHSd/KIrQGtmaX6psnUnqsfc2/cp18QuOccagsE/EUB/qBImVT9abGeEujsFk20OJhcM Ng==
Received: from aplex20.dom1.jhuapl.edu (aplex20.dom1.jhuapl.edu [10.114.162.5]) by aplegw01.jhuapl.edu (PPS) with ESMTPS id 42xnad474p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 20 Nov 2024 09:16:07 -0500
Received: from APLEX21.dom1.jhuapl.edu (10.114.162.6) by APLEX20.dom1.jhuapl.edu (10.114.162.5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Wed, 20 Nov 2024 09:16:06 -0500
Received: from APLEX21.dom1.jhuapl.edu ([fe80::20d7:9545:f01e:9b2]) by APLEX21.dom1.jhuapl.edu ([fe80::20d7:9545:f01e:9b2%5]) with mapi id 15.02.1544.011; Wed, 20 Nov 2024 09:16:06 -0500
From: "Sipos, Brian J." <Brian.Sipos@jhuapl.edu>
To: John Mattsson <john.mattsson@ericsson.com>, Russ Housley <housley@vigilsec.com>
Thread-Topic: [COSE] Re: [EXT] Re: AES-GMAC in COSE
Thread-Index: AQHbK7R3EuiTygscdEaQ2dseUPAfc7LAUcrw
Date: Wed, 20 Nov 2024 14:16:06 +0000
Message-ID: <4bee085a548848bdb89d4d563a18f7e5@jhuapl.edu>
References: <8f7c43772ede4d37a79cbef74025b0ba@jhuapl.edu> <15FCC70A-877C-4A4D-BB01-B28E54BB3CF8@vigilsec.com> <ef62ca75aaf342bcb8560a1b5f7fcb54@jhuapl.edu> <GVXPR07MB967838BF875641323BF032F189552@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB967838BF875641323BF032F189552@GVXPR07MB9678.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.162.19]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_03FB_01DB3B2C.D2FDA680"
MIME-Version: 1.0
X-CrossPremisesHeadersFilteredBySendConnector: APLEX20.dom1.jhuapl.edu
X-OrganizationHeadersPreserved: APLEX20.dom1.jhuapl.edu
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.62.30 definitions=2024-11-20_11,2024-11-20_01,2024-09-30_01
Message-ID-Hash: 247KRKKRR2M6UKDCPSUK37XH6BFDWNJH
X-Message-ID-Hash: 247KRKKRR2M6UKDCPSUK37XH6BFDWNJH
X-MailFrom: Brian.Sipos@jhuapl.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "cose@ietf.org" <cose@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [COSE] Re: [EXT] Re: AES-GMAC in COSE
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/osPTA9Up47T3sGzTmLLqP9A4fJE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Owner: <mailto:cose-owner@ietf.org>
List-Post: <mailto:cose@ietf.org>
List-Subscribe: <mailto:cose-join@ietf.org>
List-Unsubscribe: <mailto:cose-leave@ietf.org>
All, I now have a first non-internet-draft version of a GMAC and KMAC registration [1] available for browsing and initial feedback. After that feedback I can post this as a proper internet draft. Right now, the code point registrations follow existing AES-related parameters for 128, 192, 256 -bit keys and full-length tags. I don’t have particular interested in shortened tag lengths so didn’t put in allocations for them like some of the existing COSE MAC algos have. I also don’t have strong feelings about useful key lengths. John, I understand your comments about the IV uniqueness vs. randomness and if you have some specific language for Section 2.1 that is welcome. Otherwise I will add a requirement to forbid random IV values. Is there any stronger recommendation for how to generate non-random IVs? Russ, if you would like to be added as a coauthor and want to steer the KMAC details just let me know from where I can take your up-to-date contact details. Right now, this allocation does make use of the KMAC customization string similar to the IPsec draft. But if there is some guidance or benefit to avoiding the customization that would be useful to know. [1] https://briansipos.github.io/cose-gmac-kmac/draft-sipos-cose-gmac-kmac.html From: John Mattsson <john.mattsson@ericsson.com> Sent: Thursday, October 31, 2024 12:47 PM To: Sipos, Brian J. <Brian.Sipos@jhuapl.edu>; Russ Housley <housley@vigilsec.com> Cc: cose@ietf.org Subject: Re: [COSE] Re: [EXT] Re: AES-GMAC in COSE APL external email warning: Verify sender john.mattsson@ericsson.com <mailto:john.mattsson@ericsson.com> before clicking links or attachments Hi, Specifying KMAC is a great idea, we (Ericsson) are planning to transition as much as possible to SHA-3/SHAKE/cSHAKE/KMAC in the transition to PQC, which ML-KEM and ML-DSA use internally. I am happy to help with any introduction of SHAKE and KMAC in IETF protocols. I assume the document will specify KMAC128 and KMAC256. A remaining question is what the tag length should be and if several tag lengths should be specified. (Regarding the IPsec draft: I don’t see any use of HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512, these are very inefficient constructions. I don’t think there are any reasons to use anything else than KMAC. Similarly, the requirement on signature algorithms should be SHAKE. Also, NIST is soon disallowing SHA3-224.) https://datatracker.ietf.org/doc/rfc8692/ https://csrc.nist.gov/pubs/sp/800/131/a/r3/ipd Regarding AES-GMAC, I think AES-192 could be skipped. I agree the tag length should be 128-bits for GMAC. In addition to stating “Within the scope of any content-authentication key, the AES-GMAC nonce value MUST be unique.” I think the draft should explicitly state that random nonces MUST not be used. As I brought in my comments to NIST, SP 800-38C (CCM) states that the nonce shall be unique but there are still implementations that use CCM with a 11-byte random nonce as the default… https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38c-initial-public-comments-2024.pdf Cheers, John From: Sipos, Brian J. <Brian.Sipos@jhuapl.edu <mailto:Brian.Sipos@jhuapl.edu> > Date: Thursday, 31 October 2024 at 16:56 To: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com> > Cc: cose@ietf.org <mailto:cose@ietf.org> <cose@ietf.org <mailto:cose@ietf.org> > Subject: [COSE] Re: [EXT] Re: AES-GMAC in COSE Russ, I looked into KMAC and it seems like it can also be included as a set of fully specified algorithms parameterized like you mentioned. Other proposed uses in IPsec [3] do make use of different customization strings, which might apply in this situation but I’ll leave that detail to other experts. I have an initial draft going through internal release review. After that I can add you as coauthor if you’d like and can point me to (e.g. a recent draft that has) your contact info. Thanks in advance, Brian S. [3] <https://datatracker.ietf.org/doc/draft-salter-ipsecme-sha3/> https://datatracker.ietf.org/doc/draft-salter-ipsecme-sha3/ From: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com> > Sent: Friday, July 19, 2024 1:49 PM To: Sipos, Brian J. <Brian.Sipos@jhuapl.edu <mailto:Brian.Sipos@jhuapl.edu> > Cc: cose@ietf.org <mailto:cose@ietf.org> Subject: [EXT] Re: [COSE] AES-GMAC in COSE Brian: I am willing to assist on the GMAC document. Any reason not to do KMAC as well? See RFC 8702. I would think that KMAC with SHAKE128 (outputs 256 bits with no customization string) and KMAC with SHAKE256 (outputs 512 bitswith no customization string). I am willing to consider other parameter choices if people see a need. Russ On Jul 19, 2024, at 11:28 AM, Sipos, Brian J. <Brian.Sipos@jhuapl.edu <mailto:Brian.Sipos@jhuapl.edu> > wrote: All, I was looking in the COSE algorithms registry [1] for any existing allocations for GMAC uses but don’t see any. My reason for looking was that in some hardware-accelerated environments AES-GCM is faster than HMAC processing, so a GMAC would also benefit from the acceleration. I expect that a COSE use of AES-GMAC would look similar to the use in CMS [2] except that COSE algorithms typically combine options like authentication tag size into a single code point, so an initial thought would be max-length tags like: AES-GMAC 128/128, AES-GMAC 192/128, AES-GMAC 256/128 Would there be WG interest in allocating GMAC algorithms in the near-term time supporting max-length tags? Thanks, Brian S. [1] <https://www.iana.org/assignments/cose/cose.xhtml#algorithms> https://www.iana.org/assignments/cose/cose.xhtml#algorithms [2] <https://datatracker.ietf.org/doc/html/rfc9044> https://datatracker.ietf.org/doc/html/rfc9044
- [COSE] AES-GMAC in COSE Sipos, Brian J.
- [COSE] Re: AES-GMAC in COSE Blumenthal, Uri - 0553 - MITLL
- [COSE] Re: AES-GMAC in COSE Russ Housley
- [COSE] Re: [EXT] Re: AES-GMAC in COSE Sipos, Brian J.
- [COSE] Re: [EXT] Re: AES-GMAC in COSE John Mattsson
- [COSE] Re: [EXT] Re: AES-GMAC in COSE Sipos, Brian J.
- [COSE] Re: [EXT] Re: AES-GMAC in COSE Russ Housley
- [COSE] Re: [EXT] Re: AES-GMAC in COSE Carsten Bormann
- [COSE] Re: [EXT] Re: AES-GMAC in COSE Russ Housley
- [COSE] Re: [EXT] Re: AES-GMAC in COSE Sipos, Brian J.