IETF Logo Mail Archive

Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke

Julia Len <jlen@cs.cornell.edu> Thu, 10 September 2020 16:29 UTC

Return-Path: <jl3836@cornell.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E2963A0E13 for <cfrg@ietfa.amsl.com>; Thu, 10 Sep 2020 09:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mkyiO1DKjqaN for <cfrg@ietfa.amsl.com>; Thu, 10 Sep 2020 09:29:57 -0700 (PDT)
Received: from mail-il1-f174.google.com (mail-il1-f174.google.com [209.85.166.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B52553A0DF7 for <cfrg@irtf.org>; Thu, 10 Sep 2020 09:29:54 -0700 (PDT)
Received: by mail-il1-f174.google.com with SMTP id f82so1567354ilh.8 for <cfrg@irtf.org>; Thu, 10 Sep 2020 09:29:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2pka+OW374LUq7kNdgL+qs9qfQoQJFA1e2baOmAUGRE=; b=TDEPjMXtqp5fx1Slq5rmLBv1t+RGVoQRiyotGEl6YzumpPIvA9A3UZgHwTDEwdshac Y/bJIYVJlDKLIutzzS5LMmMJiCwNIZ/S5TZsyRa0gJB6xWs5VSmpbVzGSg8kusW9mz6+ LcJffYmkqoiMszH3Ll/jdOYUm6PhWn9ksuEA/ZqJudb+BIlPCAX2MT77NolxMosofvY5 HJBIgTfnSdyKgwCjwCgGQIvOe84ChxJQWQBmOCtM36nbTbUKRR3jLDR4er4taQQid7X8 ela4hvqGWkV7V7BpYmspnuMMCqjumdYNVBEDsm1s1Q35MVkcumIUv7dEPBdoWNIkzZ1C 4/kw==
X-Gm-Message-State: AOAM531yi+1jiGary1Ci2tx2Ic3juteYDquMBzLUl4+xznbB7npd0/8d DH7TQG6ee7cOGsfy9oxalh2yJi+05jrsnMxoGHorz+A/aw9VJQ==
X-Google-Smtp-Source: ABdhPJwJzUjVzqukzEuI5kYYEoAB3OizDKCAQCy/lnP+oQ1tSRGsslOB8i6g46OjaxAYXOA4EOPI24rZSBjlHLr59rk=
X-Received: by 2002:a92:dd85:: with SMTP id g5mr8533979iln.210.1599755393409; Thu, 10 Sep 2020 09:29:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAK0e1DrM6MVz5vk6HV4NPtcXExB88vWdsoPFiOicUOMOest26Q@mail.gmail.com> <01F5178D-5308-417A-B1BC-E189C1422FE1@gmail.com>
In-Reply-To: <01F5178D-5308-417A-B1BC-E189C1422FE1@gmail.com>
From: Julia Len <jlen@cs.cornell.edu>
Date: Thu, 10 Sep 2020 12:29:42 -0400
Message-ID: <CAK0e1DrX8X=3dQ4YhwhfQRsj0qkePd-vjAGBdzFXJaBg-QmJxg@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000f3c97905aef81363"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/37-nMyuiw4aUPrdHCqaxJawwvrM>
Subject: Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 16:30:10 -0000

Karthik, I've sent you a draft separately.

The paper isn't ready currently for public distribution, so if anyone else
is interested we can send a draft to you directly.

Thanks,
Julia

On Wed, Sep 9, 2020 at 9:31 PM Karthikeyan Bhargavan <
karthik.bhargavan@gmail.com> wrote:

> Hello Julia,
>
> Thanks for this email.
>
> Could you share a draft of [LGR20] so we can study the issue?
>
> -Karthik
>
> On 2 Sep 2020, at 00:07, Julia Len <jlen@cs.cornell.edu> wrote:
>
> The HPKE PSK-based sender authentication scheme could be vulnerable to
> what we call a partitioning oracle (PO) attack (the paper [LGR20] is in
> preparation -- drafts are available upon request).
>
> Partitioning oracle attacks against HPKE target authenticated encryption
> with associated data (AEAD) schemes that are non-committing, meaning
> attackers can construct ciphertexts that decrypt without error under more
> than one key. HPKE only supports GCM and ChaCha20/Poly1305 for AEAD, both
> of which are non-committing.
>
> If decryption failures are observable to the sender of an HPKE ciphertext,
> a partitioning oracle attack can recover the PSK from a set of possible
> keys S as follows. An attacker can split S into two sets S0 and S1. It can
> then run the KEM with the receiver’s public key to get the DH shared
> secret, and then derive the set of AEAD keys K for each key in S0. A
> ciphertext can be computed so that it decrypts correctly for all keys in K.
> The attacker must then be able to determine whether decryption succeeds. If
> the ciphertext is decrypted correctly, the correct PSK must be in S0, and
> if the ciphertext does not decrypt, the correct PSK must be in S1. The
> attacker can then repeat the above steps, setting S appropriately to S0 or
> S1, until it finds the correct PSK. This attack enables the adversary to
> recover the PSK in time logarithmic in the size of the original set S.
>
> The draft anticipates a decryption oracle being used to attempt to learn
> the PSK. The authors observe that with “access to an oracle that allows to
> distinguish between a good and a wrong PSK, [the sender] can perform a
> dictionary attack on the PSK”. However, because the AEADs are
> non-committing, a PO attack can potentially give an exponential speed-up
> over a naive dictionary attack, making remote PSK recovery more feasible.
> Furthermore, while the scheme specifies it is not suitable for use with
> passwords, it does permit short PSKs. (Section 8.4 currently says ‘Using a
> PSK shorter than "Nh" bytes is permitted.’, where Nh is the output size of
> the key derivation function.)
>
> Our recommended mitigation is changing the HPKE PSK sender auth
> construction to use a committing AEAD scheme. For example,
> Encrypt-then-HMAC type schemes can be made committing. Unfortunately we are
> unaware of any standard that specifies a committing AEAD scheme. A less
> disruptive mitigation is to strengthen the language in the HPKE
> specification, warning about partitioning oracle attacks and requiring PSKs
> to have sufficient min-entropy (say, 128 bits) to make PSK extraction via
> partitioning oracle infeasible. Example text for consideration is below:
>
> The second paragraph of Section 8.4 could be modified to say the following:
>
> HPKE is specified to use HKDF as key derivation function. HKDF is not
>> designed to slow down dictionary attacks, see [RFC5869
>> <https://www.ietf.org/id/draft-irtf-cfrg-hpke-05.html#RFC5869>]. Thus,
>> HPKE's PSK mechanism is not suitable for use with a low-entropy password as
>> the PSK: in scenarios in which the adversary knows the KEM shared secret
>> shared_secret and has access to an oracle that allows to distinguish
>> between a good and a wrong PSK, it can perform PSK-recovering attacks. This
>> oracle can be the decryption operation on a captured HPKE ciphertext or any
>> other recipient behavior which is observably different when using a wrong
>> PSK. The adversary knows the KEM shared secret shared_secret if it knows
>> all KEM private keys of one participant. In the PSK mode this is trivially
>> the case if the adversary acts as sender.
>
>
>> To recover a lower entropy PSK, an attacker in this scenario can
>> trivially perform a dictionary attack. Given a set S of possible PSK
>> values, the attacker generates an HPKE ciphertext using each value in S,
>> and submits the resulting ciphertexts to the oracle to learn which PSK is
>> being used by the receiver. Further, because HPKE uses AEAD schemes that
>> are not key-committing, an attacker can mount a partitioning oracle attack
>> [LGR20] which can recover the PSK from a set of S possible PSK values, with
>> |S| = m*k, in roughly m + log k queries to the oracle using ciphertexts of
>> length proportional to k, the maximum message length in blocks. The PSK
>> must therefore be chosen with sufficient entropy so that m + log k is
>> prohibitive for attackers (e.g., 2^128).
>
>
> [LGR20] Len, J., Grubbs, P., Ristenpart, T. Partitioning Oracle Attacks.
> In preparation, 2020.
>
> Regards,
> Julia Len, Paul Grubbs, and Tom Ristenpart
>
>
>> > Dear CFRG participants,
>> >
>> > This message starts a second 2-week RGLC on "Hybrid Public Key
>> > Encryption" (draft-irtf-cfrg-hpke-05), that will end on August 31st. See
>> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/ for the latest
>> > version of the draft.
>> >
>> > We are having the second RGLC because we didn't have much feedback
>> during
>> > the first RGLC and because we have obtained two new Crypto Panel
>> reviews:
>> >
>> >
>> https://mailarchive.ietf.org/arch/msg/crypto-panel/Ol1Mm8JUpmgapgq8ppnBQQSlEkE/
>> > https://mailarchive.ietf.org/arch/msg/cfrg/7zhOHPFkCyZC00xLZnsEBT3o6ZU/
>> >
>> > Please send your comments, as well as expression of support to publish
>> as
>> > an RFC (or possible reasons for not doing so) in reply to this message
>> or
>> > directly to CFRG chairs.
>> >
>> >
>>
>> > Regards,
>> > Stanislav, Nick and Alexey
>> > _______________________________________________
>> > Cfrg mailing list
>> > Cfrg@irtf.org
>> > https://www.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
>
>

v2.23.0 | Report a Bug | By Email