Re: [secdir] Secdir last call review of draft-ietf-cose-aes-ctr-and-cbc-04

Daniel Migault <daniel.migault@ericsson.com> Tue, 16 May 2023 20:37 UTC

From: Daniel Migault <daniel.migault@ericsson.com>
To: Russ Housley <housley@vigilsec.com>
CC: IETF SecDir <secdir@ietf.org>, cose <cose@ietf.org>, "draft-ietf-cose-aes-ctr-and-cbc.all@ietf.org" <draft-ietf-cose-aes-ctr-and-cbc.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Date: Tue, 16 May 2023 20:37:35 +0000

Works for me. Thanks for addressing my comments.

Yours, 
Daniel

-----Original Message-----
From: Russ Housley <housley@vigilsec.com> 
Sent: May 16, 2023 3:28 PM
To: Daniel Migault <daniel.migault@ericsson.com>
Cc: IETF SecDir <secdir@ietf.org>; cose <cose@ietf.org>; draft-ietf-cose-aes-ctr-and-cbc.all@ietf.org; last-call@ietf.org
Subject: Re: [secdir] Secdir last call review of draft-ietf-cose-aes-ctr-and-cbc-04



> On May 16, 2023, at 2:22 PM, Daniel Migault via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Daniel Migault
> Review result: Ready
> 
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG. These comments were written primarily for the benefit of the 
> security area directors. Document editors and WG chairs should treat 
> these comments just like any other
> 
> section 4 AES counter mode
> 
> In "AES encryption of (IV +1) mod 2^128" I am wondering if "mod 2^128" 
> is needed as I see the encryption returning a 128-bit block. That said, 
> we understand why it is there; it is more that I am curious whether there is any reason.

If the IV is zero, then the "mod 2^128" has no impact.  If you start with another value, it needs to wrap.

> I am also wondering if we should mention the IV + i is called the 
> counter block as this is mentioned in section 8.

Okay.  I think the following does the job:

   AES-CTR has many properties that make it an attractive COSE Content
   Encryption algorithm.  AES-CTR uses the AES block cipher to create a
   stream cipher.  Data is encrypted and decrypted by XORing with the
   key stream produced by AES encrypting sequential IV block values,
   called counter blocks.  The first block of the key stream is the AES
   encryption of the IV, the second block of the key stream is the AES
   encryption of (IV + 1) mod 2^128, the third block of the key stream
   is the AES encryption of (IV + 2) mod 2^128, and so on.  AES-CTR is
   easy to implement, and AES-CTR can be pipelined and parallelized.
   AES-CTR also supports key stream precomputation.  Sending of the IV
   is the only source of expansion because the plaintext and ciphertext
   are the same size.

> The following text sounded cryptic to me until I reached section 6. I 
> suspect that adding a reference to section 6 might be useful. The same 
> comment applies for CBC.
> 
> """
> Since AES-CTR cannot provide integrity protection for external 
> additional authenticated data, the decryptor MUST ensure that no 
> external additional authenticated data was supplied.
> """

I suggest:

   Since AES-CTR cannot provide integrity protection for external
   additional authenticated data, the decryptor MUST ensure that no
   external additional authenticated data was supplied.  See Section 6.

and:

   Since AES-CBC cannot provide integrity protection for external
   additional authenticated data, the decryptor MUST ensure that no
   external additional authenticated data was supplied.  See Section 6.

> section 4.2.  AES-CTR COSE Algorithm Identifiers
> 
> In the title “Algoritm” needs to be changed.

Fixed.

> It is surprising to define a "Deprecated", but the note provides the rationale.
> I am wondering if that rationale could be also mentioned in the IANA 
> page - this is just a suggestion.

This has been discussed on the thread with Rob Wilton.  Not sure where that will land yet.

> section 5.  AES Cipher Block Chaining Mode
> 
> I believe that another reason for using integrity protection is the 
> vulnerability to padding oracles.

When CBC decryption returns an "invalid padding" error instead of a generic "decryption failed" error, then an attacker can gain a lot of information.  It is better to not distinguish between these two error cases.

Russ
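The counter-block construction discussed above (AES encryption of (IV + i) mod 2^128), as an added Go example that is not part of the draft or of this thread: it derives the key stream by hand from the draft's description, makes the wrap visible with an all-0xFF IV, and checks the result against the Go standard library's CTR mode. The 16-byte key is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/big"
)

// counterBlock returns (iv + i) mod 2^128 as a 16-byte big-endian block,
// the i-th counter block in the draft text quoted above.
func counterBlock(iv []byte, i uint64) []byte {
	ctr := new(big.Int).SetBytes(iv)
	ctr.Add(ctr, new(big.Int).SetUint64(i))
	ctr.Mod(ctr, new(big.Int).Lsh(big.NewInt(1), 128)) // the "mod 2^128" wrap
	return ctr.FillBytes(make([]byte, aes.BlockSize))
}

// ctrKeystream builds the key stream exactly as the draft describes it: the
// AES encryptions of IV, (IV+1) mod 2^128, (IV+2) mod 2^128, ... concatenated.
func ctrKeystream(block cipher.Block, iv []byte, nblocks int) []byte {
	out := make([]byte, nblocks*aes.BlockSize)
	for i := 0; i < nblocks; i++ {
		block.Encrypt(out[i*aes.BlockSize:], counterBlock(iv, uint64(i)))
	}
	return out
}

// libraryKeystream recovers the key stream from the standard library's CTR
// mode by encrypting all-zero bytes: XOR with zero leaves the key stream.
func libraryKeystream(block cipher.Block, iv []byte, nblocks int) []byte {
	out := make([]byte, nblocks*aes.BlockSize) // all zero: the "plaintext"
	cipher.NewCTR(block, iv).XORKeyStream(out, out)
	return out
}

func main() {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed AES-128 key
	if err != nil {
		panic(err)
	}
	// An all-0xFF IV makes the wrap visible: the second key stream block encrypts
	// (2^128 - 1 + 1) mod 2^128 = 0, the third encrypts 1. With IV = 0 the modulus never acts.
	iv := bytes.Repeat([]byte{0xff}, aes.BlockSize)
	fmt.Printf("counter block 1: %x\ncounter block 2: %x\n", counterBlock(iv, 1), counterBlock(iv, 2))
	fmt.Println("draft description matches crypto/cipher CTR:",
		bytes.Equal(ctrKeystream(block, iv, 3), libraryKeystream(block, iv, 3)))
}
```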