Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

Brian Campbell <bcampbell@pingidentity.com> Fri, 10 July 2015 22:09 UTC

In-Reply-To: <00b601d0bb3d$37fe0d60$a7fa2820$@augustcellars.com>
References: <CA+k3eCQUPxZfWM9XcKaTLN-WOx2cHEi9SAGSRFTtv71iSCUqdQ@mail.gmail.com> <559576A9.9090002@gmx.net> <BY2PR03MB442C02F758E34B29BBD0CEAF5970@BY2PR03MB442.namprd03.prod.outlook.com> <001001d0b90c$3c874af0$b595e0d0$@augustcellars.com> <00c501d0b9a5$c8f869d0$5ae93d70$@augustcellars.com> <CA+k3eCS-7UK9RDfnkKCLK0ApTdNhSamYY3LL73+e1=rBvz7vDA@mail.gmail.com> <sjmlheo6t1j.fsf@securerf.ihtfp.org> <20150710171118.GA20991@LK-Perkele-VII> <00b601d0bb3d$37fe0d60$a7fa2820$@augustcellars.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 10 Jul 2015 16:06:48 -0600
Message-ID: <CA+k3eCTeDPP_1oqZ4U3c5a7Z16EgOd3qBjpsGuFxaGYrKJNAiA@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/vCAlvT-dhkreJWS3RRMS5RTsSBU>
Cc: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, cose@ietf.org
Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)

And my question was about ephemeral-static DH and RSA-OAEP (both of which
are used in the MAC example at
https://cose-wg.github.io/cose-spec/#rfc.appendix.C.1.4). Without the
statement of origin, I don't see what value there is?



On Fri, Jul 10, 2015 at 12:21 PM, Jim Schaad <ietf@augustcellars.com> wrote:

>
>
> > -----Original Message-----
> > From: Ilari Liusvaara [mailto:ilari.liusvaara@elisanet.fi]
> > Sent: Friday, July 10, 2015 10:11 AM
> > To: Derek Atkins
> > Cc: Brian Campbell; Jim Schaad; Mike Jones; cose@ietf.org
> > Subject: Re: [Cose] Key management for MACs (was Re: Review of draft-schaad-cose-msg-01)
> >
> > On Fri, Jul 10, 2015 at 09:28:24AM -0400, Derek Atkins wrote:
> > >
> > > Performing a MAC using the output of a DH (be it ECDH, AEDH, or raw
> > > DH) can still tell you that the transmission has not been modified
> > > between you and the party you're talking to.  You're right that it
> > > tells you nothing about the party you're talking to (i.e., without
> > > authentication of the DH keys you have no idea if you're talking to a
> > > MITM or the real endpoint).  However, using DH + MAC does tell you
> > > that you're not being spoofed by a "passive" eavesdropper.
> > >
> > > So IMHO it does have some benefit.
> >
> > It occurs to me that any sort of asymmetric key management with MACs is
> > unsafe, since knowing just the public key enables message forgery.
>
> We are going to need to have a consistent definition of message forgery
> for this to be a true statement.  Can one have a forgery from an anonymous
> person?  If you don't make a statement about who is sending the message,
> which may not be done in this case, then I have a problem with saying
> something is a forgery.
>
> To have origination, one needs to use static-static DH.  Without this one
> does not have statement of origin.
>
> >
> > This does not straightforwardly extend to symmetric schemes (like key
> > wrapping), but are those useful with MACs?
>
> Depends to a large extent on what you are doing for key roll over of your
> shared secrets.   If you don't do it very often, then as I stated in my
> last message it can improve security as some attacks can be easier to
> detect.
>
> jim
>
> >
> >
> > -Ilari
>
>
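
Added example (not part of the original thread or of the COSE draft): a sketch of the distinction debated above, showing that a MAC keyed from ephemeral-static DH verifies for any sender who holds the recipient's public key, while static-static DH ties the MAC key to a sender key the recipient already trusts. The toy DH group, the SHA-256 key derivation, the party names and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy finite-field DH group, constructed for this demo. NOT a secure size.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def mac_key(own_priv, peer_pub):
    # Assumed KDF: SHA-256 over the raw shared secret.
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def make_msg(sender_priv, sender_pub, recipient_pub, body):
    tag = hmac.new(mac_key(sender_priv, recipient_pub), body, hashlib.sha256).digest()
    return {"sender_pub": sender_pub, "body": body, "tag": tag}

def verify(recipient_priv, sender_pub, msg):
    expect = hmac.new(mac_key(recipient_priv, sender_pub), msg["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expect, msg["tag"])

def verify_ephemeral_static(recipient_priv, msg):
    # Key comes from whatever public value the message carries: integrity only.
    return verify(recipient_priv, msg["sender_pub"], msg)

def verify_static_static(recipient_priv, trusted_sender_pub, msg):
    # Key comes from a sender key the recipient already trusts: origin is bound.
    return verify(recipient_priv, trusted_sender_pub, msg)

def demo():
    alice_priv, alice_pub = keypair()      # known, static sender
    bob_priv, bob_pub = keypair()          # static recipient
    # A third party who holds only bob_pub uses a fresh ephemeral key.
    other = make_msg(*keypair(), bob_pub, b"pay 100")
    genuine = make_msg(alice_priv, alice_pub, bob_pub, b"pay 100")
    tampered = dict(genuine, body=b"pay 900")
    return {
        "es_accepts_unknown_sender": verify_ephemeral_static(bob_priv, other),
        "es_detects_tampering": not verify_ephemeral_static(bob_priv, tampered),
        "ss_accepts_alice": verify_static_static(bob_priv, alice_pub, genuine),
        "ss_rejects_unknown_sender": not verify_static_static(bob_priv, alice_pub, other),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

All four results are True: the ephemeral-static check detects modification in transit but accepts a message from a sender it cannot identify, while the static-static check rejects that same message.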