[Suit] Manifest authentication field ordering

Brendan Moran <Brendan.Moran@arm.com> Mon, 25 November 2019 12:11 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/DsTWu6PDS5QuHhvK62p71mSkXdg>
List-Id: Software Updates for Internet of Things <suit.ietf.org>

I’ve been looking at PQC authentication primitives, particularly HSS/LMS [1] and XMSS [2]. These signature schemes require the processing of quite large signature blocks: I expect a Winternitz parameter of w=8 to be common, which makes the signature size 1088 bytes just for the Winternitz signature, without the Merkle tree components.

These large signatures can easily cause the manifest to violate REQ.SEC.MFST.CONST if the authentication section and the manifest are treated as a single unit, specifically:

the manifest MUST fit within an internal memory or a secure memory, such as encrypted memory

However, I think we should apply a slightly more relaxed approach here: Only the manifest itself, not the authentication wrapper, needs to fit in internal memory. Conveniently, most of these signature schemes can support a modular processing scheme, where the whole signature does not need to be loaded into RAM at once in order to validate a signature, with no loss of security.

The issue I see here is that a manifest that uses this approach faces an implementation challenge. The manifest would need to be processed in this order:

1. Parse COSE_Sign/COSE_Sign1 object
2. Construct & digest the Sig_structure
3. Validate the Sig_structure digest with the COSE_Signature object

1 can be processed up to the COSE_Signature without difficulty (consumed data can be discarded).
2 requires a “seek” past the, potentially large, COSE_Signature, then retention of that manifest in order to satisfy REQ.SEC.MFST.CONST.
3 can be processed gradually, storing or discarding the components of the signature that are consumed.

Currently, any key claim CWTs come after the manifest as well. This causes further “seek” actions.

Eliminating seek operations is important for two reasons:

1. Some designs may discard the signature after verification and replace it with a local MAC for re-verification
2. It limits the RAM requirements for writing only verified data to non-volatile storage

We could move the CWTs to the start, so that a validated public key is resident in memory when the COSE_Sign block is encountered. This does not resolve the manifest, however. We could move the manifest to prevent the seek, however this would just mean that the manifest must be held in memory during signature validation in order to fulfil REQ.SEC.MFST.CONST.

Both the manifest and any data extracted from it MUST be held immutable between its authenticity verification (time of check) and its use (time of use).

There is another option, but it inflates the size of the authentication wrapper by one digest: instead of using COSE_Sign in detached mode, we place a digest in the COSE_Sign as the payload. That digest is, in turn, the digest of the manifest.

My recommendation is to make two changes:

1. Order of fields:
   * CWT List
   * List of COSE_Sign/COSE_Sign1/COSE_Mac
   * Manifest
2. COSE_Sign contains a SUIT_Digest of the Manifest.

This would allow seek-free, fully modular processing of the manifest, without the need to hold both the manifest and any signature primitives in RAM at the same time.

Best Regards,
Brendan

[1]: https://tools.ietf.org/html/draft-ietf-cose-hash-sig-07
[2]: https://tools.ietf.org/html/rfc8391
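As an added illustration (not code from the SUIT draft or from the author), the following forward-only verifier processes a constructed byte framing that follows the proposed order: an authenticator over a digest of the manifest first, then the manifest itself. An HMAC-SHA256 tag stands in for the COSE_Sign/COSE_Mac entry, the CWT list is omitted, and the length-prefixed framing is an assumption for the example, not SUIT's CBOR encoding.

```python
import hashlib
import hmac
import io
import struct

# Constructed framing for illustration only; it is NOT the SUIT/COSE CBOR encoding.
# Envelope = [auth section][manifest section], each a 4-byte big-endian length prefix
# followed by bytes. The auth section holds the SHA-256 digest of the manifest (the
# SUIT_Digest payload) plus an HMAC-SHA256 tag over it, standing in for COSE_Mac/COSE_Sign.
DIGEST_LEN = 32          # SHA-256 digest; the HMAC-SHA256 tag is the same length

def _frame(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def build_envelope(key: bytes, manifest: bytes) -> bytes:
    """Producer side: authenticate a digest of the manifest, auth block first."""
    digest = hashlib.sha256(manifest).digest()
    tag = hmac.new(key, digest, hashlib.sha256).digest()
    return _frame(digest + tag) + _frame(manifest)

def _read_exact(stream, n: int) -> bytes:
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("truncated envelope")
    return data

def verify_envelope(key: bytes, source, chunk_size: int = 64):
    """Forward-only (seek-free) verification. Returns (manifest, peak_resident).
    peak_resident is the largest number of envelope bytes held at once; the
    authenticator is validated and dropped before any manifest byte is read."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    auth_len, = struct.unpack(">I", _read_exact(stream, 4))
    if auth_len != 2 * DIGEST_LEN:
        raise ValueError("bad auth section length")
    auth = _read_exact(stream, auth_len)
    expected_digest, tag = auth[:DIGEST_LEN], auth[DIGEST_LEN:]
    if not hmac.compare_digest(hmac.new(key, expected_digest, hashlib.sha256).digest(), tag):
        raise ValueError("authenticator invalid")
    peak = auth_len          # tag discarded here; only the 32-byte digest stays resident
    man_len, = struct.unpack(">I", _read_exact(stream, 4))
    h, held, remaining = hashlib.sha256(), bytearray(), man_len
    while remaining:         # stream the manifest; retain it (REQ.SEC.MFST.CONST)
        chunk = _read_exact(stream, min(chunk_size, remaining))
        remaining -= len(chunk)
        h.update(chunk)
        held += chunk
        peak = max(peak, DIGEST_LEN + len(held))
    if not hmac.compare_digest(h.digest(), expected_digest):
        raise ValueError("manifest digest mismatch")
    return bytes(held), peak
```

With a real HSS/LMS signature in the auth section, the same loop never holds signature and manifest together: the peak is the larger of the two, not their sum.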