Re: [Teep] Size of NONCE in QueryRequest
Mingliang Pei <mingliang.pei@broadcom.com> Sat, 04 April 2020 18:18 UTC
> Using the same type of NONCE in TEEP and RATS would make the implementation easier and having less chance of having bugs.

A compelling argument for me to take this approach. Concur on this change.

Thanks,

Ming

On Fri, Apr 3, 2020 at 7:31 PM Akira Tsukamoto <akira.tsukamoto@aist.go.jp> wrote:
> Hi Russ, Nancy and Hannes,
>
> Thanks for your comments.
>
> I would like to use the same representative of NONCE in TEEP as EAT, which is `bstr .size (8..64)`, minimum 8 bytes, max 64 bytes, as Hannes mentioned, instead of int or uint which I mentioned earlier.
>
> The int/uint could have only up to 8 bytes maximum.
> While bstr could have variable length.
>
> 8 bytes in decimal max: 18446744073709551615
> uint .size 8 in hex is: 1B FF FF FF FF FF FF FF FF
> bstr .size 8 in hex is: 58 08 FF FF FF FF FF FF FF FF
>
> The uint representation is only one byte smaller while bstr could go up to
>
> 64 bytes in decimal max:
> 13407807929942597099574024998205846127479365820592393377723561443721764030073546976801874298166903427690031858186486050853753882811946569946433649006084095
>
> uint .size 64 <- not possible
> bstr .size 64 in hex is:
> 58 40
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
> FF FF FF FF FF FF FF FF
>
> Using the same type of NONCE in TEEP and RATS would make the implementation easier and having less chance of having bugs.
>
> Now I have a concrete idea of NONCE representation, thanks,
>
> -Akira
>
>
> On 4/4/2020 12:01 AM, Nancy Cam-Winget (ncamwing) wrote:
> > Hi Russ and Akira,
> > Yes the Nonce is for replay...in TEEP there was consensus to use RATs claims. That said, the Nonce claim in RATS is a minimum 8 bytes with a max of 64. I agree that 4 is not enough....but what is the appropriate size for TEEP? Perhaps 16?
> > Nancy
> >
> > On 4/3/20, 6:57 AM, "TEEP on behalf of Russ Housley" <teep-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:
> >
> > What is the NONCE supposed to do here? If it is replay protection, 4 bytes is not enough. For example, OCSP uses up to 32 bytes.
> >
> > Russ
> >
> > > On Apr 3, 2020, at 4:35 AM, Akira Tsukamoto <akira.tsukamoto@aist.go.jp> wrote:
> > >
> > > Hi all,
> > >
> > > I would like to ask expertise in the mailing list.
> > >
> > > The QueryRequest has a member NONCE in representation of bstr in the teep protocol draft.
> > >
> > > From the feedback from the virtual hackathon last week in Japan, I prefer using bstr as little as possible and use number representation in int or uint since it reduces the size of the teep message and int/uint are more programming language friendly.
> > >
> > > Then I came across how large the integer could be to hold nonce in the member field.
> > >
> > > Currently it is:
> > >
> > > QueryRequest = {
> > >   ....
> > >   TOKEN : bstr,
> > >   ....
> > >   ? NONCE : bstr,
> > >   ....
> > > }
> > >
> > > and would like to suggest
> > >
> > > QueryRequest = {
> > >   ....
> > >   TOKEN => uint .size 4,
> > >   ....
> > >   ? NONCE => uint .size 4,
> > >   ....
> > > }
> > >
> > > but not sure the unsigned 32bit is large enough or not.
> > > The max of unsigned 32bit, 0x ff ff ff ff, is 4,294,967,295.
> > > And do we expect negative numbers here, if not would like to use uint instead of int?
> > >
> > > Any comments are welcome,
> > >
> > > Akira
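As an added example (not code from the thread or from the TEEP project), the CBOR encodings compared above written as a small Python encoder for major type 0 (uint) and major type 2 (bstr) using the shortest-form length header from RFC 8949, plus the receiver-side checks a verifier applies to a nonce under the `bstr .size (8..64)` constraint: size validation and a constant-time match against the nonce it issued. The function names, the 16-byte default and the `wire_sizes` comparison helper are this example's own.

```python
import hmac
import secrets

# EAT nonce claim constraint adopted in the thread: bstr .size (8..64)
NONCE_MIN, NONCE_MAX = 8, 64

def cbor_head(major: int, arg: int) -> bytes:
    """Major type plus argument (length or value) in the shortest form (RFC 8949)."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    for info, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if arg < 1 << (8 * width):
            return bytes([(major << 5) | info]) + arg.to_bytes(width, "big")
    raise ValueError("CBOR argument does not fit in 8 bytes")

def encode_uint(n: int) -> bytes:
    """Major type 0; the value is capped at 8 bytes, so uint .size 64 is impossible."""
    if n < 0:
        raise ValueError("uint cannot be negative")
    return cbor_head(0, n)

def encode_bstr(b: bytes) -> bytes:
    """Major type 2: length header then raw bytes. An 8-byte string gets the one-byte
    header 0x48; 0x58 0x08 decodes identically but is not the shortest form."""
    return cbor_head(2, len(b)) + b

def is_valid_nonce(nonce: bytes) -> bool:
    """Receiver-side size check against bstr .size (8..64)."""
    return NONCE_MIN <= len(nonce) <= NONCE_MAX

def new_nonce(size: int = 16) -> bytes:
    """Fresh random nonce for a QueryRequest; 16 bytes is the size floated in the thread."""
    if not NONCE_MIN <= size <= NONCE_MAX:
        raise ValueError("nonce size outside 8..64")
    return secrets.token_bytes(size)

def nonce_matches(issued: bytes, received: bytes) -> bool:
    """Replay check: the nonce echoed back must equal the one this side issued."""
    return is_valid_nonce(received) and hmac.compare_digest(issued, received)

def wire_sizes(value_bytes: int) -> tuple:
    """(uint size, bstr size) on the wire for an all-0xFF nonce of value_bytes bytes;
    the uint entry is None where CBOR cannot carry the value."""
    bstr_len = len(encode_bstr(b"\xff" * value_bytes))
    try:
        uint_len = len(encode_uint((1 << (8 * value_bytes)) - 1))
    except ValueError:
        uint_len = None
    return uint_len, bstr_len
```

`wire_sizes(8)` shows an 8-byte uint and an 8-byte bstr both cost 9 bytes in shortest form, while `wire_sizes(64)` shows only the bstr form can carry a 64-byte nonce.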