[jose] Re: [COSE] My review of draft-ietf-jose-fully-specified-algorithms
John Mattsson <john.mattsson@ericsson.com> Sun, 15 September 2024 09:30 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: "hannes.tschofenig=40gmx.net@dmarc.ietf.org" <hannes.tschofenig=40gmx.net@dmarc.ietf.org>, "cose@ietf.org" <cose@ietf.org>
Date: Sun, 15 Sep 2024 09:29:54 +0000
CC: "jose@ietf.org" <jose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/VuTRqXgu4OjgnhJn4AWtRgqtsgw>

Hi Hannes,

Thanks for your review. I include JOSE WG as well.

I think the cipher suite vs. à la carte is a good description for parts of the draft but not others. I don't think the discussion of having all domain parameters in the algorithm specifiers vs having some parameters in the key maps well to cipher suites. TLS 1.2 cipher suites are less specified than IKE and COSE and the term cipher suite only makes sense if there is an encryption algorithm included.

Cheers,
John

________________________________
From: hannes.tschofenig=40gmx.net@dmarc.ietf.org <hannes.tschofenig=40gmx.net@dmarc.ietf.org>
Sent: Sunday, September 15, 2024 10:43 AM
To: cose@ietf.org <cose@ietf.org>
Subject: [COSE] My review of draft-ietf-jose-fully-specified-algorithms

Hi all,

as requested, I have reviewed the document.

Here’s some background information first:

Security protocols like TLS and IKEv2 perform an initial handshake to authenticate endpoints, negotiate algorithm combinations, and establish a symmetric key for securing data traffic. After the handshake, there's no need to carry algorithm information around, as the key identifier implicitly defines the algorithm in use.

However, JOSE and COSE are not multi-round-trip protocols but rather building blocks for other protocols, often used in applications involving one-shot messages (such as JWTs or CWTs). It has become common practice to include algorithm information in the headers of JOSE/COSE payloads to specify the algorithm and key exchange mechanism. Despite the risk of attackers altering algorithm identifiers to deceive recipients into using incorrect algorithms with a given key, this practice persists.

There are two main philosophies regarding algorithm identifiers in JOSE/COSE headers:

- Ciphersuite Approach: The identifier refers to a meaningful combination of algorithms, key sizes, etc. This is an example from the draft: ECDH-ES using P-384 w/ HKDF and AES Key Wrap w/ 192-bit key --- this ciphersuite represents the combination of all these individual algorithms, key sizes, key distribution mechanisms, KDFs, etc.

- À La Carte Approach where individual properties are expressed independently. Here is an example: Algorithm = AES, Key Size=128, Mode of Operation: GCM

The document aims to revise the IANA registry for JOSE and COSE algorithms to list ciphersuites, which is necessary as other specifications have assumed that ciphersuites are being used.

Initially, the focus of the draft was on digital signature algorithms, but later, encryption algorithms were also included. This added complexity, as encryption algorithms support various key exchange methods. The expanded scope was discussed at the last IETF meeting. This expansion of scope is, however, unavoidable since otherwise the content of the registry is misaligned.

Mike and Orie argue that content encryption and key exchange algorithms must be independent of each other:

"Each of these multiple algorithms must be independently fully specified. The operations performed by each of them MUST NOT vary when used alongside other algorithms. For instance, in JOSE, alg and enc values MUST each be fully specified, and their behaviors MUST NOT depend upon one another."

I disagree with this perspective since these algorithms depend on each other. The key exchange algorithm must produce a key of the appropriate length for the content encryption algorithm. Additionally, binding them together is necessary to prevent attacks, as discussed in the context of COSE HPKE.

Interestingly enough, later in the text they acknowledge this fact on page 14:

"In COSE, preventing cross-mode attacks, such as those described in [RFC9459], can be accomplished in two ways:
(1) Allow only authenticated content encryption algorithms.
(2) Bind the potentially unauthenticated content encryption algorithm to be used into the key protection algorithm so that different content encryption algorithms result in different content encryption keys."

I disagree with the text as currently written, as described in https://datatracker.ietf.org/doc/draft-tschofenig-cose-cek-hkdf-sha256/.

I believe I understand what the authors are trying to communicate but it does not quite get across. Their view is purely from a registry value perspective and not so much from a security point of view.

Section 3.2's API descriptions are incorrect. For example, most ciphers used for content encryption in COSE and JOSE are AEAD ciphers, and their API does not align with the description in Section 3.1.1.

I found nits in the draft. For instance, Section 3.1.1 (which discusses direct encryption) references AES-KW, stating: "Key Wrapping algorithms impose additional implicit constraints on AAD and IV." While true, AES-KW, as defined in RFC 3394, does not have public parameters that vary per invocation. Consequently, for COSE, the protected header in the recipient structure is a zero-length byte string, which does not apply to the content encryption layer. You could call this "constraints" - it would be more correct to just state what is meant by these constraints or point to the respective section in the relevant RFC(s).

In Section 3.2.2, it appears that the document creates new KEM-definitions and their APIs, despite several existing IETF specifications that could be referenced. For example, text could be copied from RFC 5990bis (see Section 1.2 of https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/)

Finally, I have concerns about the terminology used in the draft. For instance, I am not convinced that introducing the term "polymorphic" is a good idea, as it is not used in the security field. In the IPsec/IKE discussions I have seen the terms Ciphersuite vs. À La Carte being used.

With all that said, I agree with the overall concept of the draft. My review focuses on providing feedback on the content, and I am happy to collaborate with the authors or the group to refine and improve the wording of the text.

Ciao
Hannes
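
Added example, not part of the original thread and not the construction of either draft discussed in it: a Python sketch of option (2) quoted in the review, deriving the content encryption key with HKDF-SHA256 so that the content encryption algorithm identifier and its key length are bound into the key. The info label, the encoding of the info string, the function names and the algorithm table are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed for this example: content encryption identifier -> key length (bytes).
CEK_LENGTHS = {"A128GCM": 16, "A256GCM": 32, "A128CTR": 16}
LABEL = b"example-cek-binding"  # hypothetical domain-separation label


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF with SHA-256 as in RFC 5869: extract, then expand."""
    if not 0 < length <= 255 * 32:
        raise ValueError("invalid output length")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_bound_cek(shared_secret: bytes, enc_alg: str) -> bytes:
    """Derive a CEK whose value depends on the content encryption algorithm."""
    if enc_alg not in CEK_LENGTHS:
        # Reject identifiers outside the recipient's own table.
        raise ValueError(f"unsupported content encryption algorithm: {enc_alg!r}")
    length = CEK_LENGTHS[enc_alg]  # key length is dictated by the algorithm
    name = enc_alg.encode("ascii")
    # Length-prefix the name so distinct (name, length) pairs never encode alike.
    info = LABEL + bytes([len(name)]) + name + length.to_bytes(2, "big")
    return hkdf_sha256(shared_secret, b"", info, length)


def cross_mode_check(shared_secret: bytes) -> dict:
    """Return the CEK derived for each algorithm from one shared secret."""
    return {alg: derive_bound_cek(shared_secret, alg) for alg in CEK_LENGTHS}


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed stand-in for a key agreement output
    for alg, cek in cross_mode_check(secret).items():
        print(alg, len(cek), cek.hex())
```

With this derivation, a header whose identifier is changed from A128GCM to A128CTR makes the recipient derive a different key, and the key length always matches what the content encryption algorithm requires.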