Re: [Teep] [Suit] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256

"lgl island-resort.com" <lgl@island-resort.com> Fri, 15 December 2023 03:14 UTC

From: "lgl island-resort.com" <lgl@island-resort.com>
To: Russ Housley <housley@vigilsec.com>
CC: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Akira Tsukamoto <akira.tsukamoto@gmail.com>, Brendan Moran <brendan.moran.ietf@gmail.com>, suit <suit@ietf.org>, teep <teep@ietf.org>, Ken Takayama <ken.takayama.ietf@gmail.com>
Date: Fri, 15 Dec 2023 03:14:00 +0000
Message-ID: <5E005DCF-86C5-4359-929D-A60DD1C703E1@island-resort.com>
References: <08f701da2d9f$c043a6c0$40caf440$@gmx.net> <655A0104-EF30-42E4-862D-6D4D6E4FDDD9@vigilsec.com> <843e1218-8847-48cc-ada5-9b9cc50e17cf@gmail.com> <00ba01da2e6e$81f1f910$85d5eb30$@gmx.net> <9F676C9F-1573-4DBE-A12A-A9A63BC77014@island-resort.com> <65A259BD-75EF-4EAE-B255-29EBD1ABC319@vigilsec.com>
In-Reply-To: <65A259BD-75EF-4EAE-B255-29EBD1ABC319@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/7KyK3NaK67itxsYN4oPpasmQHF0>

Maybe I’m wrong here (hope so), but AES-GCM is used with ECDH-ES + A128KW for the bulk payload encryption, and the algorithm ID identifying it is not mixed in with the KDF context, so the alg ID is not really protected.

Will look at the referenced paper some more.

LL


> On Dec 14, 2023, at 10:34 AM, Russ Housley <housley@vigilsec.com> wrote:
> 
> Laurence:
> 
> I am aware of a presentation about an attack against AES-GCM and AES-CCM:
> 
> 	Roth, J. and F. Strenzke,
> 	"AEAD-to-CBC Downgrade Attacks on CMS",
> 	8 November 2023,
> 	<https://datatracker.ietf.org/meeting/118/materials/slides-118-lamps-attack-against-aead-in-cms>.
> 
> I am not aware of any attacks that involve AES-KW.
> 
> Where can I find information about the attack you are talking about?
> 
> Russ
> 
>> On Dec 14, 2023, at 12:19 PM, lgl island-resort.com <lgl@island-resort.com> wrote:
>> 
>> Note that there is a vulnerability in ECDH-ES + A128KW — the one that was presented in Prague. I think there are fixes, and it’s on my list to dig into it (IETF/COSE needs a full, proper and secure multi-recipient modern encryption format), but don’t have bandwidth right now.
>> 
>> LL
>> 
>>> On Dec 14, 2023, at 2:18 AM, hannes.tschofenig=40gmx.net@dmarc.ietf.org wrote:
>>> 
>>> Thank you all for your quick response. From the feedback it seems clear to go for ECDH-ES + A128KW.
>>> We will update the documents accordingly.
>>> 
>>> -----Original Message-----
>>> From: Suit <suit-bounces@ietf.org> On Behalf Of Akira Tsukamoto
>>> Sent: Donnerstag, 14. Dezember 2023 06:29
>>> To: Brendan Moran <brendan.moran.ietf@gmail.com>; Russ Housley <housley@vigilsec.com>; Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
>>> Cc: suit@ietf.org; teep@ietf.org; Ken Takayama <ken.takayama.ietf@gmail.com>
>>> Subject: Re: [Suit] [Teep] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256
>>> 
>>> Hi Brendan,
>>> 
>>> I am fine changing the MTI with ECDH-ES + A128KW.
>>> 
>>> Akira
>>> 
>>> On 12/14/2023 12:08 AM, Russ Housley wrote:
>>>> I think ECDH-ES + A128KW covers more use cases.  It can be used with one recipient or many recipients.  So, I'd like to see that be the MTI.
>>>> 
>>>> Russ
>>>> 
>>>> 
>>>>> On Dec 13, 2023, at 3:38 AM, hannes.tschofenig=40gmx.net@dmarc.ietf.org wrote:
>>>>> 
>>>>> Hi all,
>>>>> 
>>>>> In the SUIT firmware encryption draft we have so far used ECDH-ES + A128KW, which is also what we implemented in t_cose to generate the examples.
>>>>> 
>>>>> In a discussion with Ken today we realized that the SUIT-MTI draft has always used ECDH-ES + HKDF-256 instead.
>>>>> 
>>>>> Now, the question is: Should we support both, ECDH-ES + A128KW and ECDH-ES + HKDF-256?
>>>>> 
>>>>> IMHO we definitely need AES-KW for scenarios where we encrypt a firmware with a CEK once and then distribute that encrypted firmware image to many recipients. In this case, we 
>>>>> 
>>>>> * randomly generate a CEK, 
>>>>> * encrypt the firmware using this CEK, 
>>>>> * encrypt this CEK with a KEY unique per recipient with a KEK. The KEK is the result of using ECDH-ES with a KDF, as described in Section 6.4 of RFC 9053. 
>>>>> 
>>>>> 
>>>>> For scenarios where we send one firmware image to one recipient we could use ECDH-ES + HKDF-256 and currently we have a little bit of overhead here by using ECDH-ES + A128KW.
>>>>> 
>>>>> My preference is to leave the SUIT firmware encryption draft as is and to change the SUIT MTI draft to reference ECDH-ES + A128KW instead of ECDH-ES + HKDF-256.
>>>>> 
>>>>> Thoughts?
>>>>> 
>>>>> Ciao
>>>>> Hannes
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> TEEP mailing list
>>>> TEEP@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/teep
>>> 
>>> _______________________________________________
>>> Suit mailing list
>>> Suit@ietf.org
>>> https://www.ietf.org/mailman/listinfo/suit
>>> 
>> 
>
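The KEK-derivation step in Hannes' list (ECDH-ES with a KDF per RFC 9053) and Laurence's point about what the KDF context does and does not bind, as an added example that is not code from this thread or from t_cose: it encodes COSE_KDF_Context for both modes and runs HKDF-SHA-256 over it, so one can see that in ECDH-ES + HKDF-256 the content-encryption alg ID is a KDF input while in ECDH-ES + A128KW only the key-wrap alg ID is. The 32-byte shared secret is a constructed stand-in for real ECDH output, and the AES-KW and AES-GCM steps are left out.

```python
import hashlib
import hmac

# COSE algorithm identifiers from the RFC 9053 tables.
A128GCM, AES_CCM_16_64_128, A128KW = 1, 10, -3

def _cbor_head(major, n):
    # CBOR initial byte(s) for major type + unsigned argument; enough for this context.
    assert n < 256
    return bytes([(major << 5) | n]) if n < 24 else bytes([(major << 5) | 24, n])

def cbor(v):
    """Minimal CBOR encoder for what COSE_KDF_Context needs: int, bstr, array, nil."""
    if v is None:
        return b"\xf6"
    if isinstance(v, int):
        return _cbor_head(0, v) if v >= 0 else _cbor_head(1, -1 - v)
    if isinstance(v, bytes):
        return _cbor_head(2, len(v)) + v
    if isinstance(v, list):
        return _cbor_head(4, len(v)) + b"".join(cbor(x) for x in v)
    raise TypeError(type(v))

def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) with SHA-256; an empty salt behaves like HashLen zero bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def kdf_context(alg_id, key_bits=128, protected=b""):
    """COSE_KDF_Context (RFC 9053 Section 5.2) with nil PartyU/PartyV info fields."""
    party_info = [None, None, None]   # identity, nonce, other
    return cbor([alg_id, party_info, party_info, [key_bits, protected]])

def direct_cek(shared_secret, content_alg):
    """ECDH-ES + HKDF-256: AlgorithmID is the content-encryption alg, so the derived
    CEK changes if the content alg ID is altered."""
    return hkdf_sha256(shared_secret, b"", kdf_context(content_alg), 16)

def keywrap_kek(shared_secret):
    """ECDH-ES + A128KW: AlgorithmID is the key-wrap alg; the content alg used for
    the bulk payload is not an input, so the KEK is the same whatever it is."""
    return hkdf_sha256(shared_secret, b"", kdf_context(A128KW), 16)

# Constructed 32-byte stand-in for an ECDH shared secret Z (no real ECDH performed).
SHARED_SECRET = bytes(range(32))
```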