From 9ba133b4fc6a13badbdc12ced0691a558681b869 Mon Sep 17 00:00:00 2001 From: John Mattsson Date: Thu, 13 May 2021 13:57:50 +0200 Subject: [PATCH 1/3] Security considerations regarding short tags --- draft-ietf-cose-countersign.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/draft-ietf-cose-countersign.xml b/draft-ietf-cose-countersign.xml index a365264..2b71f39 100644 --- a/draft-ietf-cose-countersign.xml +++ b/draft-ietf-cose-countersign.xml @@ -521,6 +521,9 @@ array to avoid confusion. Analysis of the size of encrypted messages can provide information about the plaintext messages. This specification does not provide a uniform method for padding messages prior to encryption. An observer can distinguish between two different messages (for example, 'YES' and 'NO') based on the length for all of the content encryption algorithms that are defined in . This means that it is up to the applications to specify how content padding is to be done to prevent or discourage such analysis. (For example, the text strings could be defined as 'YES' and 'NO '.) + + Countersignatures of COSE_Encrypt and COSE_Mac with short tags and non-empty external_aad do not at all give the security properties normally associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256-bits. A countersignature of a COSE_Mac with AES-MAC 256/128 only gives 64-bit security and a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 only gives 32-bit security. Another solution is to provide the same external_aad used in the COSE_Encrypt and COSE_Mac to the countersignature algorithm, but this external_aad is typically not available to the party performing or verifying the countersignature. +
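Review bot: In the added paragraph, the requirement "the tag length MUST be at least 256-bits" sits next to the 64-bit and 32-bit figures without saying how they are derived. The reader has to infer that each figure is half the tag length of the named algorithm (AES-MAC 256/128 and AES-CCM-16-64-128), that is, the birthday bound for collisions. One sentence stating this would make the MUST follow from the text. Smaller points in the same paragraph: write "256 bits" without the hyphen, replace "do not at all give" with "do not provide", and note that "Another solution" has no first solution named before it.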
From 47ee53f1e7c48389c60959bbd9a67cf2227757b2 Mon Sep 17 00:00:00 2001 From: John Mattsson Date: Fri, 14 May 2021 10:09:03 +0200 Subject: [PATCH 2/3] Added this this applies to group keys --- draft-ietf-cose-countersign.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-cose-countersign.xml b/draft-ietf-cose-countersign.xml index 2b71f39..8ab2410 100644 --- a/draft-ietf-cose-countersign.xml +++ b/draft-ietf-cose-countersign.xml 
@@ -522,7 +522,7 @@ array to avoid confusion. Analysis of the size of encrypted messages can provide information about the plaintext messages. This specification does not provide a uniform method for padding messages prior to encryption. An observer can distinguish between two different messages (for example, 'YES' and 'NO') based on the length for all of the content encryption algorithms that are defined in . This means that it is up to the applications to specify how content padding is to be done to prevent or discourage such analysis. (For example, the text strings could be defined as 'YES' and 'NO '.) - Countersignatures of COSE_Encrypt and COSE_Mac with short tags and non-empty external_aad do not at all give the security properties normally associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256-bits. A countersignature of a COSE_Mac with AES-MAC 256/128 only gives 64-bit security and a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 only gives 32-bit security. Another solution is to provide the same external_aad used in the COSE_Encrypt and COSE_Mac to the countersignature algorithm, but this external_aad is typically not available to the party performing or verifying the countersignature. + When used together with with symmetrical group keys, countersignatures of COSE_Encrypt and COSE_Mac with short tags and non-empty external_aad do not at all give the security properties normally associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256-bits. A countersignature of a COSE_Mac with AES-MAC 256/128 only gives 64-bit security and a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 only gives 32-bit security. 
Another solution is to provide the same external_aad used in the COSE_Encrypt and COSE_Mac to the countersignature algorithm, but this external_aad is typically not available to the party performing or verifying the countersignature.
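Review bot: The new opening clause "When used together with with symmetrical group keys" has a doubled "with", and "symmetric" is the usual term. The clause also scopes only the first sentence. The statements that follow ("only gives 64-bit security", "only gives 32-bit security") remain unconditional, so the text should say whether they too apply only when a group key is used.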
From 1efb4236bdc25c451770da4409df339c97bb86c0 Mon Sep 17 00:00:00 2001 From: John Mattsson Date: Wed, 19 May 2021 04:11:26 +0200 Subject: [PATCH 3/3] Change according to comment and change request from Russ --- draft-ietf-cose-countersign.xml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/draft-ietf-cose-countersign.xml b/draft-ietf-cose-countersign.xml index 8ab2410..9242365 100644 --- a/draft-ietf-cose-countersign.xml +++ b/draft-ietf-cose-countersign.xml 
@@ -521,8 +521,10 @@ array to avoid confusion. Analysis of the size of encrypted messages can provide information about the plaintext messages. This specification does not provide a uniform method for padding messages prior to encryption. An observer can distinguish between two different messages (for example, 'YES' and 'NO') based on the length for all of the content encryption algorithms that are defined in . This means that it is up to the applications to specify how content padding is to be done to prevent or discourage such analysis. (For example, the text strings could be defined as 'YES' and 'NO '.) - - When used together with with symmetrical group keys, countersignatures of COSE_Encrypt and COSE_Mac with short tags and non-empty external_aad do not at all give the security properties normally associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256-bits. A countersignature of a COSE_Mac with AES-MAC 256/128 only gives 64-bit security and a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 only gives 32-bit security. Another solution is to provide the same external_aad used in the COSE_Encrypt and COSE_Mac to the countersignature algorithm, but this external_aad is typically not available to the party performing or verifying the countersignature. + + When either COSE_Encrypt and COSE_Mac is used and more than two parties share the key, data origin authentication is not provided. Any party that knows the message-authentication key can compute a valid authentication tag; therefore, the contents could originate from any one of the parties that share the key. + + Countersignatures of COSE_Encrypt and COSE_Mac with short authentication tags do not provide the security properties associated with the same algorithm used in COSE_Sign. To provide 128-bit security against collision attacks, the tag length MUST be at least 256-bits. 
A countersignature of a COSE_Mac with AES-MAC 256/128 provides at most 64 bits of integrity protection. Similarly, a countersignature of a COSE_Encrypt with AES-CCM-16-64-128 provides at most 32 bits bits of integrity protection.
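Review bot: The first added paragraph says "When either COSE_Encrypt and COSE_Mac is used", which should read "either COSE_Encrypt or COSE_Mac", and the last sentence has a doubled word in "32 bits bits". The rewrite also removes the "non-empty external_aad" condition and the sentence about supplying the same external_aad to the countersignature algorithm, so the new text no longer says under which condition the short tag weakens the countersignature. If that removal is intended, a short statement of the condition would help. "256-bits" should still be "256 bits".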