Re: [Suit] draft-housley-suit-cose-hash-sig

Dave Thaler <dthaler@microsoft.com> Thu, 21 June 2018 16:08 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: Brendan Moran <Brendan.Moran@arm.com>, Russ Housley <housley@vigilsec.com>
CC: suit <suit@ietf.org>
Thread-Topic: [Suit] draft-housley-suit-cose-hash-sig
Thread-Index: AQHUA0IRLifED7szcUiGqpElu04r7qRei+EAgAxR0ACAAAjvgIAABWsAgAABKWA=
Date: Thu, 21 Jun 2018 16:08:10 +0000
Message-ID: <DM5PR2101MB0805F9D2D2372C4AEE2C7E5BA3760@DM5PR2101MB0805.namprd21.prod.outlook.com>
References: <31676.1528913351@localhost> <04f401d40349$33a58b10$9af0a130$@augustcellars.com> <0CDB8D05-0214-4749-9907-5A1B0B4A2191@arm.com> <697B1DC9-B1DE-48BA-ADC6-EF936208AFCE@vigilsec.com> <9906B2BC-BFC2-4F83-A0F6-FFCC81912237@arm.com>
In-Reply-To: <9906B2BC-BFC2-4F83-A0F6-FFCC81912237@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/J3SQeLSuObBAv7xc2Sd07QJGrBY>
Subject: Re: [Suit] draft-housley-suit-cose-hash-sig
List-Id: Software Updates for Internet of Things <suit.ietf.org>

This is similar to a question I asked as well, whether the IETF only needs LMS or whether LMS is just an instance in a larger class that might be needed, and what the scope of the draft should be.

If the draft is not SUIT-only (e.g., allowing use in OSCORE, etc.) then it sounds like we might need the ability to support more than LMS for some use cases.

Dave

From: Suit <suit-bounces@ietf.org> On Behalf Of Brendan Moran
Sent: Thursday, June 21, 2018 9:03 AM
To: Russ Housley <housley@vigilsec.com>
Cc: suit <suit@ietf.org>
Subject: Re: [Suit] draft-housley-suit-cose-hash-sig

Hi Russ,
Thanks for the clarification. I agree that a larger signature is not what we need in SUIT. However, for the COSE draft, would it not make sense to provide for both LMS and XMSS? I don’t pretend to understand all COSE use cases.

Thanks,
Brendan


On 21 Jun 2018, at 16:43, Russ Housley <housley@vigilsec.com> wrote:

Brendan:

Yes, there are two CFRG algorithms for hash-based signatures. I prefer the one in McGrew's document, mostly because it is more straightforward. There is some speed improvement for the additional complexity in XMSS at the cost of a larger signature value. To me, the speed improvement is not big enough to justify the larger signature size. Your mileage may vary.

This paper describes the difference between the two:

https://eprint.iacr.org/2017/349.pdf

Russ



On Jun 21, 2018, at 11:11 AM, Brendan Moran <Brendan.Moran@arm.com> wrote:

I see that there are two current drafts for hash-based signatures:
https://tools.ietf.org/html/draft-mcgrew-hash-sigs-11
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12

I see that you have referenced the mcgrew draft rather than the IRTF/CFRG draft. Could you please explain what the difference is between these two drafts and why the mcgrew draft was a better choice than XMSS?

Thanks,
Brendan



On 13 Jun 2018, at 20:03, Jim Schaad <ietf@augustcellars.com> wrote:




-----Original Message-----
From: Suit <suit-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Wednesday, June 13, 2018 11:09 AM
To: suit <suit@ietf.org>
Subject: [Suit] draft-housley-suit-cose-hash-sig


I have read the -01 draft today.
I have not read [HASHSIG] yet.
I thought I'd try reading this first, to see what questions I had.

I have implemented COSE Sign1 with ECDSA in Ruby, so I have a grasp of
what we are trying to plug hash-sig *into*.


Suggestions:
1) would the structure shown in section 3 be easier if it was described by
   CDDL?  I'm rather unclear about this.

No - these are not CBOR structures; they are pure binary strings.



2) I didn't understand section 4, where it says:
     o  If the 'key_ops' field is present, it MUST include 'sign' when
        creating a hash-based signature.

     o  If the 'key_ops' field is present, it MUST include 'verify'
        when verifying a hash-based signature.

Clearly this is not something that travels over the network.  Is this
somehow indicating how to understand if one is dealing with a public (verify)
key or a private (sign) key?

The key_ops field can be considered to potentially be transported over a
network.  It is part of the COSE_Key object rather than part of the
COSE_Sign1 object.



3) the variations: LMS_SHA256_M32_H20, and LMOTS_SHA256_N32_W2, etc. are
   listed, but I don't know if they need to be carried in the signature
   structure somehow.

See the [HASHSIG] draft.  It is encoded into the signature structure and the
key type is in the public key structure.



4) I thought that perhaps we'd need CBOR or COSE specific way to transport
  the signatures.  I guess I shall read HASHSIG to find out what the
  signatures look like.

We have that.  This is looking at a signature just like ECDSA would produce.
This is a different "ECDSA" replacement.



I understand draft-mcgrew-hash-sigs-11 is being advanced by CFRG.
I believe that SUIT should adopt this document, and should do so in the
current state.

I would like to have some examples in CBOR/COSE worked out with private
keys available in the appendices.

Always a good thing to have.

Jim



--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-



_______________________________________________
Suit mailing list
Suit@ietf.org
https://www.ietf.org/mailman/listinfo/suit

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


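Added example, not taken from any of the messages above and not code from the hash-sigs draft, the COSE draft, or any SUIT implementation: a Python check that does what Jim's answers to points 2 and 3 describe. It reads the parameter set from the HSS public key and from the header of the HSS signature and refuses a key/signature pair whose LMS and LM-OTS typecodes disagree, and it applies the key_ops gate on the COSE_Key, which Jim notes is part of the key object and so can travel over the network. Byte layouts and typecodes are those of RFC 8554 (the published form of draft-mcgrew-hash-sigs); the COSE labels kty=1, alg=3, key_ops=4, sign=1 and verify=2 are from RFC 8152. The HSS-LMS key-type value and the label that holds the public-key bytes are placeholders, since the draft under discussion had no registered codepoints at the time. The sample key and signature are constructed from filler bytes, so the block exercises only the framing checks a verifier performs before any hash computation, not signature verification itself.

```python
import struct

# Typecodes from RFC 8554 (published draft-mcgrew-hash-sigs); SHA-256, n = m = 32.
LMS_TYPES = {5: 5, 6: 10, 7: 15, 8: 20, 9: 25}   # LMS typecode -> tree height h
LMOTS_TYPES = {1: 265, 2: 133, 3: 67, 4: 34}      # LM-OTS typecode -> chain count p
N = 32        # hash length in bytes for these parameter sets
I_LEN = 16    # length of the LMS key identifier I

# COSE labels from RFC 8152.
KTY, ALG, KEY_OPS = 1, 3, 4
OP_SIGN, OP_VERIFY = 1, 2
# Placeholders (assumptions): no HSS-LMS codepoints were registered when this thread ran.
KTY_HSS_LMS_PLACEHOLDER = 9999
PUB_LABEL_PLACEHOLDER = -1


def parse_hss_public_key(pub: bytes) -> dict:
    """Split an HSS public key (u32 L || LMS public key) into its header fields."""
    if len(pub) < 12 + I_LEN + N:
        raise ValueError("HSS public key too short")
    levels, lms_type, lmots_type = struct.unpack(">III", pub[:12])
    if not 1 <= levels <= 8:
        raise ValueError("HSS level count out of range")
    if lms_type not in LMS_TYPES or lmots_type not in LMOTS_TYPES:
        raise ValueError("unknown typecode in public key")
    return {"levels": levels, "lms_type": lms_type, "lmots_type": lmots_type,
            "I": pub[12:12 + I_LEN], "T1": pub[12 + I_LEN:12 + I_LEN + N]}


def lms_signature_len(lms_type: int, lmots_type: int) -> int:
    """u32 q || LM-OTS sig (u32 type || C || p*n bytes) || u32 lms_type || h*m path."""
    return 4 + (4 + N + N * LMOTS_TYPES[lmots_type]) + 4 + LMS_TYPES[lms_type] * N


def parse_hss_signature_header(sig: bytes) -> dict:
    """Read Nspk and the typecodes carried inside the first LMS signature."""
    if len(sig) < 12:
        raise ValueError("HSS signature too short")
    nspk, q, lmots_type = struct.unpack(">III", sig[:12])
    if lmots_type not in LMOTS_TYPES:
        raise ValueError("unknown LM-OTS typecode in signature")
    ots_len = 4 + N + N * LMOTS_TYPES[lmots_type]
    off = 4 + 4 + ots_len              # past Nspk, q and the LM-OTS signature
    if len(sig) < off + 4:
        raise ValueError("signature truncated before LMS typecode")
    lms_type = int.from_bytes(sig[off:off + 4], "big")
    if lms_type not in LMS_TYPES:
        raise ValueError("unknown LMS typecode in signature")
    return {"nspk": nspk, "q": q, "lms_type": lms_type, "lmots_type": lmots_type}


def parameter_sets_consistent(pub: bytes, sig: bytes) -> bool:
    """RFC 8554 requires the typecodes in the signature to match the public key."""
    k = parse_hss_public_key(pub)
    s = parse_hss_signature_header(sig)
    if s["nspk"] != k["levels"] - 1:
        return False
    if (s["lms_type"], s["lmots_type"]) != (k["lms_type"], k["lmots_type"]):
        return False
    if s["q"] >= 1 << LMS_TYPES[k["lms_type"]]:     # leaf index must fit the tree
        return False
    # For a single-level key the whole signature length is fixed by the typecodes.
    if k["levels"] == 1 and len(sig) != 4 + lms_signature_len(k["lms_type"], k["lmots_type"]):
        return False
    return True


def cose_key_allows(cose_key: dict, op: int) -> bool:
    """key_ops is optional; when present it MUST list the operation being performed."""
    ops = cose_key.get(KEY_OPS)
    return ops is None or op in ops


def check_verification_key(cose_key: dict, sig: bytes) -> bool:
    """Gate a verify operation on kty, key_ops and the embedded parameter sets."""
    if cose_key.get(KTY) != KTY_HSS_LMS_PLACEHOLDER:
        return False
    if not cose_key_allows(cose_key, OP_VERIFY):
        return False
    return parameter_sets_consistent(cose_key[PUB_LABEL_PLACEHOLDER], sig)


def build_sample() -> tuple:
    """Constructed LMS_SHA256_M32_H20 / LMOTS_SHA256_N32_W2 key and signature (filler bytes)."""
    pub = struct.pack(">III", 1, 8, 2) + b"\x11" * I_LEN + b"\x22" * N
    ots = struct.pack(">I", 2) + b"\x33" * N + b"\x44" * (N * 133)
    sig = struct.pack(">II", 0, 5) + ots + struct.pack(">I", 8) + b"\x55" * (20 * N)
    return pub, sig


if __name__ == "__main__":
    pub, sig = build_sample()
    key = {KTY: KTY_HSS_LMS_PLACEHOLDER, KEY_OPS: [OP_VERIFY], PUB_LABEL_PLACEHOLDER: pub}
    print(parse_hss_public_key(pub)["lms_type"], parse_hss_signature_header(sig))
    print("accepted:", check_verification_key(key, sig))
```

The length check in parameter_sets_consistent is only exact for a single-level key; for L > 1 the signature also carries the intermediate signed public keys, each of which must be walked with the same header parsing before its own typecodes can be compared, which this block does not do.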