Re: [secdir] SECDIR review of draft-ietf-jones-cose-rsa-03
Mike Jones <Michael.Jones@microsoft.com> Fri, 16 June 2017 02:15 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BCEF129404 for <secdir@ietfa.amsl.com>; Thu, 15 Jun 2017 19:15:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EdGogTZd60tC for <secdir@ietfa.amsl.com>; Thu, 15 Jun 2017 19:15:50 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0118.outbound.protection.outlook.com [104.47.33.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0AB2127871 for <secdir@ietf.org>; Thu, 15 Jun 2017 19:15:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Bo98rZfXjJd5HSQ0UYzGIPQI+CjMWOS/ktbCqBw2dhA=; b=J4UXyX0wp+THmZznu8SHRk0vk1RFqwqZA/oNaLaWV+meg+KO3gsWzWoHAvytlut21+tA/SlSOX+GESuIq4Kct31JyGHXXBxuNUMBWO8S+LqPh60dhrZfnBf4uKfBDBpn15Irns/d1Q84h/9gMRGvogFKF/5/1tOOKg/vYjVGb5I=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0119.namprd21.prod.outlook.com (10.173.189.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1199.3; Fri, 16 Jun 2017 02:15:47 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1199.007; Fri, 16 Jun 2017 02:15:47 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Steve KENT <steve.kent@raytheon.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Eric Rescorla <ekr@rtfm.com>, "secdir@mit.edu" <secdir@mit.edu>
Thread-Topic: SECDIR review of draft-ietf-jones-cose-rsa-03
Thread-Index: AQHS2VoBpt0pt0IJLE6kGvr040XfZKIR/WjggAE84GqAE581MA==
Date: Fri, 16 Jun 2017 02:15:46 +0000
Message-ID: <CY4PR21MB0504FD6F8A39CEBF51CCEEABF5C10@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <13f9d58aea3e4c49aa8367f7eac63d79@CY1PR0601MB023.008f.mgd2.msft.net>, <CY4PR21MB050431BAEB6D80A4DD0D96E4F5F70@CY4PR21MB0504.namprd21.prod.outlook.com> <2a6e1bfad8814c9ca9d0b5ba1a3f457a@CY1PR0601MB023.008f.mgd2.msft.net>
In-Reply-To: <2a6e1bfad8814c9ca9d0b5ba1a3f457a@CY1PR0601MB023.008f.mgd2.msft.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Ref=https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetBy=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-06-15T19:15:45.8253896-07:00; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
authentication-results: raytheon.com; dkim=none (message not signed) header.d=none; raytheon.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:9::5ef]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0119; 7:KrEutSRWrKLZrrA0OxEFoCeHUMjun3lQ6Cxu5eFGWfHG5q75qLdl3TAVsD1OzOHnknsG/LoLezwDwwMvWBTS8qkOkslCVnszfETZbs4XkNXjuQIIbZORLK5I6qVbedO1Fl2IqMN8cVnwaX/nNOChB1ukytyQbJn6BGknMsZT+Lmzy9I0914rFdvJfAPD+YoG2lzaRsrIPYc/Em1lsla3Q2mz3mf3NXLe7CKwkuMWz8WCLaRXVvmw1LCrhSVGlg5Nrt2dP24frk2cxR49tH1WJ+X/fNiLMDJlTyplqvzk81SV3DAAhpoCBFzA/0q7b+R16LvSgAyF5wDOaB7JstwvU2LyANoZiCzgQRFNa9ziT2GiQjdshGWpP3cQ/J3gm/Xdl8OfBTTlIzcO3dYjxOJHLDC+9XTsYhawsCQ+u6sF3mN4rKT6f4Cbzg73/IPes/n14sDHLFxn/uCLqZjMQ3SGPCFX1EWGyX/ccNe91HHffw4r4cQuLHgp0Qpz7Z88Rk0tMhOdLYSU/8Vdn+/IaSfyV7NhhRYVC2sbst17JJHOa0AR6Yabki07f5kZfwQA6Je0xoLY6gCZMe7OxFxjS4ofe9MJW4khdssjxYBgsVFeLVNHk4hXwo8EHSvIvLV3gQ1p8EkHqPx8IrB/jX3TFI1H5gC+146mYLvmj8SnBMfseiRUfd/JhTqIQXsIjezGJvg+raS4RqMmPUKPSGiX16V4bSz73g2Hb9odo9eqqRqQ91wq0fJOnlkVg1gpW7m19wmyiBn223QfOnqkQvW2vbpJfR/UPQRGB0uAudt6wj2PjrNe8PrT+UzxvmVGiFaZzFNk
x-ms-office365-filtering-correlation-id: 484f6769-bebe-40c5-58f9-08d4b45d99d1
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500039)(300135000095)(300000501039)(300135300095)(300000502039)(300135100095)(22001)(2017030254075)(48565401081)(300000503039)(300135400095)(201703131423075)(201703031133081)(201702281549075)(300000504039)(300135200095)(300000505039)(300135600095)(300000506035)(300135500095); SRVR:CY4PR21MB0119;
x-ms-traffictypediagnostic: CY4PR21MB0119:
x-microsoft-antispam-prvs: <CY4PR21MB0119033C235AD719ED704ABFF5C10@CY4PR21MB0119.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(278428928389397)(192374486261705)(31418570063057)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(61425038)(6040450)(601004)(2401047)(8121501046)(5005006)(93006095)(93001095)(10201501046)(100000703101)(100105400095)(3002001)(6055026)(61426038)(61427038)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123555025)(20161123562025)(20161123560025)(20161123564025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR21MB0119; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR21MB0119;
x-forefront-prvs: 0340850FCD
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39850400002)(39400400002)(39410400002)(39840400002)(39860400002)(39450400003)(209900001)(43784003)(377454003)(790700001)(25786009)(606005)(189998001)(2501003)(6436002)(14454004)(53546009)(2906002)(10090500001)(86612001)(5005710100001)(86362001)(8990500004)(4326008)(3660700001)(3280700002)(33656002)(584604001)(39060400002)(6116002)(8936002)(81166006)(122556002)(229853002)(6246003)(6306002)(54896002)(7696004)(53936002)(76176999)(8676002)(2900100001)(102836003)(50986999)(54356999)(230783001)(7906003)(54906002)(72206003)(99286003)(38730400002)(10290500003)(478600001)(966005)(55016002)(2950100002)(5660300001)(7736002)(236005)(77096006)(74316002)(9686003)(53376002)(6506006)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0119; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504FD6F8A39CEBF51CCEEABF5C10CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jun 2017 02:15:47.0112 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0119
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/JGnRmR63EH-QlDjGbe1nfOABj-E>
Subject: Re: [secdir] SECDIR review of draft-ietf-jones-cose-rsa-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2017 02:15:54 -0000
https://tools.ietf.org/html/draft-jones-cose-rsa-04 contains the changes we discussed, Steve. Thanks again for the useful review! -- Mike P.S. I also thanked you in the publication announcement at http://self-issued.info/?p=1697 and as @selfissued<https://twitter.com/selfissued>. From: Steve KENT [mailto:steve.kent@raytheon.com] Sent: Saturday, June 3, 2017 7:36 AM To: Mike Jones <Michael.Jones@microsoft.com>; secdir@mit.edu Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Subject: Re: SECDIR review of draft-ietf-jones-cose-rsa-03 Mike, I think the text you cited re "trust criteria" is good. Yes, let's see what the CFRG suggests re a reference. deleting the last sentence in 6.3 work for me. Steve ________________________________ From: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> Sent: Friday, June 2, 2017 4:14:28 PM To: Steve KENT; secdir@mit.edu<mailto:secdir@mit.edu> Cc: Kathleen Moriarty Subject: RE: SECDIR review of draft-ietf-jones-cose-rsa-03 Thanks for your useful review, Steve. Replies are inline below... From: Steve KENT [mailto:steve.kent@raytheon.com] Sent: Tuesday, May 30, 2017 8:34 AM To: secdir@mit.edu<mailto:secdir@mit.edu> Cc: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> Subject: SECDIR review of draft-ietf-jones-cose-rsa-03 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines algorithm encodings and representations for using RSA algorithms in the context of COSE messages (draft-ietf-cose-msg). Encodings for the use of RSASSA-PSS signatures, RSAES-OAEP encryption, and RSA keys are specified in this document. This is a very brief document, only 8 pages, including the usual RFC boilerplate. Most of the document consists of tables specifying the numeric values assigned to RSA algorithms (and parameters thereof) used for encryption and signing in the COSE message context. Section 2 defines the parameters for RSASSA-PSS, appropriately citing RFC 3447. Section 3 provides analogous specs for RSAES-OAEP. Section 4 defines RSA key pair parameter identifiers, including support for multi-prime RSA keys, based on conventions described in RFC 3447. Security Considerations are the topic of Section 6. Section 6.1 establishes 2K bit keys as a minimum SHOULD size, but also establishes 16K keys as a maximum SHOULD. The text notes that very large keys create a possible DoS attack surface, and it suggests (lower case "recommend") that a size check be performed before beginning crypto operations. The final paragraph of this subsection includes text that does not seems very useful, as it is too vague. Specifically it says "...no cryptography would be done except with keys of legitimate parties." The term "legitimate" is too vague to be useful. Does it mean that only keys extracted from verified public key certificates or acquired through trusted channels are to be employed? The second countermeasure noted here, i.e., that applications can specified maximum as well as minimum key sizes, seems much more useful. Rather than talking about "legitimate participants", how about I instead talk about "parties trusted by the recipient" or possibly "after making a trust decision about the key"? The notion is that you should only perform crypto after making a trust decision about the key. This concept is further spelled out in Appendix D (Notes on Key Selection) of RFC 7515 (https://tools.ietf.org/html/rfc7515#appendix-D) as: 4. Make trust decisions about the keys. Signatures made with keys not meeting the application's trust criteria would not be accepted. Such criteria might include, but is not limited to, the source of the key, whether the TLS certificate validates for keys retrieved from URLs, whether a key in an X.509 certificate is backed by a valid certificate chain, and other information known by the application. Section 6.2 opens with the following statement: "There is a theoretical hash substitution attack that can be mounted against RSASSA-PSS." This sentence should include a reference to a paper that describes this attack. I've asked the CFRG for a reference. We'll see what they come up with. I'm thinking that it might also be valuable to add this Security Considerations text about RSASSA-PSS from Section 8.3 of RFC 7518 (https://tools.ietf.org/html/rfc7518#section-8.3): Keys used with RSAES-PKCS1-v1_5 must follow the constraints in Section 7.2 of RFC 3447<https://tools.ietf.org/html/rfc3447#section-7.2>. Also, keys with a low public key exponent value, as described in Section 3<https://tools.ietf.org/html/rfc7518#section-3> of "Twenty Years of Attacks on the RSA Cryptosystem" [Boneh99<https://tools.ietf.org/html/rfc7518#ref-Boneh99>], must not be used. Similarly, the closing sentence of Section 6.3 also would benefit from a reference to a paper that supports the author's assertion that using SHA-1 in this context does not enable any (known) attacks. I'm actually thinking that that this sentence should just be deleted, as I doubt that any supporting references can be found - for the simple reason that you typically can't prove a negative, nor would anybody likely publish saying "There are no practical attacks yet." Since researchers wouldn't publish this, I probably shouldn't say it in an RFC either. Thanks again, -- Mike