IETF Logo Mail Archive

Re: [saag] ASN.1 vs. DER Encoding

"Dr. Pala" <madwolf@openca.org> Tue, 26 March 2019 23:36 UTC

Return-Path: <madwolf@openca.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 923B412012E for <saag@ietfa.amsl.com>; Tue, 26 Mar 2019 16:36:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HK_NAME_DR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U6QG3hzgfuBn for <saag@ietfa.amsl.com>; Tue, 26 Mar 2019 16:36:17 -0700 (PDT)
Received: from mail.katezarealty.com (mail.katezarealty.com [104.168.158.213]) by ietfa.amsl.com (Postfix) with ESMTP id 8ACD5120126 for <saag@ietf.org>; Tue, 26 Mar 2019 16:36:17 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mail.katezarealty.com (Postfix) with ESMTP id 3BCFB374128E for <saag@ietf.org>; Tue, 26 Mar 2019 23:36:17 +0000 (UTC)
X-Virus-Scanned: amavisd-new at katezarealty.com
Received: from mail.katezarealty.com ([127.0.0.1]) by localhost (mail.katezarealty.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id TrTvjbrwAycz for <saag@ietf.org>; Tue, 26 Mar 2019 19:36:16 -0400 (EDT)
Received: from Maxs-MacBook-Pro.local (unknown [62.168.35.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id 260613740F7B for <saag@ietf.org>; Tue, 26 Mar 2019 19:36:10 -0400 (EDT)
To: saag@ietf.org
References: <21dec229-5b5c-8d52-6817-edac2e39ceec@openca.org> <20198.1553629138@dooku.sandelman.ca> <20190326200103.GR3822@straasha.imrryr.org> <D8BFFE5D.D8084%carl@redhoundsoftware.com> <20190326222740.GE4211@localhost>
From: "Dr. Pala" <madwolf@openca.org>
Message-ID: <46912a6f-cfb9-c682-b438-27863a91a486@openca.org>
Date: Wed, 27 Mar 2019 00:36:06 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <20190326222740.GE4211@localhost>
Content-Type: multipart/alternative; boundary="------------CFA303963D744A692DEE6E1E"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/6UgQGyBKJHyqPkyTdchKuNBAP3E>
Subject: Re: [saag] ASN.1 vs. DER Encoding
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 23:36:21 -0000

Hi Nico, all,

thanks to everybody for your messages - I think the conversation is very 
interesting. A complier for TCP/IP packet parser is really an 
interesting idea :D But only if we (just a joke, do not kill me!) use 
ASN.1 and define a TIED (TCP/IP Encoding Rules) :D

Back to be serious... At the end of this thread, you ask "/why build a 
new one/" ?

I think, but there might be other reasons I am not aware of, that the 
main argument was to save few hundreds bytes per certificate (but the 
first step was to change your certificates' profile as an interim 
solution - which in many environments you can not really do for many 
reasons.

... and this consideration reminds me about an observation that I have 
not brought up during the meeting, but I should have: the current trend 
in cryptography seems to be oriented towards the need to use larger 
structures (signatures and keys) to cryptographically authenticate data 
(e.g., certificates, etc.). I think that ECC was a pleasant aberration 
from this point of view that made everybody think we discovered gold - 
same or increased security at a fraction of the price! That is great - 
and we are all very happy we can now use a quite efficient 
crypto-systems like ECC. However, I think, things are going to change: 
most of the quantum-resistant algorithms come with increased signature 
and/or key sizes (up to 40K for signatures in some cases) or with new 
usage paradigms (stateful keys) that are not trivial to handle.

Besides the fact that I am all for being more efficient - the added 
efficiency (that frees more resources that can be dedicated to other 
tasks) can be leveraged to increase security and/or to provide more 
services without incurring in additional costs. However, my fear is that 
people will start to feel "comfortable" with the idea that the size of 
authentication data is very small and will start designing systems that 
do not take in consideration the envisioned evolution of crypto 
algorithms... leading to some inevitable disaster down the road.

In this view, maybe pushing for such an herculean effort to save few 
hundred bytes per certificate might come with costs so high (in terms of 
the needed changes to support the new format(s)) that would not justify 
its deployment, IMHO.

Last consideration about "This is why we hate DER, and we like 
CDDL/CBOR." statement - I think that each format has its own merits and 
downfalls (even the amount of code that exists out there that supports a 
format can be seen as a merit) and it is up to us to provide good 
indications about when and where the different formats make sense (i.e., 
it depends on the environment). For example, in most of my application 
the CDDL/CBOR approach would not be secure enough because of the 
"relaxed" nature of the parsers - but that is just one environment, 
other environments might have different reasons to deploy/use this 
format based on their requirements.

Bottom line I would say rephrase your statement to "In our 
environment/ecosystem DER is not the right choice because of these 
reasons ... the pair CDDL/CBOR, on the other hand, satisfies these 
requirements because .... "

Thanks again to everybody for the interesting discussion :D

Cheers,
Max


On 3/26/19 11:27 PM, Nico Williams wrote:
> On Tue, Mar 26, 2019 at 04:08:58PM -0400, Carl Wallace wrote:
>>>> This is why we hate DER, and we like CDDL/CBOR.
>>> Whatever the abstract syntax, the real solution is probably more
>>> widely available/used compilers.  Hand-rolled codecs will have more
>>> (frequent and subtle) bugs.
>> Fully agree with this. The first time I had to consume CBOR/COSE the
>> encoded structures were every bit as buggy as folks complain about DER/CMS
>> structures.
> I recently had to review a hand-rolled codec by a seasoned developer.
> It had a number of fatal security bugs, exactly as one might have
> expected (as I did, going in).  Hand-coding codecs is simply very
> difficult.  It's easier when you have "bits on the wire" specifications,
> like TCP/IP, or when you have XDR specifications.
>
> No one uses a compiler to generate TCP/IP packet parsers, though this
> is first and foremost a result of not having anything like a
> machine-readable formal language specification for TCP/IP packet
> headers.
>
> XDR is so darned obvious and simple that in Heimdal we have just library
> functions for it and simply don't have or need a compiler.  The
> traditional XDR compiler, rpcgen, is also very limited, so generally XDR
> codecs are hand-coded using well-maintained and well-tested libraries
> that make it easy.
>
> Something similar can be said of SSHv2's encoding rules.
>
> The ASN.1 packed-like encoding rules are XDR-like, though with 1-octet
> instead of 4-octet alignment -- these too are easier to hand-code, but
> because there's often an escape to BER (e.g., for encoding of lengths of
> fields that cannot have fixed lengths, or encoding OIDs), it's still
> tricky by comparison to XDR.
>
> But it is a very strong truism that, whatever the encoding rules, having
> a compiler for an abstract syntax that generates codecs with usable APIs
> and characteristics, is inordinately easier, safer, and less time-
> consuming than hand-rolling a codec for any encoding rules.
>
> It is also a strong truism that simple syntaxes with simple encodings
> admit safer hand-coding of codecs, but also that, by being informal,
> also typically preclude compilation.
>
> I would and do accept informal syntaxes and encoding rules for protocols
> like SSHv2, or TLS, because a) it's already done, b) the messages are
> simple enough, c) it's easy enough to build libraries that make mistakes
> unlikely, d) often the implementors do not believe they have access to
> proper tooling, e) having access to ASN.1 tooling doesn't help if the
> only ERs you get are TLV ones.
>
> CDDL is not an informal syntax.  For new formal syntaxes I have a higher
> bar just because it is very difficult to come up with something that
> ASN.1 does not already have -- unless there's a trivial mapping between
> the two.
>
> BTW, who can forget FastInfoSet?  That's... XML with transliteration to
> ASN.1 and application of PER as a compression of XML.  While XER is
> essentially the reverse: transliteration of ASN.1 to XML, with XML as
> the encoding rules.  These, for me, prove the point that syntaxes are
> likely interchangeable (so why build a new one?).
>
> Nico
-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo

v2.23.0 | Report a Bug | By Email