Re: [Teep] [Suit] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256

Russ Housley <housley@vigilsec.com> Thu, 14 December 2023 17:34 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <9F676C9F-1573-4DBE-A12A-A9A63BC77014@island-resort.com>
Date: Thu, 14 Dec 2023 12:34:16 -0500
Cc: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Akira Tsukamoto <akira.tsukamoto@gmail.com>, Brendan Moran <brendan.moran.ietf@gmail.com>, suit <suit@ietf.org>, teep <teep@ietf.org>, Ken Takayama <ken.takayama.ietf@gmail.com>
Message-Id: <65A259BD-75EF-4EAE-B255-29EBD1ABC319@vigilsec.com>
References: <08f701da2d9f$c043a6c0$40caf440$@gmx.net> <655A0104-EF30-42E4-862D-6D4D6E4FDDD9@vigilsec.com> <843e1218-8847-48cc-ada5-9b9cc50e17cf@gmail.com> <00ba01da2e6e$81f1f910$85d5eb30$@gmx.net> <9F676C9F-1573-4DBE-A12A-A9A63BC77014@island-resort.com>
To: "lgl island-resort.com" <lgl@island-resort.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/03Bin7yqwT3dotfd-4m7rqRvjNI>
Subject: Re: [Teep] [Suit] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256

Laurence:

I am aware of a presentation about an attack against AES-GCM and AES-CCM:

	Roth, J. and F. Strenzke,
	"AEAD-to-CBC Downgrade Attacks on CMS",
	8 November 2023,
	<https://datatracker.ietf.org/meeting/118/materials/slides-118-lamps-attack-against-aead-in-cms>.

I am not aware of any attacks that involve AES-KW.

Where can I find information about the attack you are talking about?

Russ

> On Dec 14, 2023, at 12:19 PM, lgl island-resort.com <lgl@island-resort.com> wrote:
> 
> Note that there is a vulnerability in ECDH-ES + A128KW — the one that was presented in Prague. I think there are fixes, and it’s on my list to dig into it (IETF/COSE needs a full, proper and secure multi-recipient modern encryption format), but I don’t have bandwidth right now.
> 
> LL
> 
>> On Dec 14, 2023, at 2:18 AM, hannes.tschofenig=40gmx.net@dmarc.ietf.org wrote:
>> 
>> Thank you all for your quick response. From the feedback it seems clear to go for ECDH-ES + A128KW.
>> We will update the documents accordingly.
>> 
>> -----Original Message-----
>> From: Suit <suit-bounces@ietf.org> On Behalf Of Akira Tsukamoto
>> Sent: Thursday, 14 December 2023 06:29
>> To: Brendan Moran <brendan.moran.ietf@gmail.com>; Russ Housley <housley@vigilsec.com>; Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
>> Cc: suit@ietf.org; teep@ietf.org; Ken Takayama <ken.takayama.ietf@gmail.com>
>> Subject: Re: [Suit] [Teep] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256
>> 
>> Hi Brendan,
>> 
>> I am fine changing the MTI with ECDH-ES + A128KW.
>> 
>> Akira
>> 
>> On 12/14/2023 12:08 AM, Russ Housley wrote:
>>> I think ECDH-ES + A128KW covers more use cases. It can be used with one recipient or many recipients. So, I'd like to see that be the MTI.
>>> 
>>> Russ
>>> 
>>> 
>>>> On Dec 13, 2023, at 3:38 AM, hannes.tschofenig=40gmx.net@dmarc.ietf.org wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> In the SUIT firmware encryption draft we have so far used ECDH-ES + A128KW, which is also what we implemented in t_cose to generate the examples.
>>>> 
>>>> In a discussion with Ken today we realized that the SUIT-MTI draft has always used ECDH-ES + HKDF-256 instead.
>>>> 
>>>> Now, the question is: Should we support both, ECDH-ES + A128KW and ECDH-ES + HKDF-256?
>>>> 
>>>> IMHO we definitely need AES-KW for scenarios where we encrypt a firmware with a CEK once and then distribute that encrypted firmware image to many recipients. In this case, we 
>>>> 
>>>> * randomly generate a CEK, 
>>>> * encrypt the firmware using this CEK, 
>>>> * encrypt this CEK with a KEK unique to each recipient. The KEK is the result of using ECDH-ES with a KDF, as described in Section 6.4 of RFC 9053. 
>>>> 
>>>> 
>>>> For scenarios where we send one firmware image to one recipient we could use ECDH-ES + HKDF-256 and currently we have a little bit of overhead here by using ECDH-ES + A128KW.
>>>> 
>>>> My preference is to leave the SUIT firmware encryption draft as is and to change the SUIT MTI draft to reference ECDH-ES + A128KW instead of ECDH-ES + HKDF-256.
>>>> 
>>>> Thoughts?
>>>> 
>>>> Ciao
>>>> Hannes
>>>> 
>>> 
>>> _______________________________________________
>>> TEEP mailing list
>>> TEEP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/teep
>> 
>> _______________________________________________
>> Suit mailing list
>> Suit@ietf.org
>> https://www.ietf.org/mailman/listinfo/suit
>