Re: [Teep] [Suit] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256
Russ Housley <housley@vigilsec.com> Thu, 14 December 2023 17:34 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/03Bin7yqwT3dotfd-4m7rqRvjNI>
Laurence:

I am aware of a presentation about an attack against AES-GCM and AES-CCM:

   Roth, J. and F. Strenzke, "AEAD-to-CBC Downgrade Attacks on CMS", 8 November 2023, <https://datatracker.ietf.org/meeting/118/materials/slides-118-lamps-attack-against-aead-in-cms>.

I am not aware of any attacks that involve AES-KW. Where can I find information about the attack you are talking about?

Russ

> On Dec 14, 2023, at 12:19 PM, lgl island-resort.com <lgl@island-resort.com> wrote:
>
> Note that there is a vulnerability in ECDH-ES + A128KW — the one that was presented in Prague. I think there are fixes, and it’s on my list to dig into it (IETF/COSE needs a full, proper and secure multi-recipient modern encryption format), but don’t have bandwidth right now.
>
> LL
>
>> On Dec 14, 2023, at 2:18 AM, hannes.tschofenig=40gmx.net@dmarc.ietf.org wrote:
>>
>> Thank you all for your quick response. From the feedback it seems clear to go for ECDH-ES + A128KW.
>> We will update the documents accordingly.
>>
>> -----Original Message-----
>> From: Suit <suit-bounces@ietf.org> On Behalf Of Akira Tsukamoto
>> Sent: Thursday, 14 December 2023 06:29
>> To: Brendan Moran <brendan.moran.ietf@gmail.com>; Russ Housley <housley@vigilsec.com>; Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
>> Cc: suit@ietf.org; teep@ietf.org; Ken Takayama <ken.takayama.ietf@gmail.com>
>> Subject: Re: [Suit] [Teep] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256
>>
>> Hi Brendan,
>>
>> I am fine changing the MTI with ECDH-ES + A128KW.
>>
>> Akira
>>
>> On 12/14/2023 12:08 AM, Russ Housley wrote:
>>> I think ECDH-ES + A128KW covers more use cases. It can be used with one recipient or many recipients. So, I'd like to see that be the MTI.
>>>
>>> Russ
>>>
>>>
>>>> On Dec 13, 2023, at 3:38 AM, hannes.tschofenig=40gmx.net@dmarc.ietf.org wrote:
>>>>
>>>> Hi all,
>>>>
>>>> In the SUIT firmware encryption draft we have so far used ECDH-ES + A128KW, which is also what we implemented in t_cose to generate the examples.
>>>>
>>>> In a discussion with Ken today we realized that the SUIT-MTI draft has always used ECDH-ES + HKDF-256 instead.
>>>>
>>>> Now, the question is: Should we support both, ECDH-ES + A128KW and ECDH-ES + HKDF-256?
>>>>
>>>> IMHO we definitely need AES-KW for scenarios where we encrypt a firmware with a CEK once and then distribute that encrypted firmware image to many recipients. In this case, we
>>>>
>>>> * randomly generate a CEK,
>>>> * encrypt the firmware using this CEK,
>>>> * encrypt this CEK with a KEY unique per recipient with a KEK. The KEK is the result of using ECDH-ES with a KDF, as described in Section 6.4 of RFC 9053.
>>>>
>>>>
>>>> For scenarios where we send one firmware image to one recipient we could use ECDH-ES + HKDF-256 and currently we have a little bit of overhead here by using ECDH-ES + A128KW.
>>>>
>>>> My preference is to leave the SUIT firmware encryption draft as is and to change the SUIT MTI draft to reference ECDH-ES + A128KW instead of ECDH-ES + HKDF-256.
>>>>
>>>> Thoughts?
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>
>>> _______________________________________________
>>> TEEP mailing list
>>> TEEP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/teep
>>
>> _______________________________________________
>> Suit mailing list
>> Suit@ietf.org
>> https://www.ietf.org/mailman/listinfo/suit
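
The multi-recipient flow described in the quoted original message (one random CEK, firmware encrypted once, CEK wrapped per recipient under an ECDH-ES-derived KEK), as an added example that is not part of the thread, t_cose, or the SUIT drafts. It assumes P-256, AES-128-GCM for the content, and a plain-string HKDF info label standing in for the CBOR COSE_KDF_Context; all function names are hypothetical.

```javascript
// Added illustration: ECDH-ES + A128KW with several recipients (Node.js built-in crypto).
const crypto = require("node:crypto");

const KW_IV = Buffer.from("a6a6a6a6a6a6a6a6", "hex"); // RFC 3394 default IV

// ECDH-ES on P-256 followed by HKDF-SHA256, producing a 128-bit key.
// ASSUMPTION: `info` is a plain label; COSE uses a CBOR COSE_KDF_Context here.
function deriveKey(ownEcdh, peerPublic, info) {
  const z = ownEcdh.computeSecret(peerPublic);
  return Buffer.from(crypto.hkdfSync("sha256", z, Buffer.alloc(0), info, 16));
}

function newKeyPair() {
  const e = crypto.createECDH("prime256v1");
  e.generateKeys();
  return e;
}

// Sender: encrypt the firmware once under a random CEK, then wrap the CEK per recipient.
function encryptForMany(firmware, recipientPublics) {
  const cek = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-128-gcm", cek, nonce);
  const ciphertext = Buffer.concat([c.update(firmware), c.final()]);
  const tag = c.getAuthTag();
  const recipients = recipientPublics.map((pub) => {
    const eph = newKeyPair(); // fresh ephemeral key for each recipient
    const kek = deriveKey(eph, pub, "A128KW");
    const w = crypto.createCipheriv("aes128-wrap", kek, KW_IV);
    return { ephPublic: eph.getPublicKey(), wrappedCek: Buffer.concat([w.update(cek), w.final()]) };
  });
  return { nonce, ciphertext, tag, recipients };
}

// Recipient: redo ECDH with the sender's ephemeral key, unwrap the CEK, decrypt.
function decryptAsRecipient(msg, index, recipientEcdh) {
  const r = msg.recipients[index];
  const kek = deriveKey(recipientEcdh, r.ephPublic, "A128KW");
  const u = crypto.createDecipheriv("aes128-wrap", kek, KW_IV);
  const cek = Buffer.concat([u.update(r.wrappedCek), u.final()]); // throws if the KEK is wrong
  const d = crypto.createDecipheriv("aes-128-gcm", cek, msg.nonce);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.ciphertext), d.final()]);
}

// Constructed sample input: one device, a short stand-in for a firmware image.
const device = newKeyPair();
const demo = encryptForMany(Buffer.from("constructed firmware bytes"), [device.getPublicKey()]);
console.log(decryptAsRecipient(demo, 0, device).toString());
```

Each recipient entry carries a 24-byte wrapped CEK plus an ephemeral public key, while the firmware ciphertext is shared by all recipients. With ECDH-ES + HKDF-256 used directly, the derived key would itself be the CEK, so the wrap step disappears but the ciphertext is bound to a single recipient.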