IETF Logo Mail Archive

Re: [Lake] Clarifications regarding deterministic CBOR encoding needed?

Carsten Bormann <cabo@tzi.org> Mon, 04 September 2023 11:55 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B66F6C151997 for <lake@ietfa.amsl.com>; Mon, 4 Sep 2023 04:55:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hib2eJyFGmTz for <lake@ietfa.amsl.com>; Mon, 4 Sep 2023 04:54:56 -0700 (PDT)
Received: from smtp.zfn.uni-bremen.de (smtp.zfn.uni-bremen.de [IPv6:2001:638:708:32::21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6069BC151711 for <lake@ietf.org>; Mon, 4 Sep 2023 04:54:55 -0700 (PDT)
Received: from [192.168.217.124] (p548dc15c.dip0.t-ipconnect.de [84.141.193.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4RfRrr1W3XzDCdm; Mon, 4 Sep 2023 13:54:52 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <GVXPR07MB96786E89654927055C14EE1D89E9A@GVXPR07MB9678.eurprd07.prod.outlook.com>
Date: Mon, 04 Sep 2023 13:54:51 +0200
Cc: "lake@ietf.org" <lake@ietf.org>
X-Mao-Original-Outgoing-Id: 715521291.493086-6635c3f03eaae096ba9580b75f163182
Content-Transfer-Encoding: quoted-printable
Message-Id: <15EAB328-D576-4299-A600-3582B6157DA4@tzi.org>
References: <GVXPR07MB96786E89654927055C14EE1D89E9A@GVXPR07MB9678.eurprd07.prod.outlook.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/R0a1ec4Tc3TJH3UjqVdTnoM5PEg>
Subject: Re: [Lake] Clarifications regarding deterministic CBOR encoding needed?
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Sep 2023 11:55:00 -0000

Hi John,

I’m not sure I understand all of this (I don’t know where you need to want deterministic encoding for EDHOC), but here is my quick feedback before I go on vacation:

> On 2023-09-04, at 10:02, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Some notes and thoughts:
>  
> - The sentence in 3.1 should be changed to "encoded using deterministic encoded CBOR as specified in Section 4.2.1 of [RFC8949]." With randomized algorithms, EDHOC is not deterministic.
> - I don't think 4.2.2 of [RFC8949] is relevant for EDHOC. I suggest only refering to 4.2.1. Stating that 4.2.2. is not relevant and that 4.2.3 shall not be used. dCBOR is not references and not needed here.

4.2.2 discusses deteriministic encoding of Tags and floating point values, as well as some application considerations for these.  I don’t think these are relevant for EDHOC.  4.2.3 is a legacy variant that indeed should not be used.
So referring to 4.2.1 is what you need if you want deterministic encoding for EDHOC.
The dCBOR proposal is some entirely different and not relevant here.

> - Deterministic CBOR encoding affects all integers and all maps. Maps occur in ID_CRED_x and CRED_x.

(Not just integers, also arguments for strings, arrays and maps.)

> - I note that there is no normative RFC2119 terms to use deterministic CBOR, but there is a SHOULD abort. This is a bit strange.

If you need deterministic encoding for correctness (like, e.g., COSE does for its signing inputs), this needs to be a MUST.

> - The reason deterministic CBOR was introduces was to limit an attackers possibilities in the case the hash funtion has weaknesses. Does deterministic encoding cause implementation complexity? Not sure it makes sense to mandate if the ECDSA signatures are randomized anyway.

Deterministic encoding is useful if you compute a serialized data item from some other data and want all participants to arrive at the same serialized bytes before, e.g., signing/checking a signature.

> - It is not clear when a CCS is deterministicly encoded. That should be fixed. My understanding is
> - EDHOC does not mandate deterministic encoding of the kccs value
> - When receiving a kccs the kccs value is used as CRED_x without reencoding.
> - When identifying a CCS with a kid and there is risk for different encodings, both sides need to encode deterministically.

I’m not sure I understand this case.  Does a kid identify a CCS in a serialized form, or do you deserialize/serialize before using the CCS for some crypto operation?  In the latter case, you probably need deterministic encoding, but you also have to take care of CCS-specific serialization decisions (e.g., int or float for timestamps/NumericDate).

If CCS needs to be deterministically encoded and NumericDate can be floating point values, you need Section 4.2.2 Bullet 2 Item 2.

https://www.ietf.org/archive/id/draft-bormann-cbor-det-01.html
…is a backgrounder on deterministic encoding, and Section 2 of
https://www.ietf.org/archive/id/draft-bormann-cbor-dcbor-03.html#name-common-cbor-deterministic-e
…actually is not about dCBOR, but about a common way to make decisions about deterministic encoding beyond Section 4.2.1 of RFC 8949.

Grüße, Carsten

v2.23.0 | Report a Bug | By Email