IETF Logo Mail Archive

Re: [jose] [COSE] Review of draft-ietf-jose-fully-specified-algorithms-02

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 25 March 2024 20:48 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97401C14F69D; Mon, 25 Mar 2024 13:48:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wzYicmo5DPhQ; Mon, 25 Mar 2024 13:48:49 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 326E2C180B72; Mon, 25 Mar 2024 13:48:33 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 46AEF17060; Mon, 25 Mar 2024 22:48:31 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id D6zZeF_QDC01; Mon, 25 Mar 2024 22:48:31 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 446702309; Mon, 25 Mar 2024 22:40:22 +0200 (EET)
Date: Mon, 25 Mar 2024 22:40:22 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "jose@ietf.org" <jose@ietf.org>, "cose@ietf.org" <cose@ietf.org>
Message-ID: <ZgHhNrQvnIvydWcm@LK-Perkele-VII2.locald>
References: <GVXPR07MB9678C20AE59F6B2251E926C389332@GVXPR07MB9678.eurprd07.prod.outlook.com> <GVXPR07MB9678FF40B08D2AB769DA422B89322@GVXPR07MB9678.eurprd07.prod.outlook.com> <CAN8C-_JZji_Q5GMpoJFt-nwbJaUrg6OqTs3ib2KVFTDDsrPKog@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAN8C-_JZji_Q5GMpoJFt-nwbJaUrg6OqTs3ib2KVFTDDsrPKog@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/CZAIqJz6FqaEEQc_FNGnFCa_j_I>
Subject: Re: [jose] [COSE] Review of draft-ietf-jose-fully-specified-algorithms-02
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2024 20:48:53 -0000

On Mon, Mar 25, 2024 at 10:23:46AM -0700, Orie Steele wrote:
> I wouldn't say there is nothing wrong with those algorithms.
> 
> Not all the changes COSE made were improvements, some of the differences
> from JOSE are mistakes, and have gone against security guidance, and leaned
> into the "a-la-carte" cryptographic suite approach, which I believe we have
> learned to avoid in protocols.

This issue has nothing to do with the changes COSE made over JOSE.

Both JOSE and COSE are very explictly "a-la-carte". Neither does
binding between indirect CEK and algorithm it is used with.

The difference between the two here is some missing critical security
requirements in COSE.

 
> In COSE, algorithms such as ECDH-ES + HKDF-256 and ECDH-ES + A128KW not
> committing to the algorithm used with the content encryption key, have
> introduced attacks, which we are still discussing how to clean up:
> 
> https://www.rfc-editor.org/rfc/rfc9459.html#section-8
> 
> As evidenced above ^ deprecation without replacement is possible... when
> there is no other option.

I see exactly two ways out for COSE:

1) Add the missing security requirements. This amounts to deprecation
without replacement for AES-CTR and AES-CBC.

Something like:

- All symmetric encryption algorithms MUST be authenticated.
- Content encryption MUST be aad-capable.

(The stuff covered by second requirement but not the first is
hilariously slow anyway.)

Implementations that do not implement the vulnerable algorithms do not
need to change.


2) Add layer-integrated KDF to COSE:

Something along lines of https://mailarchive.ietf.org/arch/msg/cose/hRPFUITlEoAgxZwW_MWDJlOlOKg/
("Doing what CMS did would work as well." part)

This means changes even in software that does not implement the bad
algorithms.


> Signatures being not fully specified seem to have less of an impact, but
> guidance moving forward should be clear, especially for PQ and Hybrid
> Algorithms.

Fully specified signatures is only about interop, not security.

The key alg parameter can already be used for forward binding from key
to signature. Which is not even needed for Ed25519 nor Ed448: those
algorithms always have such forward binding. This part can actually have
security impact.

What does not work today is reverse binding from signature to key.
The only place that needs that is algorithm negotiation in some
applications. And fully-specified algorithms is all about adding such
binding.

 
> Will be marking all the ECDSA / EdDSA / ECDH / DH stuff deprecated when a
> CRQC arrives anway.

If.




-Ilari

v2.23.0 | Report a Bug | By Email