Re: [Teep] Size of NONCE in QueryRequest

Mingliang Pei <mingliang.pei@broadcom.com> Sat, 04 April 2020 18:18 UTC

MIME-Version: 1.0
References: <9848943d-597d-8b11-5dd0-54beb97896a4@aist.go.jp> <2532F840-7951-441F-B635-B784BD4F7592@vigilsec.com> <A8025E55-AF43-425D-AE38-EE8E6895F35A@cisco.com> <bbf71882-5a8b-a1d1-e30d-697d74a219f3@aist.go.jp>
In-Reply-To: <bbf71882-5a8b-a1d1-e30d-697d74a219f3@aist.go.jp>
From: Mingliang Pei <mingliang.pei@broadcom.com>
Date: Sat, 04 Apr 2020 11:17:52 -0700
Message-ID: <CABDGos4d-On8toav9192dwWDsvHfq2aaq4HWhHvHFhps_g6Yvg@mail.gmail.com>
To: Akira Tsukamoto <akira.tsukamoto@aist.go.jp>
Cc: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, Russ Housley <housley@vigilsec.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "teep@ietf.org" <teep@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000000f278d05a27b0e1d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/Ph9Tsw4YlHuhV_NXy3VaDnF46GI>
Subject: Re: [Teep] Size of NONCE in QueryRequest
Precedence: list

>> Using the same type of NONCE in TEEP and RATS would make the
implementation easier and having less chance of having bug.

A compelling argument for me to take this approach. Concur on this change.
Thanks,

Ming


On Fri, Apr 3, 2020 at 7:31 PM Akira Tsukamoto <akira.tsukamoto@aist.go.jp>
wrote:

> Hi Russ, Nancy and Hannes,
>
> Thanks for your comments.
>
> I would like to use the same representative of NONCE in TEEP as EAT which
> is `bstr .size (8..64)` , minimum 8 bytes, max 64 bytes, as Hannes
> mentioned
> instead or int or uint which I mentioned earlier.
>
> The int/uint could have only up to 8 bytes maximum.
> While bstr could have variable length.
>
> 8 bytes in decimal max: 18446744073709551615
> uint .size 8 in hex is: 1B FF FF FF FF FF FF FF FF
> bstr .size 8 in hex is: 58 08 FF FF FF FF FF FF FF FF
>
> The uint representation is only one byte smaller while bstr could go up to
>
> 64 bytes in decimal max:
>
> 13407807929942597099574024998205846127479365820592393377723561443721764030073546976801874298166903427690031858186486050853753882811946569946433649006084095
>
> uint .size 64 <- not possible
> bstr .size 64 in hex is:
> 58 40
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
>
> Using the same type of NONCE in TEEP and RATS would make the implementation
> easier and having less chance of having bug.
>
> Now I have concrete idea of NONCE representation, thanks,
>
> -Akira
>
>
> On 4/4/2020 12:01 AM, Nancy Cam-Winget (ncamwing) wrote:
> > Hi Russ and Akira,
> > Yes the Nonce is for replay...in TEEP there was consensus to use RATs
> claims.  That said, the Nonce claim in RATS is a minimum 8bytes with a max
> of 64.  I agree that 4 is not enough....but what is the appropriate size
> for TEEP?  Perhaps 16?
> >
> >       Nancy
> >
> > On 4/3/20, 6:57 AM, "TEEP on behalf of Russ Housley" <
> teep-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:
> >
> >      What is the NONCE supposed to do here? If it is replay protection,
> 4 bytes is not enough.  For example, OCSP uses up to 32 bytes.
> >
> >      Russ
> >
> >
> >      > On Apr 3, 2020, at 4:35 AM, Akira Tsukamoto <
> akira.tsukamoto@aist.go.jp> wrote:
> >      >
> >      > Hi all,
> >      >
> >      > I would like to ask expertise in the mailing list.
> >      >
> >      > The QueryRequest has member of NONCE in representation of bstr
> >      > in teep protocol draft.
> >      >
> >      > From the feedback from the virtual hackathon last week in Japan,
> >      > I prefer using bstr less as possible and use number representation
> >      > in int or uint since it reduces the size of the teep message and
> >      > int/uint are more programing language friendly.
> >      >
> >      > Then I came across how large the integer could be to hold nonce
> >      > in the member field.
> >      >
> >      > Currently it is:
> >      >
> >      > QueryRequest = {
> >      > ....
> >      >     TOKEN : bstr,
> >      > ....
> >      >     ? NONCE : bstr,
> >      > ....
> >      > }
> >      >
> >      > and would like to suggest
> >      >
> >      > QueryRequest = {
> >      > ....
> >      >     TOKEN => uint .size 4,
> >      > ....
> >      >     ? NONCE => uint .size 4,
> >      > ....
> >      > }
> >      >
> >      > but not sure the unsigned 32bit is large enough or not.
> >      > The max of unsigned 32bit, 0x ff ff ff ff, is 4,294,967,295.
> >      > And do we expect negative numbers here, if not would like to use
> uint instead of int?
> >      >
> >      > Any comments are welcome,
> >      >
> >      > Akira
> >
> >      _______________________________________________
> >      TEEP mailing list
> >      TEEP@ietf.org
> >
> https://clicktime.symantec.com/3B9CV59AdeoPLksjdX1hMLm7Vc?u=https%3A%2F%2Fjpn01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fwww.ietf.org%252Fmailman%252Flistinfo%252Fteep%26data%3D02%257C01%257Cakira.tsukamoto%2540aist.go.jp%257Cc51e52e8276d4717dc4408d7d7dfd8c8%257C18a7fec8652f409b8369272d9ce80620%257C0%257C0%257C637215228724902874%26sdata%3DZ26DiQp%252BxGFGWia508C3mzbemgri3pDyxrHlaLxrePg%253D%26reserved%3D0
> >
> >
>
> _______________________________________________
> TEEP mailing list
> TEEP@ietf.org
>
> https://clicktime.symantec.com/32Hq3e1YQd8YgMJFEtDoneQ7Vc?u=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fteep
>

Attachment: smime.p7s

[Teep] Size of NONCE in QueryRequest Akira Tsukamoto
Re: [Teep] Size of NONCE in QueryRequest Russ Housley
Re: [Teep] Size of NONCE in QueryRequest Nancy Cam-Winget (ncamwing)
Re: [Teep] Size of NONCE in QueryRequest Dave Thaler
Re: [Teep] Size of NONCE in QueryRequest Akira Tsukamoto
Re: [Teep] Size of NONCE in QueryRequest Mingliang Pei

Re: [Teep] Size of NONCE in QueryRequest

Attachment: smime.p7s