0008168: Unclear and/or misleading wording in the ECC Amendment - SignOnly does never use the InitializationVector

ID	Project	Category	View Status	Date Submitted	Last Update

0008168	10000-006: Mappings	Spec	public	2022-07-28 11:51	2023-01-17 17:21

Reporter	Bernd Edlinger	Assigned To	Randy Armstrong
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Fixed in Version	1.05.03 RC1

Summary	0008168: Unclear and/or misleading wording in the ECC Amendment - SignOnly does never use the InitializationVector
Description	I refer to this document: https://reference.opcfoundation.org/src/v104/Core/docs/Amendment4/readme.htm In Chapter "6.8.2 Secure Channel Handshake", this is written: "The ClientInitializationVector is used when the Client encrypts or signs and the ServerInitializationVector is used when the Server encrypts or signs." But that is not true, when the Channel is SignOnly we never use the Initialization Vector. This could however be misunderstood to mean that the Poly1305 signature is implemented using ChaCha20-Poly1305(SignatureKey, InitializationVector XOR mask) with 0 bytes of Encryption, and the complete packet as Additional Data. Suggested fix: Change the spec, or add an Errata, which says that the InitializationVector is never used in SignOnly mode.
Tags	No tags attached.

Commit Version
Fix Due Date

Randy Armstrong 2022-08-03 15:49 administrator ~0017222	First update: this text needs to state that it only applies to Authenticated Encryption: In addition, a unique InitializationVector is needed for each Message. This value contructed from the ClientInitializationVector or ServerInitializationVector where the first 8 bytes are replaced by the values in Table 62 encoded as described in 5.2.2.2. This paragraph only applies to authenticated encryption: When using Sign mode it is necessary to have a SigningKey that is unique and unpredictable for each message. The transformation defined for the InitializationVector is applied to the ClientSigningKey (when the Client signs) or the ServerSigningKey (when the Server signs). After applying the transformation, a hash is computed using the Hash function specified by the KeyDerivationAlgorithm. If the hash length is greater than or equal to the SigningKey length then the first SigningKey length bytes from the hash are used. If the hash length is less than the SigningKey length then the first hash length bytes of the SigningKey are replaced with the hash.

Randy Armstrong 2022-12-29 15:45 administrator ~0018372	Removed statement that InitializationVector is used for signing in 6.8.2.

Jim Luth 2023-01-17 17:21 administrator ~0018533	Agreed to changes in web meeting,

Date Modified	Username	Field	Change
2022-07-28 11:51	Bernd Edlinger	New Issue
2022-07-28 11:51	Bernd Edlinger	Status	new => assigned
2022-07-28 11:51	Bernd Edlinger	Assigned To	=> Randy Armstrong
2022-07-28 12:05	Randy Armstrong	Project	Specifications => 10000-006: Mappings
2022-07-28 12:30	Randy Armstrong	Status	assigned => new
2022-08-03 15:49	Randy Armstrong	Note Added: 0017222
2022-08-03 15:49	Randy Armstrong	Status	new => assigned
2022-12-29 15:45	Randy Armstrong	Status	assigned => resolved
2022-12-29 15:45	Randy Armstrong	Resolution	open => fixed
2022-12-29 15:45	Randy Armstrong	Fixed in Version	=> 1.05.03 RC1
2022-12-29 15:45	Randy Armstrong	Note Added: 0018372
2023-01-17 17:21	Jim Luth	Status	resolved => closed
2023-01-17 17:21	Jim Luth	Note Added: 0018533