IETF Logo Mail Archive

Re: [COSE] COSE Support for AES-CTR and AES-CBC

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 28 October 2022 09:44 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37715C15259E for <cose@ietfa.amsl.com>; Fri, 28 Oct 2022 02:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=bNZzTv5M; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=bNZzTv5M
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id knxqRaCEF9A1 for <cose@ietfa.amsl.com>; Fri, 28 Oct 2022 02:44:45 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80047.outbound.protection.outlook.com [40.107.8.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D041C14F73A for <cose@ietf.org>; Fri, 28 Oct 2022 02:44:38 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=XLVo3FhU7eaFebMkI7vSJIwFUXWDupRoFez/zvl3CWQExiOhawTThj2E5Es3PDaU/xhCGX/zVWXu7C9Kgvt14Efm9EGMT90H5xVkWH3vg2qClOlBxT885gj/WTxheT/vbiK6qvS7rhebkW7wATAghN2C1cRAsqUHnxbpb7SRS1NvloRXQaXLW/DST1DoIZDjkEC42DMMPVk/DTO9EBfMuipkohp7YHm/oVlLW4vRyK2SaGle/7EkZRLHVZBBXB1/loDjRGnd207/yNMwJq5thTo5kT0/gbNgkQYw/Fvldn38O2GelkLlTbDB9YO+Slo44k5havbymydgcTjrTOt0Bg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=q4JTgXvhwHMzmIxEj6NoM1UjHqcf2Kn0EVxBDFxqzAw=; b=lQImgIZL+u/snWUu4igfsq4HEEfvklkgXWG8A3jVztF68kHihZ7jrwnFMQVAR6dKMs6jgl2lCFM4hNVYmjtqpOUB8EeSpIJKjg1wKsrK5dhmbuiIf9qK5mQDRZxE1Q0Yfl6pXWg40MVDkUr6a8B2TZ6C+B8Nx/8meWFbCCrQ4xy2CPGs+xruOFR6lhIofTJD+0R3c8DWHN/wtHWqtsx9AGY4hzUxxqctl8rDRXYCu4clA0XGsbNGa+/rTIvdYNX+Z7A5EEF8+L6xeZcXIaklDZ/zI38bX2wnZPFPrCcRipXm9SzIP1shQh0hLAywnFRllN3JmmC88wNpyEQuH5vZEA==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=ietf.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q4JTgXvhwHMzmIxEj6NoM1UjHqcf2Kn0EVxBDFxqzAw=; b=bNZzTv5MffX5DoArYLEFk7y9kPi1Gq7YsRIIJ8hG2Xyo8l0xWeNxC+RM+7ymRJk+hoLoOZ184P2EyxgdMH8sWffidyhUSzTPDcHVA7CW3XKxk96ulKUdKACcQWZG2nnsGwp30EboPP/lm3W4RBfsq2kRSnKtwn3j7jqZHUc/zxM=
Received: from AM6P192CA0050.EURP192.PROD.OUTLOOK.COM (2603:10a6:209:82::27) by DBBPR08MB6044.eurprd08.prod.outlook.com (2603:10a6:10:207::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5746.28; Fri, 28 Oct 2022 09:44:30 +0000
Received: from AM7EUR03FT047.eop-EUR03.prod.protection.outlook.com (2603:10a6:209:82:cafe::ad) by AM6P192CA0050.outlook.office365.com (2603:10a6:209:82::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5769.15 via Frontend Transport; Fri, 28 Oct 2022 09:44:30 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com; pr=C
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM7EUR03FT047.mail.protection.outlook.com (100.127.140.69) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5769.14 via Frontend Transport; Fri, 28 Oct 2022 09:44:29 +0000
Received: ("Tessian outbound b4aebcc5bc64:v130"); Fri, 28 Oct 2022 09:44:29 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 9df037c1a6ffb7aa
X-CR-MTA-TID: 64aa7808
Received: from 5ced4f724981.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id E7AB13A5-FC7E-4AB0-B981-631DC826FB57.1; Fri, 28 Oct 2022 09:44:22 +0000
Received: from EUR02-DB5-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 5ced4f724981.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Fri, 28 Oct 2022 09:44:22 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AraO2Ckf5XAEt/qGBaKcpBRuuB6vYlsEAhb1Wazjv2BOMi1BNczrbQDVD/INsLVMw9LX2Z0PyLePn+9bZo8gtSfx3pV+5/t7Oe5ZsYrN78cv87zZM7OxBdPUnqwuZgksMK5XmLKrHTVZ/LuGlP2CuTYGzfLFOfro9S2l9hTTbJqXkVZudmKRH14a8N8nhEZhb6MdHLZNfyikLokgKwv3++2Aui4q9mDZdhqLyLmeP+Q1NzyBgOZzh07mwjY95S/3aJ/YrGOcBMl2i1YuPWj6AbGyog866COe7UfaGapfVQWW7TXuwaC+AEOz1ESjFf7K5ee4b7knW/NQjzcpkpj5ag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=q4JTgXvhwHMzmIxEj6NoM1UjHqcf2Kn0EVxBDFxqzAw=; b=MRxR+kPhVKpIDUOLKvZvExFh/DnJ2bAykWFFOlpNIOf4WZ4YiVit6qjX/dqnf5UFYFmGu+56FsfeuDuDMAqbC6KUsH4j/me6DOPJgtOdVeMPmCLnhg0cGbEFgBTQxZGU8OZgO887CpP4AKIxPP4YZP10MTBALqzgnWoskK+m/7iSBic9bVjNPC24GtIl1e5MJQYsVnyWB5tUvoir0xnm6ZQbu38MEnONfOsnFxkQU6bSbGB7pa6npl9IoOKFHSz/IcnchBtDIcJ1yMe0r9ygGPd1yd41eONhOeqx2VaBj19ewEn+pvoA2IB5/0BS5oH9gRo+cHl68mDWJX6Nrp+icw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q4JTgXvhwHMzmIxEj6NoM1UjHqcf2Kn0EVxBDFxqzAw=; b=bNZzTv5MffX5DoArYLEFk7y9kPi1Gq7YsRIIJ8hG2Xyo8l0xWeNxC+RM+7ymRJk+hoLoOZ184P2EyxgdMH8sWffidyhUSzTPDcHVA7CW3XKxk96ulKUdKACcQWZG2nnsGwp30EboPP/lm3W4RBfsq2kRSnKtwn3j7jqZHUc/zxM=
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com (2603:10a6:10:20d::17) by AM8PR08MB5553.eurprd08.prod.outlook.com (2603:10a6:20b:1da::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5746.29; Fri, 28 Oct 2022 09:44:16 +0000
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::1676:c85a:f2f8:2950]) by DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::1676:c85a:f2f8:2950%4]) with mapi id 15.20.5769.014; Fri, 28 Oct 2022 09:44:16 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>, "Arciszewski, Scott" <scottarc=40amazon.com@dmarc.ietf.org>
CC: "Zundel, Brent" <brent.zundel=40avast.com@dmarc.ietf.org>, "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] COSE Support for AES-CTR and AES-CBC
Thread-Index: AQHY6hr1I8ZcEspSVUW2p6ZntrN/bK4ihYiAgAAFoQCAAQHeoA==
Date: Fri, 28 Oct 2022 09:44:16 +0000
Message-ID: <DBBPR08MB59154655A83674320C831E32FA329@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <CAGi82uNOmJJdO2HKcE8M491Vv_PLgk8J8vvfsEE88CMZkmALmw@mail.gmail.com> <a69db82e96374a36b1f7164da3c5556e@amazon.com> <CAEEbLAZXLmvQbXkdqJcO2erQLVBic3gfuGPv8XRTSxZRiAaAvQ@mail.gmail.com>
In-Reply-To: <CAEEbLAZXLmvQbXkdqJcO2erQLVBic3gfuGPv8XRTSxZRiAaAvQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: E7A2B17563B78F40BF493F9A7E47084A.0
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
x-ms-traffictypediagnostic: DBBPR08MB5915:EE_|AM8PR08MB5553:EE_|AM7EUR03FT047:EE_|DBBPR08MB6044:EE_
X-MS-Office365-Filtering-Correlation-Id: e30dad6f-4500-43fe-b390-08dab8c902ab
x-checkrecipientrouted: true
nodisclaimer: true
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: oJWDZj9iVN3MvfLGjqNSWCWBlDdxQO+2XNDAqEXVxZGG8Fu9TTUaqUt40aGpLz02IMhyLs9kFLlXB++WnKYY1WZSSAW+ixyKl8GND+85PeH6rH74mlkPu4vbpY8lf55h6ijt+VVnBITiLJ21c9Yfj7505Qd43/v8Tl+/F17EvDaN1JPR7GWqp0LU3N3oDOxXBbyMCCMamJa9C/V4/uUlypTh7SrLInlqeb77NGlwhKcDOTAVWAX6n4z0+q6mdaYd0sS1oid83Cq5GnGlRNJQnx7ujsihEB6DWdAXEKbzo1mOmMqPgipHVhbphujhFkCAxM24Xls2BlY1w3KXUGf7iUdPMyWqF4R2YG6EPScEueXPymGnss6xRbUCeSg53fbCHG6XXclaUXGxaBBKidP7ZoYVDrB6fuaE/kQ214VGvmuPqwzz9JkV2R62OMAgb3sQ/PmircSEUPj4r5jb+4yWGbcA22NE2aRJdiWgHoHm6BfURHlNL1By7t0rzCEw47RrlLcgNKPTbrOHokUbt2k5ZMYIBDXhFfxwCFXCqWKPn541ZOEHhy/QvEeprFj+RcFPUb1Tum9sPyjSgF219okVgsCmTwNHa/99/Saw+Bpx6kS2xkds+H9NkQTwveyDvgYqX52sEGL6wNjWiYKpod6gDrgqbuRJeCBlBwoSWVGYTJsnYwgzW8gCxbxH2uNVP6uwEf37xUlKZpO0F3yEe9oioJKO0BJF9eEDGtPOUdcvFF58d9mTbjyyfJcyXmENXrQIiE9I5cxEAA679e4YRnr/mF6zfp55F++/OQlt475hZDGoywde3BV62xXji8GAkX0SkD/PeZHv+lF279yahRr4Cw==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB5915.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(396003)(366004)(136003)(376002)(39860400002)(346002)(451199015)(966005)(2906002)(38070700005)(478600001)(186003)(66899015)(71200400001)(66946007)(9326002)(316002)(54906003)(83380400001)(64756008)(8936002)(8676002)(76116006)(7696005)(4326008)(53546011)(33656002)(6506007)(66476007)(66446008)(110136005)(66556008)(52536014)(41300700001)(5660300002)(122000001)(55016003)(86362001)(38100700002)(9686003)(166002); DIR:OUT; SFP:1101;
Content-Type: multipart/alternative; boundary="_000_DBBPR08MB59154655A83674320C831E32FA329DBBPR08MB5915eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM8PR08MB5553
Original-Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM7EUR03FT047.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: d75ca4bd-cbf5-4fbc-610d-08dab8c8fac5
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: N5wgJ41ydPPEEKYUttXbe5i5DcBw67B/XH4jege4hdHovxoIi3VtIpluC1DN8kiegnWuegeSnCzJ0Q+3FZCGRYZRHQx0hI+sCfoeERLJ8GZPdcBnF8S+AUkS8bjQG95FBPvo0YnPqMDklkz1QWe3wylcy3VDx0wQMH6NK8bKKl/lhK0WWCUGkJhiXuRHGD1Nhz5ubedJpj2eFZ2Ym35AytmkNEaqQ1Kcf/czbX/T6WI9++uTVT2530aE/+c5lCXj9TGjKDA01yaxmu3z5f28LtcoblfiASVIL5obLIXIqGv/qh9GqrBRmrGVcYtKClu3d2z6QNTrG7g8h3USspffPukJffS927R7cLwKpaKukuTCj0953yQF1FpV3vRdVpkJ21+Ic0yCUNXMiF2CFpch+lfQDh5lu7uG/qfblorSztkJJGDbwMf9Ne/Oa0ELeUZXReb+c61/hEk9pbmrG2g7kvW/9PEP3F3fhJjY3rx+BQmhhgs0YBgS3U0EqAFvwXoeIpUqhMcTU0bLU90fHpruBgGOPLKlSKyA23+LCuqA3vE3oe1gZnHQ1QusEk+LME8S1m8EX7HqkKX3vqwdT3LkmqcyDlxNYgkrYhdCjcRv4CNN4nOG1/8XhwxNJpTNwHfv1gc5yMkpVjbn4jNR+E9hUQW9OtRAaSP943fIJ+9Sw0SA/gzueU0juMa8uWhL6wlo/i1U6/+zDdlH8526szayspx1wYFJxKkTM59yKQzg0ZmbVK9RAdBa/eWKkT6kMlj1od5hu1YE/+5qwiq7wr9dwzrMmG7Tpv3zjCYCBFPLB3d2u4xrwkP+hhi0k7a5m0GO/MYbm3PyrxI/9ofz57UYHw==
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(13230022)(4636009)(396003)(376002)(39860400002)(346002)(136003)(451199015)(40470700004)(36840700001)(46966006)(966005)(66899015)(336012)(2906002)(30864003)(186003)(47076005)(478600001)(82310400005)(316002)(110136005)(54906003)(33656002)(83380400001)(8676002)(7696005)(40460700003)(4326008)(53546011)(6506007)(33964004)(70586007)(82740400003)(70206006)(86362001)(9326002)(40480700001)(52536014)(5660300002)(8936002)(9686003)(26005)(41300700001)(356005)(81166007)(55016003)(36860700001)(166002); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Oct 2022 09:44:29.8309 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e30dad6f-4500-43fe-b390-08dab8c902ab
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: AM7EUR03FT047.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBPR08MB6044
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/pEkFOJ8DGePreAatBSuyUZE9lkc>
Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2022 09:44:49 -0000

Hi Sophie,

Thanks for your comments.

The functionality of ciphers without integrity protection was introduced not to save bytes over the wire but to support a firmware update use case.
It seems that this intention is not well articulated in the draft and hence we will have to add more text.

https://datatracker.ietf.org/doc/html/draft-ietf-suit-firmware-encryption-09 provides a more detailed description of the firmware update scenario, see particularly Section 8.

Hence, we are by no means suggesting that AES-CTR and AES-CBC should be used for generic usage. We highlight this be registering the algorithms as “deprecated” thereby avoiding accidental usage by developers who just browse through the IANA COSE algorithm registry. In the draft itself we also mention several times that the two algorithms do not offer integrity protection and that an additional mechanism must be used to provide this integrity protection.
Ciao
Hannes

From: COSE <cose-bounces@ietf.org> On Behalf Of Sophie Schmieg
Sent: Thursday, October 27, 2022 8:13 PM
To: Arciszewski, Scott <scottarc=40amazon.com@dmarc.ietf.org>
Cc: Zundel, Brent <brent.zundel=40avast.com@dmarc.ietf.org>; cose@ietf.org
Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC

Hi all,

I'm Sophie from Google's ISE Crypto team and wanted to add a few comments to this proposal.
I have to agree with Scott's other objection, adding unauthenticated encryption modes will open COSE to several attacks.

Attack 1: Signature Stripping
Since the kid of the authentication layer and the encryption layer would no longer be correlated, the attacker can replace the outer signature/mac layer with their own valid signature/tag without knowing the plaintext that they are signing. The usual defense against this attack is to use an IND-CCA2 cipher and include the sender identity in the plaintext. However, CTR and CBC mode are not IND-CCA2 and would therefore not be able to implement this mitigation. This means that there has to be an implementation enforced mapping from outer kid to inner kid to mitigate this attack.

COSE, similar to JOSE, defines the algorithm in the ciphertext instead of the key. In JOSE, this design weakness results in several common vulnerabilities (alg=none, HMAC to ECDSA attacks). In COSE, this weakness is currently mitigated due to the limited selection of algorithms and the strict separation of digital signatures and MACs. However, adding new algorithms to COSE can affect the security of existing algorithms, as implementations might trust the ciphertext's algorithm information and not have algorithm information on the key. You can find more information about this family of attacks in my RWC talk [1]. This leads to the following family of attacks, which can be combined with Attack 1.

Attack 2: GCM to CTR authentication key compromise attack
AES-GCM is a combination of AES-CTR and GHASH, with the tag being the CTR encrypted output of the GHASH of the rest of the ciphertext. Knowledge of the unencrypted GHASH output allows the attacker to calculate the authentication key used by AES-GCM, allowing for forgeries. In a situation where the attacker has access to a (partial) decryption oracle, they can manipulate the ciphertext, switching from AES-GCM to AES-CTR and extracting the unencrypted GHASH output and with it the GCM authentication key.

Attack 3: GCM to CTR malleability attacks
AES-GCM using AES-CTR for its encryption leads to another attack, allowing the attacker to switch the algorithm from GCM to CTR, and stripping the tag of the ciphertext. This bypasses the authenticity check of GCM, allowing the attacker to manipulate the ciphertext (and with that the plaintext). This attack can even be used to turn a mere decryption failure oracle into a decryption oracle, by crafting messages that trigger decryption failures if a plaintext guess is incorrect, leading to another way to exploit Attack 2.

Attack 4: GCM to CBC plaintext recovery attacks
Changing the algorithm field from AES-GCM to AES-CBC can lead to another type of attack, where guesses of 16 bytes of plaintext at a time can be verified via a CBC padding oracle. The details are summarized (including a proof of concept) in the description of CVE-2020-8911 [2].

In general, COSE is already a fairly overly verbose standard (e.g. including the algorithm identifier in the ciphertext), so it seems to me that saving the 16 bytes of overhead of the GCM tag is not worth the risk of opening implementations up to these attacks which we know from JOSE implementations are extremely frequent mistakes.

Re: Cryptographic review of standards using CBC and CTR mode: Even though the modes are well understood, the interactions between modes are much less obvious, see for [3] for a detailed discussion of this issue. The attacks I lined out are far from theoretical, and have plagued various implementations (whether they are implementing JOSE or not implementing any particular standard), so I think having cryptographers review standards that use modes like this could be a good idea in general.

[1] https://youtu.be/CiH6iqjWpt8?t=1045
[2] https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9
[3] https://ieeexplore.ieee.org/document/959888
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email