Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke
Julia Len <jlen@cs.cornell.edu> Thu, 10 September 2020 16:29 UTC
Return-Path: <jl3836@cornell.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E2963A0E13 for <cfrg@ietfa.amsl.com>; Thu, 10 Sep 2020 09:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mkyiO1DKjqaN for <cfrg@ietfa.amsl.com>; Thu, 10 Sep 2020 09:29:57 -0700 (PDT)
Received: from mail-il1-f174.google.com (mail-il1-f174.google.com [209.85.166.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B52553A0DF7 for <cfrg@irtf.org>; Thu, 10 Sep 2020 09:29:54 -0700 (PDT)
Received: by mail-il1-f174.google.com with SMTP id f82so1567354ilh.8 for <cfrg@irtf.org>; Thu, 10 Sep 2020 09:29:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2pka+OW374LUq7kNdgL+qs9qfQoQJFA1e2baOmAUGRE=; b=TDEPjMXtqp5fx1Slq5rmLBv1t+RGVoQRiyotGEl6YzumpPIvA9A3UZgHwTDEwdshac Y/bJIYVJlDKLIutzzS5LMmMJiCwNIZ/S5TZsyRa0gJB6xWs5VSmpbVzGSg8kusW9mz6+ LcJffYmkqoiMszH3Ll/jdOYUm6PhWn9ksuEA/ZqJudb+BIlPCAX2MT77NolxMosofvY5 HJBIgTfnSdyKgwCjwCgGQIvOe84ChxJQWQBmOCtM36nbTbUKRR3jLDR4er4taQQid7X8 ela4hvqGWkV7V7BpYmspnuMMCqjumdYNVBEDsm1s1Q35MVkcumIUv7dEPBdoWNIkzZ1C 4/kw==
X-Gm-Message-State: AOAM531yi+1jiGary1Ci2tx2Ic3juteYDquMBzLUl4+xznbB7npd0/8d DH7TQG6ee7cOGsfy9oxalh2yJi+05jrsnMxoGHorz+A/aw9VJQ==
X-Google-Smtp-Source: ABdhPJwJzUjVzqukzEuI5kYYEoAB3OizDKCAQCy/lnP+oQ1tSRGsslOB8i6g46OjaxAYXOA4EOPI24rZSBjlHLr59rk=
X-Received: by 2002:a92:dd85:: with SMTP id g5mr8533979iln.210.1599755393409; Thu, 10 Sep 2020 09:29:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAK0e1DrM6MVz5vk6HV4NPtcXExB88vWdsoPFiOicUOMOest26Q@mail.gmail.com> <01F5178D-5308-417A-B1BC-E189C1422FE1@gmail.com>
In-Reply-To: <01F5178D-5308-417A-B1BC-E189C1422FE1@gmail.com>
From: Julia Len <jlen@cs.cornell.edu>
Date: Thu, 10 Sep 2020 12:29:42 -0400
Message-ID: <CAK0e1DrX8X=3dQ4YhwhfQRsj0qkePd-vjAGBdzFXJaBg-QmJxg@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000f3c97905aef81363"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/37-nMyuiw4aUPrdHCqaxJawwvrM>
Subject: Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 16:30:10 -0000
Karthik, I've sent you a draft separately. The paper isn't ready currently for public distribution, so if anyone else is interested we can send a draft to you directly. Thanks, Julia On Wed, Sep 9, 2020 at 9:31 PM Karthikeyan Bhargavan < karthik.bhargavan@gmail.com> wrote: > Hello Julia, > > Thanks for this email. > > Could you share a draft of [LGR20] so we can study the issue? > > -Karthik > > On 2 Sep 2020, at 00:07, Julia Len <jlen@cs.cornell.edu> wrote: > > The HPKE PSK-based sender authentication scheme could be vulnerable to > what we call a partitioning oracle (PO) attack (the paper [LGR20] is in > preparation -- drafts are available upon request). > > Partitioning oracle attacks against HPKE target authenticated encryption > with associated data (AEAD) schemes that are non-committing, meaning > attackers can construct ciphertexts that decrypt without error under more > than one key. HPKE only supports GCM and ChaCha20/Poly1305 for AEAD, both > of which are non-committing. > > If decryption failures are observable to the sender of an HPKE ciphertext, > a partitioning oracle attack can recover the PSK from a set of possible > keys S as follows. An attacker can split S into two sets S0 and S1. It can > then run the KEM with the receiver’s public key to get the DH shared > secret, and then derive the set of AEAD keys K for each key in S0. A > ciphertext can be computed so that it decrypts correctly for all keys in K. > The attacker must then be able to determine whether decryption succeeds. If > the ciphertext is decrypted correctly, the correct PSK must be in S0, and > if the ciphertext does not decrypt, the correct PSK must be in S1. The > attacker can then repeat the above steps, setting S appropriately to S0 or > S1, until it finds the correct PSK. This attack enables the adversary to > recover the PSK in time logarithmic in the size of the original set S. > > The draft anticipates a decryption oracle being used to attempt to learn > the PSK. The authors observe that with “access to an oracle that allows to > distinguish between a good and a wrong PSK, [the sender] can perform a > dictionary attack on the PSK”. However, because the AEADs are > non-committing, a PO attack can potentially give an exponential speed-up > over a naive dictionary attack, making remote PSK recovery more feasible. > Furthermore, while the scheme specifies it is not suitable for use with > passwords, it does permit short PSKs. (Section 8.4 currently says ‘Using a > PSK shorter than "Nh" bytes is permitted.’, where Nh is the output size of > the key derivation function.) > > Our recommended mitigation is changing the HPKE PSK sender auth > construction to use a committing AEAD scheme. For example, > Encrypt-then-HMAC type schemes can be made committing. Unfortunately we are > unaware of any standard that specifies a committing AEAD scheme. A less > disruptive mitigation is to strengthen the language in the HPKE > specification, warning about partitioning oracle attacks and requiring PSKs > to have sufficient min-entropy (say, 128 bits) to make PSK extraction via > partitioning oracle infeasible. Example text for consideration is below: > > The second paragraph of Section 8.4 could be modified to say the following: > > HPKE is specified to use HKDF as key derivation function. HKDF is not >> designed to slow down dictionary attacks, see [RFC5869 >> <https://www.ietf.org/id/draft-irtf-cfrg-hpke-05.html#RFC5869>]. Thus, >> HPKE's PSK mechanism is not suitable for use with a low-entropy password as >> the PSK: in scenarios in which the adversary knows the KEM shared secret >> shared_secret and has access to an oracle that allows to distinguish >> between a good and a wrong PSK, it can perform PSK-recovering attacks. This >> oracle can be the decryption operation on a captured HPKE ciphertext or any >> other recipient behavior which is observably different when using a wrong >> PSK. The adversary knows the KEM shared secret shared_secret if it knows >> all KEM private keys of one participant. In the PSK mode this is trivially >> the case if the adversary acts as sender. > > >> To recover a lower entropy PSK, an attacker in this scenario can >> trivially perform a dictionary attack. Given a set S of possible PSK >> values, the attacker generates an HPKE ciphertext using each value in S, >> and submits the resulting ciphertexts to the oracle to learn which PSK is >> being used by the receiver. Further, because HPKE uses AEAD schemes that >> are not key-committing, an attacker can mount a partitioning oracle attack >> [LGR20] which can recover the PSK from a set of S possible PSK values, with >> |S| = m*k, in roughly m + log k queries to the oracle using ciphertexts of >> length proportional to k, the maximum message length in blocks. The PSK >> must therefore be chosen with sufficient entropy so that m + log k is >> prohibitive for attackers (e.g., 2^128). > > > [LGR20] Len, J., Grubbs, P., Ristenpart, T. Partitioning Oracle Attacks. > In preparation, 2020. > > Regards, > Julia Len, Paul Grubbs, and Tom Ristenpart > > >> > Dear CFRG participants, >> > >> > This message starts a second 2-week RGLC on "Hybrid Public Key >> > Encryption" (draft-irtf-cfrg-hpke-05), that will end on August 31st. See >> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/ for the latest >> > version of the draft. >> > >> > We are having the second RGLC because we didn't have much feedback >> during >> > the first RGLC and because we have obtained two new Crypto Panel >> reviews: >> > >> > >> https://mailarchive.ietf.org/arch/msg/crypto-panel/Ol1Mm8JUpmgapgq8ppnBQQSlEkE/ >> > https://mailarchive.ietf.org/arch/msg/cfrg/7zhOHPFkCyZC00xLZnsEBT3o6ZU/ >> > >> > Please send your comments, as well as expression of support to publish >> as >> > an RFC (or possible reasons for not doing so) in reply to this message >> or >> > directly to CFRG chairs. >> > >> > >> >> > Regards, >> > Stanislav, Nick and Alexey >> > _______________________________________________ >> > Cfrg mailing list >> > Cfrg@irtf.org >> > https://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > > >
- [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Stanislav V. Smyshlyaev
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Watson Ladd
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Joseph Salowey
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Christopher Patton
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Richard Barnes
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Christopher Patton
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Julia Len
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Karthikeyan Bhargavan
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Julia Len
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Karthikeyan Bhargavan
- Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke Julia Len