IETF Logo Mail Archive

Re: [Cfrg] GCM nonce reuse question

John Bradley <ve7jtb@ve7jtb.com> Tue, 02 April 2013 18:00 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D957621F8C85 for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2013 11:00:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.255
X-Spam-Level:
X-Spam-Status: No, score=-0.255 tagged_above=-999 required=5 tests=[AWL=-0.915, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k1lWzrQBHUw1 for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2013 11:00:03 -0700 (PDT)
Received: from mail-ob0-x233.google.com (mail-ob0-x233.google.com [IPv6:2607:f8b0:4003:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id 6006C21F8C83 for <cfrg@irtf.org>; Tue, 2 Apr 2013 11:00:03 -0700 (PDT)
Received: by mail-ob0-f179.google.com with SMTP id vb8so614421obc.38 for <cfrg@irtf.org>; Tue, 02 Apr 2013 11:00:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=wm4xSR39OGBXfQg1RPQ3f2Z5Mo2WJO2H3NxF3xHR/oQ=; b=ZkP7T7v0bgKf/OtSpmu3GWDjpI9Pw4aFNjMygZvCu9oNEbBpHpLRS1g8oDrEHw5lUR rejNwouqzkbwrz+i5rMqCkL6oq0SChwjB/LRmPeY6Wk6iM3Si6las3jGkwyOj7BSHORi zPsgLylxry/43SySswFQ9V9kFR1Glyw466PMQDHZfqs5x7PJxRC8rg5erl3bcyFwqaYK wD5pbebHo/4kxq3cCuuQuOe1P5Qm3k7AbpChtLv0TX5BHg6L9FjddxTatd4KXtjC53Xt 3L1MIPIyjFQ3UN4vmEdy9N3DKx8ZFTYarE5S4CRY03XN84Jdryn5lM3Bk7V6egHfuyTz UL4w==
X-Received: by 10.182.56.134 with SMTP id a6mr5978000obq.29.1364925602881; Tue, 02 Apr 2013 11:00:02 -0700 (PDT)
Received: from [192.168.1.34] (190-20-47-140.baf.movistar.cl. [190.20.47.140]) by mx.google.com with ESMTPS id a3sm451404oee.8.2013.04.02.10.59.57 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 02 Apr 2013 11:00:00 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_E2657797-12F1-40EF-91D0-EE629AAB6D32"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <6BDAB42A-B894-40E7-ADB9-4DB4337A73EE@vigilsec.com>
Date: Tue, 02 Apr 2013 14:59:51 -0300
Message-Id: <3727A8A4-FA6E-4EC2-859C-C1C40E98108E@ve7jtb.com>
References: <006a01ce2b3c$8f0d03b0$ad270b10$@augustcellars.com> <747787E65E3FBD4E93F0EB2F14DB556B183EF2E3@xmb-rcd-x04.cisco.com> <4E1F6AAD24975D4BA5B1680429673943675A0978@TK5EX14MBXC283.redmond.corp.microsoft.com> <004e01ce2fb9$74979730$5dc6c590$@augustcellars.com> <4EC6AC2C-8EE6-4433-8302-E884DD0B3C06@ve7jtb.com> <6BDAB42A-B894-40E7-ADB9-4DB4337A73EE@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: Apple Mail (2.1503)
X-Gm-Message-State: ALoCoQkpo9tbxvLibVjno5PvMm6H5f3Kl21841fZVUk1xGVLpr25avdr+3RbvGC7DrQC8NA6yUtD
Cc: IRTF CFRG <cfrg@irtf.org>, Jim Schaad <jimsch@augustcellars.com>
Subject: Re: [Cfrg] GCM nonce reuse question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 18:00:05 -0000

Russ,

We are close to those approaches.  However nether of those address using the Additional Authenticated Data(AAD).  They mention that it exists as an input but nothing more.

A difference between JOSE and CMS is that CMS allows non AEAD block ciphers, where JOSE requires all block cyphers to be AEAD.

That in theory allows us to use the AAD to integrity protect the envelope information including the identifier for the key wrap or key agreement.

In CMS the recipient-info values are not normally integrity protected.   

This tends to lead to a long discussion about if there is a real requirement to integrity protect them.  

In JOSE we decided to integrity protect the recipient-info values to prevent things like backwards computability attacks.  

This works just fine for one recipient but presents a problem using GCM for multiple recipients if the AAD is used to protect the recipient-info values.

That is the readers digest explanation on why those RFC are not sufficient on there own to answer the question of multiple recipients with integrity protected recipient-info.

I expect some people to chime in that we don't need to integrity protect recipient-info.

Regards
John B.

On 2013-04-02, at 1:12 PM, Russ Housley <housley@vigilsec.com> wrote:

> Jim:
> 
> RFC 5084 and RFC 6476 both show approaches to the use of authenticated encryption with CMS.  Is there some reason that JOSE is not following one of these approaches?
> 
> Russ
> 
> 
> On Apr 2, 2013, at 11:59 AM, John Bradley wrote:
> 
>> Jim,
>> 
>> I don't think Mike was proposing that as a solution, but rather an attempt to characterize the issue.
>> 
>> Yes changing the nonce per recipient would cause the cypher text produced by GCM to change per recipient and need to be repeated, making it an array of JWE effectively, and not really anyones idea of encrypting to multiple recipients.
>> 
>> In a later email I asked David if we have the same or similar issue with his AES-CBC+HMAC. 
>> 
>> Perhaps and I think it is too early to go there, perhaps not all encryption algorithms are equally well suited to using with multiple recipients.
>> 
>> John B.
>> 
>> On 2013-04-02, at 12:48 PM, "Jim Schaad" <jimsch@augustcellars.com> wrote:
>> 
>>> Mike,
>>>  
>>> I will note that this is not going to be considered an acceptable solution for the JOSE group.  You don’t really want to increase the size of the message by n*base64 encoding where in is the number of recipients.
>>>  
>>> Jim
>>>  
>>>  
>>> From: Mike Jones [mailto:Michael.Jones@microsoft.com] 
>>> Sent: Monday, April 01, 2013 5:55 PM
>>> To: David McGrew (mcgrew); Jim Schaad
>>> Cc: cfrg@irtf.org; John Bradley
>>> Subject: RE: GCM nonce reuse question
>>>  
>>> Hi David,
>>>  
>>> In reading this thread and http://tools.ietf.org/html/draft-mcgrew-iv-gen-02, I believe that it’s OK, however if the usage is:
>>>  
>>> (Recipient #1 ciphertext, Recipient #1 authentication tag) = GCM(Key, Recipient #1 data, nonce #1, plain text)
>>> (Recipient #2 ciphertext, Recipient #2 authentication tag) = GCM(Key, Recipient #2 data, nonce #2, plain text)
>>>  
>>> where nonce #1 and nonce #2 are guaranteed to be distinct?  Am I reading things correctly in that regard?
>>>  
>>>                                                                 Thanks,
>>>                                                                 -- Mike
>>>  
>>> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of David McGrew (mcgrew)
>>> Sent: Thursday, March 28, 2013 4:15 AM
>>> To: Jim Schaad
>>> Cc: cfrg@irtf.org
>>> Subject: Re: [Cfrg] GCM nonce reuse question
>>>  
>>> Hi Jim,
>>>  
>>> From: Jim Schaad <jimsch@augustcellars.com>
>>> Date: Wednesday, March 27, 2013 6:43 PM
>>> To: David McGrew <mcgrew@cisco.com>
>>> Cc: "cfrg@irtf.org" <cfrg@irtf.org>
>>> Subject: GCM nonce reuse question
>>>  
>>> David,
>>>  
>>> In doing a write up I became worried about a security property of the GCM encryption mode in the way that the JOSE group is currently using it.
>>>  
>>> There are known problems with not having a unique set of values for IVs and Key pairings.  Do these problems apply to having a different set of auxiliary data as well as the plain text?
>>>  
>>>  
>>> Yes.  The security issues are summarized in http://tools.ietf.org/html/rfc5116#section-5.1.1  but apparently they are not described generally enough.   They should read "plaintext or associated data values".
>>>  
>>> Specifically the current way that GCM mode is being used in JOSE is
>>>  
>>> Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain text)
>>> Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain text)
>>>  
>>> As the key, nonce and plain text are fixed it would produce the same encrypted text value but different authentication tags.
>>>  
>>>  
>>> Can't do that.   Each invocation of the encryption operation needs a distinct nonce, unless all of the encryption operation inputs are identical.
>>>  
>>> Many thanks for calling this out, Jim.
>>>  
>>> David
>>>  
>>> Jim
>>>  
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email