Re: [secdir] Secdir last call review of draft-ietf-cose-rfc8152bis-algs-08
Benjamin Kaduk <kaduk@mit.edu> Sun, 14 June 2020 05:04 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD3FC3A0A85 for <secdir@ietfa.amsl.com>; Sat, 13 Jun 2020 22:04:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5 tests=[RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bs5u_aIpY4af for <secdir@ietfa.amsl.com>; Sat, 13 Jun 2020 22:04:24 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E0523A0A84 for <secdir@ietf.org>; Sat, 13 Jun 2020 22:04:23 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 05E54DAT025943 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 14 Jun 2020 01:04:15 -0400
Date: Sat, 13 Jun 2020 22:04:13 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "secdir@ietf.org" <secdir@ietf.org>
Message-ID: <20200614050413.GH11992@kduck.mit.edu>
References: <159052818935.17307.5095159295288146706@ietfa.amsl.com> <041f01d635dd$ad489cf0$07d9d6d0$@augustcellars.com> <B03F352A-C595-477E-92EF-679739369E80@cisco.com> <835a6903f5204feab56d4f76901bb0e1@cert.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <835a6903f5204feab56d4f76901bb0e1@cert.org>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0Bnvwx0ZR5TMEtqJWOx1xSo3Xek>
Subject: Re: [secdir] Secdir last call review of draft-ietf-cose-rfc8152bis-algs-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jun 2020 05:04:26 -0000
Seconded, thanks Nancy and Jim for getting the right updates in place for the document. I entered a Discuss ballot only because I tried to follow the [MAC] reference and got something unexpected -- I want to make sure we've got the right thing there. Thanks, Ben On Tue, Jun 09, 2020 at 05:36:51PM +0000, Roman Danyliw wrote: > Hi Nancy, thank you for this review. > > Hi Jim, thank you for incorporating the feedback in -09 > > I entered a No Objection ballot. > > Regards, > Roman > > > -----Original Message----- > > From: Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com> > > Sent: Friday, May 29, 2020 1:49 PM > > To: Jim Schaad <ietf@augustcellars.com>; secdir@ietf.org > > Cc: cose@ietf.org; last-call@ietf.org; draft-ietf-cose-rfc8152bis- > > algs.all@ietf.org > > Subject: Re: Secdir last call review of draft-ietf-cose-rfc8152bis-algs-08 > > > > Hi Jim, > > Thanks for addressing the comments! Answers below: > > > > On 5/29/20, 10:22 AM, "Jim Schaad" <ietf@augustcellars.com> wrote: > > > > Hi Nancy, > > > > Comments inline. > > > > Jim > > > > > > -----Original Message----- > > From: Nancy Cam-Winget via Datatracker <noreply@ietf.org> > > Sent: Tuesday, May 26, 2020 2:23 PM > > To: secdir@ietf.org > > Cc: cose@ietf.org; last-call@ietf.org; draft-ietf-cose-rfc8152bis- > > algs.all@ietf.org > > Subject: Secdir last call review of draft-ietf-cose-rfc8152bis-algs-08 > > > > Reviewer: Nancy Cam-Winget > > Review result: Has Nits > > > > IOTDIR review of draft-ietf-cose-rfc8152bis-algs-08 > > > > Reviewer: Nancy Cam-Winget > > > > I have reviewed this document as part of the security directorate'sÊ ongoing > > effort to review all IETF documents being processed by theÊ IESG.ÊÊThese > > comments were written primarily for the benefit of theÊ security area > > directors.ÊÊDocument editors and WG chairs should treatÊ these comments > > just like any other last call comments. > > > > This document describes an initial set of cryptographic algorithms used to > > protect CBOR, I believe this document is almost ready, barring some editorial > > nits (I only made a few below). In general, the description of the "initial" > > set of algorithms used in COSE make sense and it is good to see each section > > carry their own security section for better mapping of the considerations based > > on the security algorithm applied. As a reader (like myself) who is not fully > > versant to the nuances of CBOR it was a little hard to follow as the structures > > and taxonomy is described in the companion draft (draft-ietf-cose-rfc8152bis- > > struct). As a whole, I think the document is close to ready, I only noted a few > > technical and editorial nits for the earlier sections below: > > > > Section 2.1: > > - What field does the ECDSA algorithm value map to? I presume it is the 'alg' > > field (if present)? But should be made explicit. - It seems that the "should" > > in the 4th paragraph is normative (e.g. SHOULD) as it is needed for > > interoperability, and perhaps even a MUST as I'm not seeing negotiation or > > selection of curve choice. So, if it is to be implicit, then a MUST would be more > > appropriate. > > [JLS] I have added text to section 1.3 (terminology) to describe the contents > > of the tables to make what the value is clearer. > > [NCW] Thanks, that will help. > > > > [JLS] There is no need to negotiate the curve as this is implicit from the size > > of the signature. That is P-256 is going to end up with two 256-bit values as > > the signature. One implication is that only a single curve of any given length > > can be assigned to ECDSA, thus the effort to use the Ed25519 curve with ECDSA > > requires a different identifier so that there is no confusion on what curve is > > being used. This means that the length of the hash algorithm is not part of this > > selection process. It is therefore possible to use SHA-256 with P-521 and SHA- > > 512 with P-256 (the hash value is truncated in this case). The only issue is that > > if a piece of hardware supports the P-256 curve then it might only support SHA- > > 256 and thus would not be able to validate a signature that uses SHA-512. > > There is no special security issue here, this is just a recommendation for making > > things more likely to succeed. This is the reason that it is not a 'SHOULD' or > > 'MUST' but is an 'suggested'. Does this both make things clearer and reduce > > the feeling on you part that a stronger statement is needed? > > [NCW] Agree that there is no security issue, it was more of breaking > > interoperability. I don't feel strongly either way, it was by the way it reads....if > > you want to ensure interoperability the it seems that stronger language would > > be needed (but that’s my personal bias). > > > > Section 2.2: > > - The rationaleThere may be some corner case in which there may be a very > > large > > (2K?) structure to be protected. It would be better to quantify "extremely > > large" or perhaps another/additional rationale for the need to ONLY do Pure > > edDSA is the intent for constrained devices not have enough memory to > > compute the block updates. > > > > [JLS] I don't know that I would consider a 2K message to be very large, I > > would expect a firmware update to be at least that large. The issue is that > > EdDSA needs to do two passes over the message, this means that the entire > > message needs to be held in memory. That would be limitation on what I > > would consider to be "extremely large". The presumption is that one is not > > going to try and create and stream the object out as this would also require a > > streaming processing on the recipient. If streaming is removed from the > > equation then there is no benefit not to use Pure EdDSA. This means that ones > > idea of large is going to be very device specific. I will not be surprised if some > > firmware packages do indirect signing, but the manifest description is still going > > to need to fit in memory. > > [NCW] 2Kbytes can seem very large to some IoT devices __. But your point is > > well taken...sorry if I was too nit-picky....as for guidance I personally prefer to > > have quantification (ranges). > > > > Section 4.1.1: > > - GCM's limitation for one encryption string is 2^39-256 e.g. not "a single > > key"....so sufficiently large for COSE! However, it does mean that the nonce > > MUST be unique for every encrypted message (e.g. the bullet before this one is > > correct). I think the limit for one key using GCM is based on the size of the > > nonce as it must be unique. > > [JLS] You are going to make me look this up again. However I think that this > > limit may end up being smaller with more modern analysis so going back and > > re--checking this is going to be worthwhile. It just will take a few days. > > [NCW] No worries, as an early adopter of GCM, I do recall that number being > > for a packet.... > > > > Section 4.2: > > - 'k' is the key size in bits (I presume), would be good to describe that before > > the table. > > [JLS] I changed the title of the column to 'Key Length' > > [NCW] Thanks. > > > > Editorial nits: > > Section 1.5 > > - The second sentence is hard to parse. Is it that the intermediate values > > used for debugging are represented in both a hex as well as a CBOR diagnostic > > notation format"? - Third sentence, is it that some examples were designed to > > fail (e.g. they are "failure test bases")? > > [JLS] I have updated this section. I think that this should solve your issues. > > <t> > > A GitHub project has been created at <https://github.com/cose- > > wg/Examples> that contains a set of testing examples as well. > > Each example is found in a JSON file that contains the inputs used to > > create the example, some of the intermediate values that can be used for > > debugging, and the output of the example. > > The results are encoded using both hexadecimal and CBOR diagnostic > > notation format. > > </t> > > <t> > > Some of the examples are designed to test failure case; these are > > clearly marked as such in the JSON file. > > If errors in the examples in this document are found, the examples on > > GitHub will be updated, and a note to that effect will be placed in the JSON file. > > </t> > > [NCW] Thank you, I can parse this better. > > > > Section 2.2: > > - The rationale for why Pure EdDSA is used only (vs. HashEdDSA) may leave > > more room for questions; as there may be some corner case in which there may > > be a very large (2K?) structure to be protected. For those that are in the > > healthcare sector (of IoT), I could see potential for large blocks and may wonder > > what qualifies as "extremely large". RFC 8032 speaks to HashEdDSA as > > providing better collision resilience...so am inclined to suggest to either remove > > this rationale or be more complete in justification. > > [JLS] See above. > > [NCW] OK > > > > Section 3.1 > > - 3rd paragraph: "Some recipient algorithms carry the key while others derive > > a key from secret data"....I think you mean "Some algorithms are used to > > transmit a key, e.g. key wrapping." "Carry the key", in this sentence leads me > > to imply it's the same key being used in the HMAC. > > [JLS] This is the same key that is being used in the HMAC algorithm. I have > > changed "carry" to "transport" because I think that is going to be clearer. > > [NCW] Yes, indeed, that makes it better. > > > > > > > > >
- [secdir] Secdir last call review of draft-ietf-co… Nancy Cam-Winget via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Jim Schaad
- Re: [secdir] Secdir last call review of draft-iet… Nancy Cam-Winget (ncamwing)
- Re: [secdir] Secdir last call review of draft-iet… Jim Schaad
- Re: [secdir] Secdir last call review of draft-iet… Nancy Cam-Winget (ncamwing)
- Re: [secdir] Secdir last call review of draft-iet… Roman Danyliw
- Re: [secdir] Secdir last call review of draft-iet… Benjamin Kaduk