-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Christian's implementation comments #110
Conversation
…roupcomm into impl-comments-christian
draft-ietf-core-oscore-groupcomm.md
Outdated
A. and then XOR with the X least significant bits of the Common IV, where X is the length in bits of the AEAD nonce. | ||
For example, if X = 7 and the Common IV is 0x00112233445566778899aabbcc (13 bytes), then the bytes to XOR are 0x00112233445566 (7 bytes). | ||
|
||
The constructed nonce is in fact used as AEAD nonce by the AEAD Algorithm (see {{ssec-common-context-aead-alg}}) and by the Group Encryption Algorithm when this is an AEAD algorithm (see {{ssec-common-context-cs-enc-alg}}). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would remove "in fact" and just put this as:
The constructed nonce is used as AEAD nonce by the AEAD Algorithm (see {{ssec-common-context-aead-alg}}) and by the Group Encryption Algorithm when this is an AEAD algorithm (see {{ssec-common-context-cs-enc-alg}}).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 486ca64
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Except for my comment above it looks good to me!
draft-ietf-core-oscore-groupcomm.md
Outdated
@@ -324,6 +333,10 @@ The new parameter Group Manager Authentication Credential specifies the authenti | |||
|
|||
The new parameter Group Encryption Algorithm identifies the algorithm to use for encryption and decryption, when messages are protected in group mode (see {{mess-processing}}). This algorithm MAY provide integrity protection. If this parameter is not set, the group mode is not used in the group. | |||
|
|||
The following non-authenticated algorithms can be used as Group Encryption Algorithm: A128CBC, A192CBC, and A256CBC {{RFC9459}}. The non-authenticated algorithm ChaCha20 {{ChaCha}} is also suitable to consider, although using it will first require its registration in the "COSE Algorithms" Registry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So here we either register ChaCha20 or we skip mentioning I think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed at d249213 by skipping ChaCha20.
draft-ietf-core-oscore-groupcomm.md
Outdated
@@ -324,6 +333,10 @@ The new parameter Group Manager Authentication Credential specifies the authenti | |||
|
|||
The new parameter Group Encryption Algorithm identifies the algorithm to use for encryption and decryption, when messages are protected in group mode (see {{mess-processing}}). This algorithm MAY provide integrity protection. If this parameter is not set, the group mode is not used in the group. | |||
|
|||
The following non-authenticated algorithms can be used as Group Encryption Algorithm: A128CBC, A192CBC, and A256CBC {{RFC9459}}. The non-authenticated algorithm ChaCha20 {{ChaCha}} is also suitable to consider, although using it will first require its registration in the "COSE Algorithms" Registry. | |||
|
|||
The following non-authenticated algorithms MUST NOT be used as Group Encryption Algorithm: A128CTR, A192CTR, and A256CTR {{RFC9459}}. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the problem with a list like this is that it's never going to be exhaustive... can we skip it? Christian only asked to add which parameter are particularly suitable...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed at d249213
draft-ietf-core-oscore-groupcomm.md
Outdated
|
||
The AEAD nonce is constructed like in OSCORE, with the difference that step 4 in {{Section 5.2 of RFC8613}} is replaced with: | ||
A. and then XOR with the X bytes from the Common IV's start, where X is the length in bytes of the nonce. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/with the X bytes/with X bytes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 486ca64
…roupcomm into impl-comments-christian
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me and aligned with our discussions yesterday
Looks good to me. |
This PR addresses the comments from Christian Amsüss archived at https://mailarchive.ietf.org/arch/msg/core/oQT5vcbEsui9fvf7P9QH4PEsX-c/
In addition to that:
Where appropriate, it replaces "AEAD nonce" with "nonce" and "AEAD key" with "key", consistent with the fact that the Group Encryption Algorithm might not be an AEAD algorithm.
For endpoints that use non-authenticated encryption, it makes A128CBC mandatory to implement as non-authenticated Group Encryption Algorithm.
It clarifies that the HKDF Algorithm must be an HMAC-based HKDF.