Re: [Lake] Clarifications regarding deterministic CBOR encoding needed?
John Mattsson <john.mattsson@ericsson.com> Tue, 05 September 2023 07:08 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFDE5C151532 for <lake@ietfa.amsl.com>; Tue, 5 Sep 2023 00:08:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C01FnRd-9CnG for <lake@ietfa.amsl.com>; Tue, 5 Sep 2023 00:08:15 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04on2074.outbound.protection.outlook.com [40.107.6.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27A10C151531 for <lake@ietf.org>; Tue, 5 Sep 2023 00:08:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=THFwciqF+dsZxTvER0WqYMAQ0KYDoQ41fNM5bJkHLZzSmIFVewVYXITzUXFZkIiNRrMVsOmpM5v/wPEkhpqDnEMWWqI1sXSSmYtLI/ezOOKUVxZKFJyN71Aao9zVsBceU/omY5jZM4lWtRXx1bTlsO0xoUnX35CXnNd3fSMZ/GVxjR69L5apSlAK/kA2qRBBrCELYDplj06a2Ja8IjloMsZMzoVQvQLHcOclm7/njNy1FTNCqI+HobP0fl7H4rN7Va4wpLsug/waets6uRvTu0Y/5SYP1bIKWrTTnGyahDYfPPF2I3SPNDUrmmzLS2c5n7/S0EzI0B/Qsf1TxMPHuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rcdLNxMTiuhHBm5TamdWtDKP+WVgVjARQaYxzkJkSto=; b=dZP4K37i9ho8jNGuHGqy6t0czGzgMBUl7v5fWZD2sIYIE6+RHAB4Y8R/s+zbadf9fNK51/OI0zslk77IuLdQ0ZNVG010sAW/do9QvXkfs+FRWN8tBasMPEIAlh5wSQcG7Kz4mWQPgIXHMXQ+x+onwLgN44+vS18Ehby/k8Gc9fduaAg46WFLUjBaVD7ukD7fNUAeHQdJ42rxdZlQQAC9SuKXnDmIpC3GLLmlTEsddO+PIDVofk/VmRgGwGzCyxKusv2rzXhbCAaMSoxbomQC9sSlyNksZ+tRfXR43vZUH2SxpvvlP6bjM6BxRjopjUexVtLulQYWHC0fgB4o2vUmyA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rcdLNxMTiuhHBm5TamdWtDKP+WVgVjARQaYxzkJkSto=; b=FG7mm88Gy1e8CC6C0mlMsNplo8wg/W784VgufrUTvmVwVoHlzgEsyP8ZVSzkVTMZNjdUACLGHLS41cW5ZHFqqmfJqgosaF+RLd6ZXzny+PPfliLjMMpnA/4OsCL5lUTVYMrt5vh5D2H0OXpciJWkDTHFfT6IOJX0R9//nlWKp2A=
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by DB9PR07MB9689.eurprd07.prod.outlook.com (2603:10a6:10:4ed::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.32; Tue, 5 Sep 2023 07:08:12 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::cf5e:848b:9613:bfd]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::cf5e:848b:9613:bfd%7]) with mapi id 15.20.6745.030; Tue, 5 Sep 2023 07:08:12 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Carsten Bormann <cabo@tzi.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
CC: "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [Lake] Clarifications regarding deterministic CBOR encoding needed?
Thread-Index: AQHZ3wXnkAo+IdeUN0ymnp7/BCY1qLAKjy2AgAE83yQ=
Date: Tue, 05 Sep 2023 07:08:11 +0000
Message-ID: <GVXPR07MB9678B27767E9FC30B3C33C5489E8A@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <GVXPR07MB96786E89654927055C14EE1D89E9A@GVXPR07MB9678.eurprd07.prod.outlook.com> <15EAB328-D576-4299-A600-3582B6157DA4@tzi.org>
In-Reply-To: <15EAB328-D576-4299-A600-3582B6157DA4@tzi.org>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|DB9PR07MB9689:EE_
x-ms-office365-filtering-correlation-id: 90ce873d-639f-4600-afae-08dbaddedde0
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3rZ/OumsI2uHNDb4bhZOj0E4UTSgO8PRl6gOOhBy38CWvd0NnniUggNxFoI4vBQqlJThDAt9PT0clsFn3jH1FradwlJtQhBTKgkvwOa5yBS1oXOkkoXu9QtPOywme+3+AO+jpCJ+20uM4x8CZ+2NZA5L/CVmtmV93Gv5SIcmmmi+3qV+es/hzezSRmq511Os9+47RXM+s6I3LwAt8qFbcsAuvVSYd6WL/NC4c8zF8XyIF/ZVsve3DqKKp4adw4vd4qM29FAiqoHYIIvrOWeiGL1hfYL7GOnS63pHrmEZ/Tij80n0Yg4l9A2k8FvduaHLTFdMfcImmV3Gcd0zmAjKDKjDF2bjY7sxYkYakRYenN9FI14WgNNVyenwKflixE91YGh7zzinNXmWTf2x4AQhWRbwe9HG38nNwiODoDThz3LIF/tuvNDLd4ry9FMYv2fdBYbPnW51ueEgcz2homARxQNcRE/con6XNaNeVWd62yX3uXcOwiNhb3Teed4Nt+Jsv1GhB3IujiEZ/Z7G7rfWVoaTfZclH21LeDc1pfpmv7gaieS5TFXcy0k8pTBdwTIgPhrO449U8eg+ZbCjy8ZqhHFNaz7Kh33mKj4aXYodUU3v/w1GJFAzOOccrEiFlnw1J6UOaSdH6NxiLFy3d3PAe4MirpcS+2OLYcHMIbqySxE1jhYl4+ZhA1wE7XSmZEe3
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVXPR07MB9678.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(366004)(346002)(136003)(396003)(376002)(451199024)(1800799009)(186009)(966005)(41300700001)(8936002)(55016003)(83380400001)(21615005)(44832011)(478600001)(2906002)(71200400001)(76116006)(5660300002)(66946007)(8676002)(110136005)(4326008)(66446008)(52536014)(66476007)(66556008)(64756008)(316002)(9686003)(53546011)(6506007)(7696005)(26005)(38100700002)(166002)(38070700005)(122000001)(82960400001)(33656002)(86362001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: TR8WjzgQGHelAtFXaivLi6fz9VorEryklPPErvqwkhiHHigl8SrHja8FPZljV71Yuf+P21IXpzNsU6LJIU7quD8f2k6h4jZkTIp4IGZ2fPmBzzfi17qZs3OKEn84Cnpwpyu52qGfSYqDvzXGsfjcnEM4GFQxnIEQOKhDx0XksJJJ5hW1UT3WGgNJDjMQprxenzCzV8xQLz1MESEgO7bm1wVqkrDuTKrw5ZNGw/lj6TDI3TmS2ZW7OIoZC8+cKV2+8aaJDaFkPOZvDscLxBF5vIxthJMQwbgv+527JBD9ug7B7Ih0+1LiSIGrpxMipxk0XWvG+d40xnTOJZPPC0m2eAqMOVhZc+f5jdEH9Syzns0fjyK9syZ/4/zokkReTuMXypT48TUhFQcd3mFbvUswO7I55PLFED9s87TqHbb95wylwvAtF/Z4XyAo8fl4RvQtdYJFcRL3mvuVUXUBzski6PkVQM621qjpl+KTjzyRodeLz+CqjxB/BN1STuyFYdZtshcqI3rw3T4tDkTNFUxD8Wo+WPYOr1h5gsQVqRBD0uvs0ga1GDdZo6BTgFDrHmcMIXyr2DLrt+Wm5RWlZYRWCr94+p0FEnbi3jCvjFVUIwD2bBlRHNCINy3ihaRh1eIUTYXEARdiMhFLP8uRBov2957pQUIW4wgAgoKahWOuWEmv5surH1PKRt7o+ejbN4s4oQn0sDg6xRsBiNMrPszmz4JIQC5gMHbjnJRUeOO1VOGZABFeNSex7++8vXinIki8qEaRTKeyAUs3GM2+r9XlPpbMSReQGRLKFYT+0MqV+7L8jFXZYsR72hTCTQTmuTlZRBwswUnQw0Ld76hxca3ZvwEcQGIbliI/hWn3BLCPQOEKNwA/Sjb78rpvzv24EptmA+E6IveSroGGvTzxUq2njg75DS1Z34TBKFH09FURIrUwziEqJ++t0U8ZhNYrS31li3fgoV9lM8W62kb3BqFzf/LYwdivJlwcqQquOELfKuHQ8J0EyGtMlpmA1LMUWjhSv1ttdSxhNLaglR71sqYu/jzg9qUN8ZbEu3URCGh5apb4Pm6JezQxhL5/JWWWVhFUhseu+xUd2nWeScSAQbQhJTvBztSBDr0fl9leSbEZMq2P1q8moUycoA41040D6Rq/jepvV6seeMMSHIORSZYGGKAanS3fbSxiu1OMejMQcAR8ck70XBI1bo0EXdPTOlkZWCtH8b+8M+rE5EGUsLRFP0qDU3yMxrhxMm5iTYtMqKH8nJtR6AU29bIRsUaPcKEyacH4cibzW3aneCL4dav4Q+t2G+HNxEXXcaI6UTAuH5xW/xAccVDqcVueqOKDBtXQyQqR9mHC9tJfOISF7qoj30bfZ4Gz6XKoMHBmeRvqXF7j61eVbx6/wRlu6txvPZcneFiIr62JAjwq3hO6eIpNppZrW15PWYNs+ExbfT//57YGMTOBM8CZhIYS8whN8ZkfDrwyPwvAyXaUTTxyZB/3BFgmSEbzbGNPnls0wPEjxC9cdcZ3ZdBuIu1yVoYGG3DVEnvZh5whwn0Ev2mNfe/TwDW4Nk3qiCqgTwwJcEF/YnBWf0QpOl7vQ8sXtg340vWWPJ4ahpf1NbVqW+Hko2U867QktCUTdoeiBFUaQOlJfV0=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB9678B27767E9FC30B3C33C5489E8AGVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 90ce873d-639f-4600-afae-08dbaddedde0
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Sep 2023 07:08:11.9764 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TgS7Sw/7T/4FGBrGgKU3TKoGd5MQXo/heMKbr1WjHOyvLE3nqvaKKNbu4j81w1cJ7hkdc59kiOJbprRF1C9uKD5Oddp6kP5n/zwuSsifejQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR07MB9689
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/tg-p31UAdWywEPHBN4P6OlYf92M>
Subject: Re: [Lake] Clarifications regarding deterministic CBOR encoding needed?
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Sep 2023 07:08:19 -0000
Hi Carsten, Thanks for the clarifications regarding 4.2.1, 4.2.2, 4.2.3, and dCBOR. That helped. >I don’t know where you need to want deterministic encoding for EDHOC Deterministic encoding is already there. It was added based on feedback from the formal verification, but I don’t think there is a strong security need for it. The biggest win is probably to make clear that 64-bit argument encodings and indefinite-length encodings does not have to be supported. >> - I note that there is no normative RFC2119 terms to use deterministic CBOR, but there is a SHOULD abort. This is a bit strange. > >If you need deterministic encoding for correctness (like, e.g., COSE does for its signing inputs), this needs to be a MUST. The basic rule is that you take what you get on the wire without re-encoding and things just work. I was thinking that the normative “It is RECOMMENDED to abort the EDHOC session if the received EDHOC message is not encoded using deterministic CBOR” could/should maybe be softened. Forcing implementations to check that received maps are ordered seems complex. I also noted that we are missing clear text on MUST abort if public key validation fails. OLD: When parsing a received EDHOC message, implementations MUST abort the EDHOC session if the message does not comply with the CDDL for that message. It is RECOMMENDED to abort the EDHOC session if the received EDHOC message is not encoded using deterministic CBOR. NEW: When parsing a received EDHOC message, implementations MUST abort the EDHOC session if the message does not comply with the CDDL for that message. Implementations MAY abort the EDHOC session if the received EDHOC message is not encoded using deterministic CBOR. Implementations MUST abort the EDHOC session if validation of a received public key fails. Cheers, John From: Lake <lake-bounces@ietf.org> on behalf of Carsten Bormann <cabo@tzi.org> Date: Monday, 4 September 2023 at 13:55 To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> Cc: lake@ietf.org <lake@ietf.org> Subject: Re: [Lake] Clarifications regarding deterministic CBOR encoding needed? Hi John, I’m not sure I understand all of this (I don’t know where you need to want deterministic encoding for EDHOC), but here is my quick feedback before I go on vacation: > On 2023-09-04, at 10:02, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote: > > Some notes and thoughts: > > - The sentence in 3.1 should be changed to "encoded using deterministic encoded CBOR as specified in Section 4.2.1 of [RFC8949]." With randomized algorithms, EDHOC is not deterministic. > - I don't think 4.2.2 of [RFC8949] is relevant for EDHOC. I suggest only refering to 4.2.1. Stating that 4.2.2. is not relevant and that 4.2.3 shall not be used. dCBOR is not references and not needed here. 4.2.2 discusses deteriministic encoding of Tags and floating point values, as well as some application considerations for these. I don’t think these are relevant for EDHOC. 4.2.3 is a legacy variant that indeed should not be used. So referring to 4.2.1 is what you need if you want deterministic encoding for EDHOC. The dCBOR proposal is some entirely different and not relevant here. > - Deterministic CBOR encoding affects all integers and all maps. Maps occur in ID_CRED_x and CRED_x. (Not just integers, also arguments for strings, arrays and maps.) > - I note that there is no normative RFC2119 terms to use deterministic CBOR, but there is a SHOULD abort. This is a bit strange. If you need deterministic encoding for correctness (like, e.g., COSE does for its signing inputs), this needs to be a MUST. > - The reason deterministic CBOR was introduces was to limit an attackers possibilities in the case the hash funtion has weaknesses. Does deterministic encoding cause implementation complexity? Not sure it makes sense to mandate if the ECDSA signatures are randomized anyway. Deterministic encoding is useful if you compute a serialized data item from some other data and want all participants to arrive at the same serialized bytes before, e.g., signing/checking a signature. > - It is not clear when a CCS is deterministicly encoded. That should be fixed. My understanding is > - EDHOC does not mandate deterministic encoding of the kccs value > - When receiving a kccs the kccs value is used as CRED_x without reencoding. > - When identifying a CCS with a kid and there is risk for different encodings, both sides need to encode deterministically. I’m not sure I understand this case. Does a kid identify a CCS in a serialized form, or do you deserialize/serialize before using the CCS for some crypto operation? In the latter case, you probably need deterministic encoding, but you also have to take care of CCS-specific serialization decisions (e.g., int or float for timestamps/NumericDate). If CCS needs to be deterministically encoded and NumericDate can be floating point values, you need Section 4.2.2 Bullet 2 Item 2. https://www.ietf.org/archive/id/draft-bormann-cbor-det-01.html …is a backgrounder on deterministic encoding, and Section 2 of https://www.ietf.org/archive/id/draft-bormann-cbor-dcbor-03.html#name-common-cbor-deterministic-e …actually is not about dCBOR, but about a common way to make decisions about deterministic encoding beyond Section 4.2.1 of RFC 8949. Grüße, Carsten -- Lake mailing list Lake@ietf.org https://www.ietf.org/mailman/listinfo/lake
- [Lake] Clarifications regarding deterministic CBO… John Mattsson
- Re: [Lake] Clarifications regarding deterministic… Carsten Bormann
- Re: [Lake] Clarifications regarding deterministic… John Mattsson