[jose] Re: [COSE] Re: Re: My review of draft-ietf-jose-fully-specified-algorithms

Michael Jones <michael_b_jones@hotmail.com> Mon, 21 October 2024 19:50 UTC

Return-Path: <michael_b_jones@hotmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CDBDC180B5D; Mon, 21 Oct 2024 12:50:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.233
X-Spam-Level:
X-Spam-Status: No, score=-1.233 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8XL02gBhrKe0; Mon, 21 Oct 2024 12:50:31 -0700 (PDT)
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11olkn2042.outbound.protection.outlook.com [40.92.20.42]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FB55C15198C; Mon, 21 Oct 2024 12:50:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=qU4epF6FngfHkTJpNp7NCr0vRaOyDxLo+NNTDDl2RR6g6ijXv9GKP0QOLxADLIQir2EbXVbzh5xABSlNL5EEelJQ+d1vHZv32fHOB/o8aMExtezKp4nEa4BBcngcfw3RZz642EqnuN9ScII412k+ecni+Zn3lEdNfD+Gzbz8FCudtAQYFxKVjPcOlz9Co2LdV1swevVxKcu3lZqQShIPk1yhA6NF1QUHAx9nUrkIz+hp9VOMdQTcUYyGHkYPiHt7gvSzCko/asVYJ48t5SumXi88/Mj7DPFpQ7Rpe6+P2fJEJZqFtieMm5FjHgN446rTwH+uHsrLU0QjlqkB14YgzQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CIc4RVjdrxkTdm9j7boyJqMzLEDfsu95ZpT5ZtoHbi4=; b=G5aHrDsOFLU4BnLwQI2jzE+eBC6fWvSIHydLDdnQdwODknasNqzfvPGlcYwgjv1AzxIlCYA4uZE6X5EFpVw7Y8W3mH/03ZmXsMO8/Gex1fe9/8WP8+e5AdqlUjGiqaDTuhCSSeXYYYmWSs5R4WmQW8D2RZaQk57H/5aa9Am4sLR6q1uRmOdRFqG3yDgQHRJWqlz9EhNHBURl0dFyX8uyCn43X6XgZieYqHzCjstJ39xoqRw8u/z4nlJfObWVIX8j5nvjedKwNiOasGZrj98uQ9AjWhzOiXrvcwa3EnkwvZWxmNtW9T8KwJOUeCS4QOkFaowOi/eC8bYoovwSgnPYCg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CIc4RVjdrxkTdm9j7boyJqMzLEDfsu95ZpT5ZtoHbi4=; b=VXxhj62RHvxvvMcRHsDfclKdoxtrxyDbBwcYD9J7XJfbPwOj1uMIEj7aYR+nrtO7qdt3fQ0yJlkPp9SdMtQloYcNmta3RxPQ7o02lo4B0xuOdNQQPeoE/B/GmpNuVKRECUcrBU99lJLntifXqIJkIpz4l3k596pzMxS/IebzTUwXp/xzB89C5UNbQkZ9Asi7wfg1A6nd/Qx+0us4PY7FOwkHYsBIiXU2dIOtHdEbI5YXRvGzmzWpYcmc0d6cwBMGW3hqX8ySsYgGQRE83y/3w89bXHwG/XfEx9XB9+c8Xu+/Xv2lPY6q5bRyLtAGEh9KUsLufUqPyZ+rReInuyV+jA==
Received: from PH0PR07MB9077.namprd07.prod.outlook.com (2603:10b6:510:107::13) by DM6PR07MB7306.namprd07.prod.outlook.com (2603:10b6:5:219::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8069.28; Mon, 21 Oct 2024 19:50:28 +0000
Received: from PH0PR07MB9077.namprd07.prod.outlook.com ([fe80::5075:92e8:a12d:d85f]) by PH0PR07MB9077.namprd07.prod.outlook.com ([fe80::5075:92e8:a12d:d85f%5]) with mapi id 15.20.8069.016; Mon, 21 Oct 2024 19:50:28 +0000
From: Michael Jones <michael_b_jones@hotmail.com>
To: "Tschofenig, Hannes" <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>, "cose@ietf.org" <cose@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [COSE] Re: [jose] Re: My review of draft-ietf-jose-fully-specified-algorithms
Thread-Index: AQHbCNW+/UORsxQlhEyRhP+ZA/aC47KRnTzA
Date: Mon, 21 Oct 2024 19:50:28 +0000
Message-ID: <PH0PR07MB9077B042A936210CDCD2701DB7432@PH0PR07MB9077.namprd07.prod.outlook.com>
References: <008001db074b$57585530$0608ff90$@gmx.net> <ZucO0geTKZDGcqO7@LK-Perkele-VII2.locald> <AS8PR10MB7427013C7A14FC0412396B11EE612@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <AS8PR10MB7427013C7A14FC0412396B11EE612@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ActionId=a6fcebc1-1dd6-4274-8ced-d9779f49bfcd; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ContentBits=0; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Enabled=true; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Method=Standard; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Name=restricted; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SetDate=2024-09-17T07:38:48Z; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH0PR07MB9077:EE_|DM6PR07MB7306:EE_
x-ms-office365-filtering-correlation-id: e42f24e1-3071-4241-6fcd-08dcf2099d46
x-microsoft-antispam: BCL:0;ARA:14566002|19110799003|8062599003|8060799006|15080799006|7092599003|461199028|440099028|3412199025|4302099013|10035399004|102099032|56899033|1602099012;
x-microsoft-antispam-message-info: SKCt8pCiHHZRuGNqM+VMin7d8HhgyV/aq2qKqkapCeiR56LmbiWtaQGM0kwN3P7tmXEQylaW6FfD58AbP/iyi/0m/vs94PaZ+0qQ0fZ19YBeON8O4+FAbVWdWNbF6Hq54VMQT26WMZffzo+wXEITYKtDCKKbq1RVM9MxEnPdwKqmzn2h3nvlSQoQd9C7/SQNUmmkAYWv7rBad9PtlAtPMsW/scC05OLPdKm3Zt/6BkklN95KxDQZhCh8sinVfuPM32T8MyQOuXtPVmLYccl7xBAr2jCELyqFtyByOrfK5t3FFoMdXkS8wMPDooYGCQWABzgmj4ijthDX+RzjkVGb6JwBhxGyFIlQNsqNFQNvIJoOlC0ayuXy0mydPOH7ptFv2gBhCszAJlhRLJNNo/EQ0C/Tg2kqzYlJZy18OcIzYtk/y5PoRRDm72Dxeqhnm9ZQjf8rLrm744+kgQG8Rj1UV7hnQZ54XDG0KKjgCShmWtVY9DPL2RnFX6ygh5/ejnwFn3kSl30o7S+99WAS+4IiJreGNsNj/3a2Z3LkSbk9q9Eapxpf3zTfP4GGH/f9pDB7RdMoMw1AlayoYmyvwIWrREhov+8tBmucUYM6qTi5jsU6W+/wlfU9jP2NdMi3z91HmUjDSRCul245SqZjrD7Bd+llrg91gwlzJ1DO4x37RNbM/QU2rep5ZQIVtizKcG+K3EhtgJrv04d0KW1FkrlNj1MRcpeJjpncS/p8GBjgEjHR1QzSEOQX86YGhg8VSWYCZLPJhp1sIjYtetVOqOI66ostopWJKnaGGXaDq+yvqcqsbAcRdxcHmR5AK/BJZVgDBYUFJ0nOwgfrJSA0qFX0Fqy/lVhxx5xHvlZe7Mpp2vGCsomSi+eTS0WaQn1JbkMA01odpoB763maezKOm0I0DYk8zVHmFh7pFydNS9qY731QmniRygo8S0QFJ7RUBjvk
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: DbfP0ZrNreZqCAr4WfkM5jZnIqj2PSJsxi9ZaLz3VB/yQrG86C/I1cguf0XV/UroAgr6/VVeGazgjWklk5MqrZcch8T/2p7OnaHdu5rR4dozsUyj8yRlpQcwc0o3LLTebufFw3wf+0GhbhIVjnUA1w6y4DCtkX+3xngCme4TfbIZJO82LCS+uIHyAQQLdf0EMK+5YJVRcc8Xm5J80nZgWFSS5zmeAmQVNg5XwrPm3dQ+eZwxjOjHj8vddgb6jPXQ/zr3Y3FGG8Ta9rxSDmx3c4mcOUXDjKOdKcVQZ/zkjb0kVETrVDwA8y3eEXGzi7Xopy5om0qyH05CaUHtIwCIntruVwIX4DCQI9xWgx6xCo9NcTF8qiMmun0KyTX12adcvOXOwqyM1EgO0I1LVe7x3frM5Uajk9RQVUf8EmiiQejk/Q+6vlieM4j8eTAWjcssMvtmuCHE/y6o5UGjOfstXs0GE0U4zbB4IPKzeJYh2ZCN649wY8cEAXe9Vksg+qRaVVexlb19GwCX8eOONlXZbsxjKjrBdp0EBGDmAXVd8PZFjA4EKsFM5UsrnFeVD1Ks7sCy+nrESALU87d+GpstIGQo57eQtN3S4b6ht8UNkrHSIzDpSPAM7eLa0TEoAwQ41iEZVMkKdTPaaN0YBeN0xDnVHsfaCS6yd3QhfAqpfHSz78Bp+8PyD7k8U6lKQe/dfRPkVNdC2yrCvYAsa+tvjqAc8/HLnmh7cS/o5iCCSC7J70VrHStbUdEkF+17BIOaZBy5NkM3wc2UiOuD1MyM8IY/IL0b1QKZ3Nr5dNBYn+pKQFhXLGd4mwdHUlkmgglHjReEUaSZJxkLyqIdsJlMGnSf339e4515ZT3Qf9m2NK1YzhFnbL1MYIansFICACBCNgPR7wi9z8vxA8HisoQC+Hqv/yB3MqP2PC930Nza/271FQqbZ4ajRccyuaJCmdk64HUFqgs5Lr/knM/BL0gFwZc/9zvyb7Iw5XWGuPMNsnmwYoRsYYDNw7dqrj3kXK+rEtiIR7xzM5gzD80nvOzFAO4NRbzl9MzkSfM8PmgJzpA/GWaM7HfUgGOTEIZLtGdIIyxm3db4T5x5Z6ou3c1+ztN2slJB/Ci0RUnnFMzomLjTfggU21jiCjoa7i4N/CoNUnOqWsK30Mr/1uwiWQQsQ/RgMi/q1Q0bw0Z5EnDhNOsWNnspl6LB/oVbGlkmnUNK7ndzvGJPA3G+rQwGAy7tMjKq/7AdE/NrQaSEYOGIjsbHgrbpJXOZaDk+3uTM8mYYVeFJPC/UUExydFUEJ5RceH20PK9keRtlWt5crVEETjxiUtH4vt5ntUxguJhRwaii
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: sct-15-20-7741-18-msonline-outlook-99cdb.templateTenant
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR07MB9077.namprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: e42f24e1-3071-4241-6fcd-08dcf2099d46
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Oct 2024 19:50:28.6561 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR07MB7306
Message-ID-Hash: 24TVLFXVDMKJORML3YZ37NVE2WRFNY5K
X-Message-ID-Hash: 24TVLFXVDMKJORML3YZ37NVE2WRFNY5K
X-MailFrom: michael_b_jones@hotmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [jose] Re: [COSE] Re: Re: My review of draft-ietf-jose-fully-specified-algorithms
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/swm5gvC8P-R93TXYJh4E21boP6U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

Thanks for pointing out that the problem exists both for signature and encryption algorithms, Hannes.

                                -- Mike

-----Original Message-----
From: Tschofenig, Hannes <hannes.tschofenig=40siemens.com@dmarc.ietf.org>
Sent: Tuesday, September 17, 2024 12:46 AM
To: ilariliusvaara@welho.com; cose@ietf.org; jose@ietf.org
Subject: [COSE] Re: [jose] Re: My review of draft-ietf-jose-fully-specified-algorithms

Hi Ilari,

just a few remarks. I disagree with your statement that the draft is about interoperability, not security. I guess it is probably a matter of wording but why would any document coming out of COSE not be about security given the type of documents being developed in the group.

You made a remark about the encryption functionality and the lack of consensus. I was at the meeting, and I heard Brian sharing his views to the group. That was it.

It makes little sense to me to just focus on digital signatures since the same problems exist for encryption algorithms as well.

Ciao
Hannes


-----Original Message-----
From: ilariliusvaara@welho.com <ilariliusvaara@welho.com>
Sent: Sunday, September 15, 2024 6:44 PM
To: cose@ietf.org; jose@ietf.org
Subject: [jose] Re: [COSE] My review of draft-ietf-jose-fully-specified-algorithms

On Sun, Sep 15, 2024 at 10:43:30AM +0200, hannes.tschofenig=40gmx.net@dmarc.ietf.org wrote:
>
> Initially, the focus of the draft was on digital signature algorithms,
> but later, encryption algorithms were also included. This added
> complexity, as encryption algorithms support various key exchange
> methods. The expanded scope was discussed at the last IETF meeting.
> This expansion of scope is, however, unavoidable since otherwise the
> content of the registry is misaligned.

My interpretation of last meeting is that there is no consensus on extending the scope to encryption, mainly due to the large number of algorithms this would require.


> Mike and Orie argue that content encryption and key exchange
> algorithms must be independent of each other:
>
> "Each of these multiple algorithms must be independently fully
> specified. The operations performed by each of them MUST NOT vary when
> used alongside other algorithms. For instance, in JOSE, alg and enc
> values MUST each be fully specified, and their behaviors MUST NOT
> depend upon one another."
>
> I disagree with this perspective since these algorithms depend on each
> other. The key exchange algorithm must produce a key of the
> appropriate length for the content encryption algorithm. Additionally,
> binding them together is necessary to prevent attacks, as discussed in
> the context of COSE HPKE.

This contradicts fundamental assumptions in JWE: That "enc" and "alg"
are mutually independent, and that there is no need for binding to prevent attacks.

COSE makes weaker assumptions: Any AE(AD) algorithm is independent from all else, and that there is no need for binding to prevent attacks.

Unfortunately, the latter was left implicit, and then accidentally broken.

And even if COSE does not fundamentally assume that all algorithms are independent, it is very bad idea to have dependencies between algorithms without a good reason (basically, either the combo makes no sense, or is trivially insecure).

Most key managment algorithms in JOSE and COSE do not support binding (in some cases, it would be highly nontrival to add), and assumption "no need for binding to prevent attacks" is necessary to have such algorithms.


> Interestingly enough, later in the text they acknowledge this fact on
> page 14:
>
> "
>   In COSE, preventing cross-mode attacks, such as those described in
>    [RFC9459], can be accomplished in two ways: (1) Allow only
>    authenticated content encryption algorithms. (2) Bind the the
>    potentially unauthenticated content encryption algorithm to be used
>    into the key protection algorithm so that different content
>    encryption algorithms result in different content encryption keys.
> "
>
> I disagree with the text as currently written, as described in
> https://datatracker.ietf.org/doc/draft-tschofenig-cose-cek-hkdf-sha256/.
> I believe I understand what the authors are trying to communicate but
> it does not quite get across. Their view is purely from a registry
> value perspective and not so much from a security point of view.

Yes, The text seems confused.

What is needed in case (2) is having a KDF step before symmetric encryption to ensure that different symmetric encryption algorithms use (cryptographically) independent keys.

In some cases, COSE already has such step depending on key managment algorithm (e.g.,DKA and direct+KDF), but not all (e.g., any non-direct algorihm).


> Section 3.2's API descriptions are incorrect. For example, most
> ciphers used for content encryption in COSE and JOSE are AEAD ciphers,
> and their API does not align with the description in Section 3.1.1.

I think that description is strange, but not flat out incorrect, as it does allow for additional aad input.

All JOSE content encryption algorithms are AEAD, as JWE absolutely requires that.

COSE does allow using non-AEAD for content encryption, but all the current algorithms suitable for content encryption are AEAD, and this state of affairs is expected to continue. Moreover, using any non AD- capable encryption at layer0 is of questionable use.


> In Section 3.2.2, it appears that the document creates new KEM-
> definitions and their APIs, despite several existing IETF
> specifications that could be referenced. For example, text could be
> copied from RFC 5990bis (see Section 1.2 of
> https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/)

Looking at section 3.2.2:

What the heck is "Key Establishment with Direct Encryption"? Neither JOSE nor COSE define such term, and it looks like an oxymoron anyway.

Then some references to "JWE Protected Header" are incorrect and should be "JOSE Header" instead.

Then the stated method of constructing a fully-specified algorithm in JOSE does not work, as it breaks fundamental assumption in JWE (the indepence of "enc" and "alg").


> Finally, I have concerns about the terminology used in the draft.
> For instance, I am not convinced that introducing the term
> "polymorphic" is a good idea, as it is not used in the security field.
> In the IPsec/IKE discussions I have seen the terms Ciphersuite vs. À
> La Carte being used.

This draft is about interoperability, not security. It does define what it means with "polymorphic", and it is not quite the same as "À La Carte".

In fact, "fully-specified" can be less secure than "polymorphic", as "polymorphic" might make some critical security checks into required for function. Unfortunatly, this has proven to not be theoretical.




-Ilari

_______________________________________________
jose mailing list -- jose@ietf.org
To unsubscribe send an email to jose-leave@ietf.org _______________________________________________
COSE mailing list -- cose@ietf.org
To unsubscribe send an email to cose-leave@ietf.org