Hi,

When I analysed an earlier version of Group OSCORE some years ago, it had severe security problems when used with CCM_8 + Countersignature. The attacks were pretty bad: 64-bit offline complexity against source authentication/availability from a different person in the group, and something slightly over 32-bit online security (collecting 2^32 messages) against source authentication/availability from a third party outside of the group. The problem was that the countersignature relied on the AEAD tag for integrity protection of the additional data. This was fixed in Group OSCORE by adding all the additional data to the signature as well.
The use case of Countersignatures is "Countersignatures provide a method of having a second party sign some data." In this case I don't think CCM_8 + Countersignature provides the expected security. Unless you can put all the additional data to the signature as well, I think CCM_8 + Countersignature needs to be forbidden.

I don't really see why Group OSCORE is using countersign in the first place; it seems like a relic from a time when it was assumed that OSCORE would be a single COSE structure on the wire as well.

Cheers,
John

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
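The structural problem John describes (a countersignature that covers only the AEAD output, so the additional data is bound to the sender only through the truncated tag) can be shown with a small model. The following is an added example, not code from the message, from Group OSCORE or from any COSE implementation. Everything in it is a toy stand-in: the AEAD is an HMAC-SHA256 keystream plus an HMAC tag truncated to TAG_LEN bytes (CCM would use AES and a 64-bit tag for CCM_8), the "countersignature" is an HMAC under a key only the sender holds (a real countersignature is asymmetric, but only the bytes it covers matter here), the AAD layout is invented, and which AAD fields an attacker could actually vary in the real protocol is not modelled. With a 16-bit tag the insider's search takes well under a second; with CCM_8 the same search is the ~2^64 offline work the message mentions.

```python
import hashlib
import hmac
import struct

# Toy parameter (assumption): a 2-byte tag so the search below is quick.
# CCM_8 truncates the tag to 8 bytes, making the same search ~2^64 work.
TAG_LEN = 2


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (stands in for AES-CTR in CCM)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _tag(key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    """Toy AEAD tag over nonce, length-prefixed AAD and ciphertext, truncated."""
    msg = b"tag|" + nonce + struct.pack(">I", len(aad)) + aad + ct
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def aead_seal(key: bytes, nonce: bytes, aad: bytes, pt: bytes):
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return ct, _tag(key, nonce, aad, ct)


def aead_open(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag: bytes):
    if not hmac.compare_digest(_tag(key, nonce, aad, ct), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def sig_input(scheme: str, aad: bytes, ct: bytes, tag: bytes) -> bytes:
    """What the countersignature covers under the two designs in the message."""
    if scheme == "tag_only":   # old: AAD bound only via the (truncated) AEAD tag
        return ct + tag
    if scheme == "with_aad":   # fixed: the additional data is signed directly
        return struct.pack(">I", len(aad)) + aad + ct + tag
    raise ValueError(scheme)


def countersign(sender_sk: bytes, scheme: str, aad: bytes, ct: bytes, tag: bytes) -> bytes:
    # Toy signature: HMAC under the sender's private key (assumption, not COSE).
    return hmac.new(sender_sk, sig_input(scheme, aad, ct, tag), hashlib.sha256).digest()


def recipient_accepts(group_key, sender_pk, scheme, nonce, aad, ct, tag, sig) -> bool:
    """Recipient check: AEAD tag over the AAD it reconstructs, then the countersignature."""
    if aead_open(group_key, nonce, aad, ct, tag) is None:
        return False
    return hmac.compare_digest(countersign(sender_pk, scheme, aad, ct, tag), sig)


def insider_forge_aad(group_key, nonce, ct, tag, wanted_prefix, limit=1 << 22):
    """Insider attack: holds the group key but not the sender's signing key.

    Keeps ct, tag and sig from a genuine message and sweeps a free field of the
    AAD until the shared-key tag matches; expected cost ~2^(8*TAG_LEN) tries.
    """
    for i in range(limit):
        cand = wanted_prefix + struct.pack(">I", i)
        if _tag(group_key, nonce, cand, ct) == tag:
            return cand
    return None


def demo(scheme: str):
    """Returns (genuine message accepted, insider-forged AAD accepted)."""
    # Constructed keys, nonce, AAD and payload for the demonstration.
    group_key = hashlib.sha256(b"constructed group key").digest()
    sender_sk = hashlib.sha256(b"constructed sender signing key").digest()
    sender_pk = sender_sk  # toy: symmetric "signature", verifier uses same key
    nonce = b"constructed12"
    aad = b"ext_aad|kid=A|" + struct.pack(">I", 7)
    pt = b"GET /actuators/valve"

    ct, tag = aead_seal(group_key, nonce, aad, pt)
    sig = countersign(sender_sk, scheme, aad, ct, tag)
    genuine_ok = recipient_accepts(group_key, sender_pk, scheme, nonce, aad, ct, tag, sig)

    # The insider wants the same signed ciphertext accepted under different AAD.
    forged = insider_forge_aad(group_key, nonce, ct, tag, b"ext_aad|kid=B|")
    forged_ok = forged is not None and recipient_accepts(
        group_key, sender_pk, scheme, nonce, forged, ct, tag, sig)
    return genuine_ok, forged_ok


if __name__ == "__main__":
    print("tag_only:", demo("tag_only"))   # forged AAD passes both checks
    print("with_aad:", demo("with_aad"))   # AEAD passes, signature fails
```

Under `tag_only` the forged AAD survives both the AEAD check (the insider chose it to collide on the shared-key tag) and the signature check (the signature never saw the AAD), so the tag's truncation length is the whole source-authentication margin. Under `with_aad` the same collision still passes the AEAD check but the countersignature fails, which is the fix the message refers to.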
