IETF Logo Mail Archive

Re: [Teep] [Suit] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sun, 31 December 2023 09:48 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74043C14F696; Sun, 31 Dec 2023 01:48:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.803
X-Spam-Level:
X-Spam-Status: No, score=-2.803 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kHGpEqVpMlHf; Sun, 31 Dec 2023 01:48:34 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47C50C14F680; Sun, 31 Dec 2023 01:48:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1704016104; x=1704620904; i=hannes.tschofenig@gmx.net; bh=Xnthiy6C4jX+r0lwqmGkvOcoLit8NYa6B0IWiJDXKt8=; h=X-UI-Sender-Class:Date:Subject:To:Cc:References:From: In-Reply-To; b=fqEdxVYDNfzr1POW7VgW9VkQuuzIi1SptLxUF+qH0Cnc2HLaknv44R1+gCRlFQIn SZHqNs6EeTkl0TKyeHesekTb+nvXiu8qTXss5Iitkb0NOX9wLnDr5PCLmktozpmNe 0iVnfphRqRuw7R/5p5Tt0RHY3yXDvzQoguIfkv5w2a0wBqNZVD6BbZ6kf+OkAVcJw ohGWh0nXxKhU7TBP2GVzTnlipW6MadJ7AblGqZjeN7ZSrYVF8ddCgIRCl4MDQR6Y3 94+bfS6s9eRiezjHeFrR+z5waVdSwCuDsMbDFslKLg/C+P47WAJsfNEEiGqHvSZ// 1+F7+KzsEOl+rYIXHQ==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [172.16.254.186] ([185.176.157.173]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MCsUC-1rSdr60v56-008ow8; Sun, 31 Dec 2023 10:48:24 +0100
Content-Type: multipart/alternative; boundary="------------4EoRziP7OuNhEyiA6dTG6lbc"
Message-ID: <cb729c84-869f-4afa-b4d1-56b32cf923d5@gmx.net>
Date: Sun, 31 Dec 2023 10:48:27 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: "lgl island-resort.com" <lgl@island-resort.com>
Cc: Russ Housley <housley@vigilsec.com>, Akira Tsukamoto <akira.tsukamoto@gmail.com>, Brendan Moran <brendan.moran.ietf@gmail.com>, suit <suit@ietf.org>, teep <teep@ietf.org>, Ken Takayama <ken.takayama.ietf@gmail.com>
References: <08f701da2d9f$c043a6c0$40caf440$@gmx.net> <655A0104-EF30-42E4-862D-6D4D6E4FDDD9@vigilsec.com> <843e1218-8847-48cc-ada5-9b9cc50e17cf@gmail.com> <00ba01da2e6e$81f1f910$85d5eb30$@gmx.net> <9F676C9F-1573-4DBE-A12A-A9A63BC77014@island-resort.com> <65A259BD-75EF-4EAE-B255-29EBD1ABC319@vigilsec.com> <5E005DCF-86C5-4359-929D-A60DD1C703E1@island-resort.com> <731ab283-e078-4186-ae60-0725d0bf1356@gmx.net> <76B7A923-CC43-45DC-B8BF-D03D95542874@island-resort.com> <06e13dea-6e69-4ef6-a496-ced908cfd982@gmx.net> <3506EFA4-3956-4EB2-9174-3F20222267C0@island-resort.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <3506EFA4-3956-4EB2-9174-3F20222267C0@island-resort.com>
X-Provags-ID: V03:K1:31W/uyR3zOfBLeVKMsqGgGTmouvce6AZtI6lh3FECpOdYauU8qv FZFkY/SQ2/fkXTP2j7yv7nwSQA+o/3DCCK4nu90oSqBUqptYh62u5VwnLZXg1T5q5YbMDjx hUdf6mKsymfYrOXv2tJqtX55EXym108UpsQnESlJBx+scE4pPsNsqZR9Jt2avzBjB4fFD7O 84shxe/SdmDY1mWiTkUQg==
UI-OutboundReport: notjunk:1;M01:P0:SDwcGVOfmPQ=;DFtCqgq/widpTpu0ND7a+N+0aPO jEKlbKOIccvUnKQYV16KNadcQNmH7fBBK0EEcbNFrzADVeON+NkfWUcTH14dVr0HNiha5NbzF 2RS6CbJ5z3UNrs87UdCvVhGtA+2baqsKj6OmgHkoLxaYDZKsSuy7VECi6dHXy9XY2YLo9AUof S1TqrYTy580Im+UuzwvUbcdB7Fhzq5ZWdFKwGvhE0AAverB9fjqBKhX8O4cLTf6Egpw1FDCuG Dyh8VtTlE0mJ/7XMMbAcTZtBo33p+WL17rQRhWRTFD4Iorfp2ba95tcJgRY09z2tyv5gXfeIk FpYRnzDQM5+7wu+NNFd5YH0soXdVe9dE3+QkiMvZzJd6B539b5Lzse8RlUMLBpm4oqAHHdebZ 177b3VwxJ/gF5/0DjTxx6BGPGGWRFZ/nlRUYEB+82+/1IqGYlxaybFrYf/O+7clgz6kV55P+R rZIFQ/Mp5lUeFgPRYM61yHDWDY8rscBdhyqIGmMFHyAyniSyrb4w810j3rsA75Va2VrvZcLmR 8/3RnRntY1imFo6HhhZ1ceUI4OBsjP6JhsGKkgNB9bFDH7XJ9yk4eMdhxOWhJUyVTXSYnPPqC Vn76IqC+H8RsximrAWxswxqxDDLn/TXSbVHhYXDZjRuPHQja67nHFsOWetQc9qwfYAtopqYTB 3XOqcpHIQwFonVBA/tMXI1epVJE5+FgfL16gWy4jhT8VXFlRqmcGwGNPmZtUOJlJdqPTwXCWr MNaQ781K3ZhxIHDVJ0JJF7I+b2smAxLmWgORllPtfuLiejUqSriEqTAn9EmTAid1X01Vg29Uv Na1kiobZe3Gsw0QnExe7c23WE+cwYm54kwhc/+TGVdVWdb6Gmp5WwZB7HUbRy+wlLaokQjQoO ZiT556HKjuhsiPv5nEGwtrVrxo/gQhvKSGD7anhIoW0rU4qfa0ZL0M8Dhfi+0Y55UJrR6QSbh 317fB0a5YIooCCTH8j8tumPyf4Q=
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/GCaT8j2NDUTOsdWA6BKbnUohnII>
Subject: Re: [Teep] [Suit] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Dec 2023 09:48:38 -0000

Hi Laurence,


comments below.


Am 28.12.2023 um 18:58 schrieb lgl island-resort.com:
>
>
>> On Dec 24, 2023, at 5:19 AM, Hannes Tschofenig
>> <Hannes.Tschofenig@gmx.net> wrote:
>>
>> Hi Laurence, Hi all,
>>
>> In draft-ietf-suit-firmware-encryption we use a two-layer approach,
>> which means that there is
>>
>> - a content encryption layer, and
>>
>> - the recipient layer
>>
>>
>> For the content encryption layer we have included the protected
>> headers in the Enc_structure structure with AEAD ciphers. The
>> protected header may contain the algorithm identifier. In COSE, it is
>> not mandatory to include the algorithm identifier in the protected
>> header. For non-AEAD ciphers, the Enc_structure structure is not used.
>>
> Looks to me that all you have to do change the algorithm ID in the
> protected header from AES-GCM to AES. If the receiver is capable of
> processing messages with plain AES content encryption it will happily
> do so not knowing that it was AES-GCM in the original message. Since
> plain AES provides no data authentication the receiver won’t notice
> that the algorithm ID was modified. The protected headers aren’t
> really protected.
>
> I haven’t thought this through deep enough to know how big a hole this is.


The attack you are describing is to change the algorithm id from AES-GCM
to AES-CBC. If you do so, this change would be detected by the signature
covering the entire SUIT manifest.

Furthermore, the recipient will check whether the use of AES-CBC is an
allowed algorithm. Finally, for the attack to work as presented in LAMPS
the recipient then has to try to decrypt the payload and return the
result back to the sender.

None of this is realistic but nevertheless worth describing in the draft.


>
>> The delivery of firmware images is a one-shot message, if we ignore
>> the possibility for conveying errors using SUIT report. The SUIT
>> report, at least in my reading, would not give an adversary the
>> information necessary for performing the attack outlined at
>> https://datatracker.ietf.org/meeting/118/materials/slides-118-lamps-attack-against-aead-in-cms.
>> It does not hurt to add a paragraph to the SUIT report draft saying
>> that the returned information must not include decrypted payloads in
>> case of a failure. In general, however, SUIT reports behaves like an
>> oracle since it will give different responses depending on the
>> success or failure of the SUIT manifest processing. It might be
>> worthwhile to think about how to mitigate such attacks.
>>
> Yes, encryption for SUIT may be a use case safe from this attack, but
> COSE encryption should be safe regardless of the use case.

I agree but the use of AES-CBC is limited to special use cases and the
use case envisioned was firmware encryption. For other use cases, a
receipient receiving a payload encrypted with AES-CBC has to fail
because there is no use for algorithms other than AEAD ciphers. In
general, one has to store algorithm information alongside the key and
not let attackers switch algorithms.


>
>> COSE-HPKE was mentioned in the mails below, although we do not use it
>> in the SUIT firmware encryption draft. In the COSE-HPKE draft we use
>> a one-layer and a two-layer approach. For the two layer approach, the
>> situation is very similiar to my description above. The algorithm
>> identifier is not included in the KDF at the recipient layer but it
>> is instead included in the Enc_structure structure since the current
>> version of the algorithm id is mandatory in the protected header.
>> (See also the request to make it optional
>> https://github.com/cose-wg/HPKE/issues/39).
>>
> I realize you can’t use HPKE for SUIT for a few reasons. I mention
> HPKE, because its design seems intrinsically immune. I think that is
> partly because of the design and validation process it used. Seems
> like COSE didn’t use as good a process.


You can use HPKE for SUIT but we haven't specified it. In the above
paragraph I am observing that HPKE in the two layer approach is not
necessarily immune to the attack.


>
>> So, what should we do? We could follow the approach Russ presented at
>> IETF#118 and later described in
>> https://datatracker.ietf.org/doc/draft-housley-lamps-cms-cek-hkdf-sha256/
>>
>> His approach applies a KDF to the CEK and an algorithm id. The result
>> is a new CEK, namely CEK'. CEK' is subsequently used for content
>> encryption. This approach is generic but, on the other hand, a point
>> solution to the specific attack presented to LAMPs. In his
>> presentation Russ mentioned that we should/could include other
>> information into the KDF but his write-up ultimately didn't contain
>> that approach.
>>
>> Alternatively, we could also include the algorithm id from the
>> content encryption layer into the KDF already used for ES-DH and
>> HPKE. This approach would not work for AES-KW.
>>
>>
>> Here is the part that worries me a bit: We keep changing the KDFs on
>> a frequent basis and the KDFs used for the different algorithms are
>> not well aligned across the different protocols and "container"
>> formats. I have dropped a mail to Paul Van Oorschot asking him for
>> feedback since he was the first one to come up with the class of
>> attacks we are talking about here.
>>
> For me, the next step would be a document that is much more
> prescriptive on the use of KDF’s in COSE encryption. It probably will
> need to have something new to say how all algorithm IDs in all the
> COSE layers are input to the KDF. It might be standards track.
>
> Then we need to review and debate and revise thoroughly to be sure we
> really got it right.
>
> IMO, it is unfortunate, particularly for SUIT, that COSE encryption
> published in 9052 and 9053 isn’t quite complete in this area.

In SUIT we luckilly have a dedicated document that explains how to use
encryption properly. At the start, we thought we just have to reference
COSE_Encrypt from the COSE specification and to be done with it. As we
know, it turned out to be quite different.


Ciao

Hannes


>
> LL
>
>
>
> _______________________________________________
> Suit mailing list
> Suit@ietf.org
> https://www.ietf.org/mailman/listinfo/suit

v2.23.0 | Report a Bug | By Email