John: Are you asking for additional text in the security considerations to warn against short MACs? If so, can you provide the first draft of such text?
Russ

> On Mar 12, 2021, at 3:12 AM, John Mattsson <[email protected]> wrote:
>
> Hi,
>
> When I analysed an earlier version of Group OSCORE some years ago it had
> severe security problems when used with CCM_8 + Countersignature. The attacks
> were pretty bad. 64-bit offline complexity against source
> authentication/availability from a different person in the group and
> something slightly over 32-bit online security (collecting 2^32 messages)
> against source authentication/availability from a third party outside of
> the group. The problem was that the countersignature relied on the AEAD tag
> for integrity protection of the additional data. This was fixed in Group
> OSCORE by adding all the additional data to the signature as well.
>
> The use case of Countersignatures is "Countersignatures provide a method of
> having a second party sign some data." In this case I don't think CCM_8 +
> Countersignature provides the expected security. Unless you can put all the
> additional data to the signature as well, I think CCM_8 + Countersignature
> needs to be forbidden.
>
> I don't really see why Group OSCORE is using countersign in the first place,
> it seems like a relic from a time when it was assumed that OSCORE would be a
> single COSE structure on the wire as well.
>
> Cheers,
> John

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
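The two designs John contrasts, as an added illustration that is not code from this thread, from COSE or from Group OSCORE: a countersignature whose to-be-signed bytes cover only ciphertext and tag (so the additional data is protected only by the 64-bit CCM_8 tag) beside one whose to-be-signed bytes also include the additional data. The AEAD and the signature are stand-ins built from SHA-256/HMAC (a truncated 8-byte HMAC plays the CCM_8 tag; an HMAC plays the public-key signature), the keys and the JSON-like AAD are constructed, and the `CounterSignature` prefix is an assumed label, not the real COSE Countersign structure.

```python
import hashlib
import hmac

TAG_LEN = 8  # 64-bit AEAD tag, the tag length of CCM_8


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream derived from SHA-256; stands in for CCM's counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def aead_encrypt(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes):
    # Stand-in AEAD: XOR with keystream, then an HMAC truncated to TAG_LEN bytes
    # over (nonce, aad, ciphertext). Only the tag length matters for this example.
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct, tag


def aead_tag_ok(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag: bytes) -> bool:
    expected = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)


def sign(sig_key: bytes, tbs: bytes) -> bytes:
    # Stand-in for a public-key countersignature (e.g. EdDSA) under the signer's key.
    return hmac.new(sig_key, tbs, hashlib.sha256).digest()


def verify(sig_key: bytes, tbs: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(sig_key, tbs), sig)


def tbs_tag_only(aad: bytes, ct: bytes, tag: bytes) -> bytes:
    # Earlier design: the signature binds ciphertext and tag only. The additional
    # data is bound to the signer no more strongly than the 64-bit tag binds it.
    return b"CounterSignature" + ct + tag


def tbs_with_aad(aad: bytes, ct: bytes, tag: bytes) -> bytes:
    # Fixed design: the additional data is part of the signed bytes as well.
    return b"CounterSignature" + len(aad).to_bytes(2, "big") + aad + ct + tag


def protect(tbs_builder, aead_key, sig_key, nonce, aad, plaintext):
    ct, tag = aead_encrypt(aead_key, nonce, aad, plaintext)
    sig = sign(sig_key, tbs_builder(aad, ct, tag))
    return ct, tag, sig


def check(tbs_builder, aead_key, sig_key, nonce, aad, ct, tag, sig):
    """Return (signature_ok, tag_ok) for a received message."""
    return (verify(sig_key, tbs_builder(aad, ct, tag), sig),
            aead_tag_ok(aead_key, nonce, aad, ct, tag))


def aad_tamper_experiment():
    # Constructed keys: the AEAD key is shared by every group member, the signing
    # key belongs to one member only.
    aead_key = b"\x11" * 16
    sig_key = b"\x22" * 32
    nonce = b"\x33" * 13
    aad = b'{"kid":"alice","piv":7}'          # constructed additional data
    tampered_aad = b'{"kid":"bob","piv":7}'   # same ciphertext, different AAD
    results = {}
    for name, builder in (("tag_only", tbs_tag_only), ("with_aad", tbs_with_aad)):
        ct, tag, sig = protect(builder, aead_key, sig_key, nonce, aad, b"hello")
        results["honest_" + name] = check(builder, aead_key, sig_key, nonce, aad, ct, tag, sig)
        results[name] = check(builder, aead_key, sig_key, nonce, tampered_aad, ct, tag, sig)
    return results


if __name__ == "__main__":
    for k, v in aad_tamper_experiment().items():
        print(f"{k:18s} signature_ok={v[0]} tag_ok={v[1]}")
```

With the tag-only construction, substituting the additional data leaves the signature valid and only the 8-byte tag check fails, so the signer's vouching for the AAD is worth exactly the strength of that tag (the 64-bit offline and roughly 32-bit online figures John quotes, and a weaker bound still for an insider who holds the shared AEAD key). With the AAD inside the signed bytes, the signature itself fails on the substituted AAD, independent of tag length.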
