IETF Logo Mail Archive

Re: [Teep] Use of AES-CTR in TEEP?

"Tschofenig, Hannes" <hannes.tschofenig@siemens.com> Wed, 11 October 2023 08:39 UTC

Return-Path: <hannes.tschofenig@siemens.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A770DC14CF0C; Wed, 11 Oct 2023 01:39:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oAXH4nurlTFx; Wed, 11 Oct 2023 01:39:49 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2076.outbound.protection.outlook.com [40.107.22.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0E1FC15108A; Wed, 11 Oct 2023 01:39:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=O2tgtkhbSWVbGu2Jhx13dJeYZYtCGnwRg4rlJckumvg+KreehkUcGdRDltlEqd3L67V4aDLkUldsMpb1C4i9VRGFt1pFVqeiUlogJQU4nIoKkL31Yc/SGTIlrpTUtKGvIhNgbRCwmy9xlAkqr61kNv7CIcQduxCLGVQYqbnWxJW0uSS9cYgyMC+oPNN4cEj9x7vhG3viEDZrVDdfrUSvFcaw8t4muAs9yDIzXBU/FsBGE0rtwVtFIINJAdFlPAzbF0t4ZzQYMa9MMY3Ld+z6GiImhAxr7ANJ1oIi9jVWFUEtsTY1wJdVQlFIvBAmqd83UL7sW64eHpgk4hXCVzlUMw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kWz5PV4ow5REeuAY0pZhX2WDCYLpD/YK0rr6sd5JeBY=; b=jL50iqQOvdsbGZCIFrrsj8ANkYtxFl2JTpkcZQmVj0zwNOqOCcnY2RPJ0XEhUcD8T5G/e1YNVD6ZId1wlLuXTZJwR1HqXxiADRyGBSD5wgfUbdxIjPIMtK7/h9hESORyybCahket3KeR3dwXAPQIf62X6osR6Z9m6KaMtrvKtDeLJU2Zch5mO4AiNMSA2PhzVYV2VUQErjBOQvqUik/nGhE0SJDfgSO9pBDwFOk2ovm3vtYwqJaXJiFUp6kMpTtV0K2MGsqCJbvsPa/jHS7x82zTG3woD5KzlX9lnGfrzD+WGCXJ4N0eEHR1zzRlhh56dMYYKt9P1znz0s+NtXWFYQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kWz5PV4ow5REeuAY0pZhX2WDCYLpD/YK0rr6sd5JeBY=; b=l8RWo+hjnGEr7w/4Gk73FtwSahYNN5+pDvbSSrYy0u43PLWT9FynzvR6xTxpN41eGTIViATPmwnaSQHsbO7JR59m/euNHBJoB3dKUFzCCiduUavvNcb2+ZAZ4fwIER1WiDxsLnjmWeKpjWFeE/J2kT11GXLOerEhx2H5LLE/21IBAjkFci+hBqrYcfLWtGmjmTngyS9dpXsUrHx5Tq9HyadTROGt8Qjyi14528XnutgnfJB0L4MQKO804G7e4rc8R0FxHUgm5f52+LHEgQMXJbio+E2iIZR18tP/N4TgmX3ZMR1l0AWltl4p6vjJhK/0vJO1DQvVwDqAqGpDflTHDA==
Received: from AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:5ab::22) by PA4PR10MB5658.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:263::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6863.36; Wed, 11 Oct 2023 08:39:46 +0000
Received: from AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM ([fe80::7f30:84aa:6bf8:4cdf]) by AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM ([fe80::7f30:84aa:6bf8:4cdf%7]) with mapi id 15.20.6838.033; Wed, 11 Oct 2023 08:39:46 +0000
From: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>
To: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "teep@ietf.org" <teep@ietf.org>, "suit@ietf.org" <suit@ietf.org>
Thread-Topic: [Teep] Use of AES-CTR in TEEP?
Thread-Index: AQHZ+6iy52xc/uCpwES1ylL8RvJv2bBEQrZg
Date: Wed, 11 Oct 2023 08:39:46 +0000
Message-ID: <AS8PR10MB74273BFE98E73F945178E498EECCA@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
References: <PH7PR21MB3878F05953BAF6113F429396A3C9A@PH7PR21MB3878.namprd21.prod.outlook.com> <488eb665-30fc-4be9-832d-0ccc8409db36@gmx.net> <PH7PR21MB387889BB6C524006BD889B07A3CEA@PH7PR21MB3878.namprd21.prod.outlook.com> <02e701d9fb3a$9bf15660$d3d40320$@gmx.net> <PH7PR21MB3878C1969D2493B0FAF140D9A3CDA@PH7PR21MB3878.namprd21.prod.outlook.com> <034801d9fba3$8b38d960$a1aa8c20$@gmx.net> <PH7PR21MB38789801F26D624F00EB588EA3CDA@PH7PR21MB3878.namprd21.prod.outlook.com>
In-Reply-To: <PH7PR21MB38789801F26D624F00EB588EA3CDA@PH7PR21MB3878.namprd21.prod.outlook.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ActionId=20f9f108-748c-4421-a10b-9a1166bb46ad;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ContentBits=0;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Enabled=true;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Method=Standard;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Name=restricted;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SetDate=2023-10-11T08:29:13Z;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=c345a887-b59b-4ba3-9620-6b7d0cf2e643;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2023-10-10T18:01:37Z;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AS8PR10MB7427:EE_|PA4PR10MB5658:EE_
x-ms-office365-filtering-correlation-id: 6598cf0d-351a-4fe8-e2dd-08dbca359fba
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: qmoL31QvRN5L+vzmwIM/IXT+qthG3uFsAvHlIAcQyimCLOhzTqUq70EIV2lCDKzkBWcXCi0W+0yH8nj00sb0UltjDfemIjBoZE1NbKzzkDuCsqNniMREl/RSHWCItTfgV452j6SJVmjysFZ8A8S+mFstV1z2GNQNoIgwLo/FS8teDm7IBv8Yg549p15WdKra9a4btZb2+TlOzQj2ZcdixDFBeHafELhEMk2I8AEQYQOe0OGiZKKzF7A/FZLdA3r15SZCFsIITRtTv+MN9Rj8yJYQHYKLz9WjAw0NAdJfeXHQZaJ5+g3Ksk8b5J9OLmEcn1DSrq8m/wwGpGuMW88OTKyLKl0zM70SA5RhOKe4yXbtggZbzeflBeJIT3GQ4Uk5pyE6BRdJ/Co8xL8Y2BbAGP6imr8ijwNZPFnQelXNLMV6DeSYrYYLb24b+xsp1CV8jqvVZfQqesOmB2L2wCP0sztb6VXK/lssEiA27XH9e2deegYaiYKallcZaE1v2KsGzhYFcOF9Csl9XagPhp60642Utv/0fN7Dc+qU2HJ1LUwTw4/oweJFqXOFnhtYw4s0VrEo+LyNZUmznYk7Gdfn9npKJ7iy8cj9MwOGDhCA5Kg=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(136003)(346002)(396003)(366004)(39860400002)(376002)(230922051799003)(64100799003)(451199024)(186009)(1800799009)(82960400001)(38070700005)(38100700002)(86362001)(122000001)(33656002)(2906002)(55016003)(478600001)(9686003)(966005)(7696005)(53546011)(71200400001)(41300700001)(52536014)(5660300002)(6506007)(45080400002)(8936002)(8676002)(83380400001)(64756008)(316002)(66476007)(66556008)(76116006)(66446008)(66946007)(110136005)(66574015)(26005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 92VmeMDaxq5+Ravu/2500eGsU69CZLBZQT7ZJ9vHWCp0SNnAlmOHkB5TaIIkFZbpq4dRhxFOrpizQwWiA6bdCslbszaIimSVi9n3e8Nw+h/7IwYX1Bsi3l0WOyKuvI1iYh7EgqPpSBPH909pt9r9m2QkccrGECbNKlPli+O8Tf0HwZN69T5EMX+rBkow+4mZWCTZoBOADN9HuZpxoHA+JZqzD5bYolgdkjRZMp4UyhAy/0INzN2j//X2A1FYDxvcGhth+4URjl7oiY/urpZ9hDjyBuzaqe5aCQ1dd/HHoLTbFnkTRIu3ipqrXuRm2xT94c9A8vN32vQo1ZYb5gyNG4OQkEFOkrrzQq0vZ5P6dNKlYzP9IO35LuUbnpMYp2hASa8a5LutN98rMvizD+RXnOTXSQUI5ZCZ9nHr3BPHusjxnWwK/TUJ9u5aYQror1VeqIdjGprs8I++m47dh/R12i0mQ8M6J8THlCuTzKpVF1Okj6puF2LesKcBMi4BCsou9hi/cF2OrLJ+L4RQcdnR6nPiKkcD0z2dm0IC3lHznlScswmyG40CfADPvb1Tm6TKSj2925p8cMuprt3zZ70UsjJpvo3R8Cy27SDFWfNYQfFbOgE+lFpty43VuP2c7TsMogZwEh/TcEyXSW4qZH9ft45B+1GeB4flJjVQbHSrWPtDIP8cnjAZhoSLqpU1W+q4tuBMJMUSU1CPWUgtMWeMzoiwyGVN8pPoA4HbfykgNMRE7RCdfzCEbconMvB4qruuKitAngYNisczIFr/WkWX+8POkI0QLgXtrDx7/1FhvEOhf4GuIJAYxRAa+AOSK3EQxDAIlv1sVLy7/zaiLrNPXII4Wvp+tWcS9v7Sswx6hc7o+xpk0loJ9XCgdIKjIY1L5rvF/bUAC1A8apq/2Tw0a4Ic7K2s8k7cLBnX/eFcmchSQqZnmBB8l5sEe0yItGsBL5eHDdoji/ePF5MoFvCL0KOAWddEOg0qfB/9UG+zQCugD4M0ELK9wrQUgNHOqPvyF/WfpSAgQD1A0xbOdadVJl06yV4SGlqGonryGZ5bkhjemjLZOiJatgJKp7HIvjJjcLD14N1ilK6o+LGmbK4xe2fE4jf+R36nxC4PwzIdWTQgNbI/d2DBnpaUfoVYw6exrXfHAjiIl9BmGctFUrYYAcR5DFK6F9fDAHzyyY8EbVMeQJh6ga7c/CeGuVtAyl0Gt6MWbRIXwz0N/B49kVMd57xgK9kFbHTQeWb2g4NagnLIdR3YpTmzYmIIAhcOGBc5MzEmTKY692kfDYl7VbW3ejPv+xV6oYZMcEban9hpwT5ggaM0OR8x8oYhpU8fuQUhD7c3KNHX/MlrJ0zhMWOjNHx49U9QS9969fdbivINDcctNY0p6ftuOOoiEjEwYjxsVDyT0LycnegOOVBpvhvGGeB0H9t8wAi/9IwHKzhAYc4Wd0Y+VDejxjHJUNzhkH/HYqOVh3WYN4Yddt34YwwO+6pYjITI1V1A8SE5CYpIm380gHpAlh0UsIjL0zjEDR3Jdm1CvAmrWOL9yd+Ex5sNjax5Mi7W0yKarpOuKI2C1otBgvx9Gmi2aOxap0BrGvyC2qMgCj4oc0fSITMPKlpORQ==
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 6598cf0d-351a-4fe8-e2dd-08dbca359fba
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Oct 2023 08:39:46.4879 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vjM7vwWWUJK8LuUwLqaN5Sg0xSPzDWi5W9Fy08z69I2N5B+fS8n9K6hXrKIlB/yaFyJdRnG3Gwndl5mRij2M7lD+XCHzlsy7VXqJbRBpUdI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR10MB5658
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/x0tJZAW6KvwTcdl42u29ZqSQVgQ>
Subject: Re: [Teep] Use of AES-CTR in TEEP?
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Oct 2023 08:39:54 -0000

Hi Dave,

in my view TAMs are not going to manage firmware updates on constrained IoT devices, like microcontrollers, and hence they don't need to support algorithms that are specifically designed to take issues of those constrained IoT devices into account. Of course, I would be interested to hear whether someone is planning to do this.

I am wondering whether it is better to create a new draft that lists the algorithms for use with TEEP (to avoid confusion with the classical SUIT use cases). The algorithms in draft-ietf-suit-mti are fine for the IoT use case. I am not arguing about that.

I hope it is clear what I try to avoid. I dont' want developers to use AES-CTR (or AES-CBC) for use cases it was not designed for. If you can use an AEAD cipher, you should do it. Here is what RFC 9459 says on this topic:

"
   This document specifies AES-CTR and AES-CBC for COSE, which are not
   AEAD ciphers.  The use of the ciphers is limited to special use
   cases, such as firmware encryption, where integrity and
   authentication is provided by another mechanism.
"


Ciao
Hannes

-----Ursprüngliche Nachricht-----
Von: Suit <suit-bounces@ietf.org> Im Auftrag von Dave Thaler
Gesendet: Dienstag, 10. Oktober 2023 20:36
An: hannes.tschofenig@gmx.net; teep@ietf.org; suit@ietf.org
Betreff: Re: [Suit] [Teep] Use of AES-CTR in TEEP?

TEEP requires TAMs to support all MTI algorithms and allows Agents to pick among MTI algorithms and may be constrained or not, support crypto offload or not, etc. hence the allowing of choice.

If I understand correctly, you're arguing that a TAM must support both CTR and GCM, and an Agent can pick either one, and the suit-mti draft should specify both profiles, did I get that right?

Dave


> -----Original Message-----
> From: hannes.tschofenig@gmx.net <hannes.tschofenig@gmx.net>
> Sent: Tuesday, October 10, 2023 11:00 AM
> To: Dave Thaler <dthaler@microsoft.com>; teep@ietf.org; suit@ietf.org
> Subject: RE: [Teep] Use of AES-CTR in TEEP?
>
> Sorry for the confusion, Dave. I have hit the "send" button a bit too fast.
>
> It should, of course, read "This adds no new requirements to
> constrained IoT devices."
>
> Ciao
> Hannes
>
> -----Original Message-----
> From: TEEP <teep-bounces@ietf.org> On Behalf Of Dave Thaler
> Sent: Dienstag, 10. Oktober 2023 19:41
> To: hannes.tschofenig@gmx.net; teep@ietf.org; suit@ietf.org
> Subject: Re: [Teep] Use of AES-CTR in TEEP?
>
> Hannes wrote, regarding draft-suit-mti::
> > I would like to have a new profile added that defines
> > suit-sha256-es256-ecdh- a128gcm for use with TEEP.
> > This should be the default profile for use in TEEP.
> >
> > This adds new requirements to constrained IoT devices. Constrained
> > IoT devices should use one of the other 5 profiles already defined.
>
> Did I read that right, you want new requirements for _constrained_ devices?
> Your last two sentences seem to contradict each other, so either
> there's a typo or I'm not understanding.
>
> Dave
>
> _______________________________________________
> TEEP mailing list
> TEEP@ietf.org
> https://www/.
> i%2F&data=05%7C01%7Channes.tschofenig%40siemens.com%7C345c31b461654c65
> e7bf08dbc9bfd29d%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C63832559
> 7948766603%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzI
> iLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=hB93IuYuqpSRS1GW
> Op9zCxAxzhwR7vhGXuRvKbW%2BCCU%3D&reserved=0
> etf.org%2Fmailman%2Flistinfo%2Fteep&data=05%7C01%7Cdthaler%40micros
> oft.com%7C71df398b41a948f442ec08dbc9baab47%7C72f988bf86f141af91ab
> 2d7cd011db47%7C1%7C0%7C638325575811642807%7CUnknown%7CTWFpb
> GZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
> Mn0%3D%7C3000%7C%7C%7C&sdata=z%2BA0%2FHZQ7v%2Bi97e4R%2Bz7H
> qXwLE9q%2Bq93mb%2BNTXLtF%2F4%3D&reserved=0

_______________________________________________
Suit mailing list
Suit@ietf.org
https://www.ietf.org/mailman/listinfo/suit

v2.23.0 | Report a Bug | By Email