IETF Logo Mail Archive

Re: [Cfrg] What Algorithm information needs to be authenticated?

Richard Barnes <rbarnes@bbn.com> Thu, 04 April 2013 19:01 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71EF521F96F4 for <cfrg@ietfa.amsl.com>; Thu, 4 Apr 2013 12:01:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1+QH0LTGGuoK for <cfrg@ietfa.amsl.com>; Thu, 4 Apr 2013 12:01:37 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 443D821F96B6 for <cfrg@irtf.org>; Thu, 4 Apr 2013 12:01:35 -0700 (PDT)
Received: from dhcp33-085-080.bbn.com ([128.33.85.80]:62749) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1UNpPf-000KwC-WD; Thu, 04 Apr 2013 15:01:32 -0400
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Richard Barnes <rbarnes@bbn.com>
In-Reply-To: <3C4AAD4B5304AB44A6BA85173B4675CA8CBC1EDF@MSMR-GH1-UEA03.corp.nsa.gov>
Date: Thu, 04 Apr 2013 15:01:30 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <ADDCE31B-BB5D-48AE-8006-68B0F211F947@bbn.com>
References: <00ac01ce30fd$3d373350$b7a599f0$@augustcellars.com> <3C4AAD4B5304AB44A6BA85173B4675CA8B6AF16B@MSMR-GH1-UEA03.corp.nsa.gov> <011501ce3156$4bcdf3a0$e369dae0$@augustcellars.com> <3C4AAD4B5304AB44A6BA85173B4675CA8CBC1EDF@MSMR-GH1-UEA03.corp.nsa.gov>
To: "Igoe, Kevin M." <kmigoe@nsa.gov>
X-Mailer: Apple Mail (2.1503)
Cc: 'Jim Schaad' <ietf@augustcellars.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] What Algorithm information needs to be authenticated?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2013 19:01:38 -0000

On Apr 4, 2013, at 1:14 PM, "Igoe, Kevin M." <kmigoe@nsa.gov> wrote:

> Jim Schaad wrote:
>>> - With MACs, since the integrity keys are shorter lived than the
>> signing
>> keys,
>>>  the risk level is (in most applications) much lower than with
>> digital
>>>  signatures.
>> 
>> I wish this was a true statement.  I have seen a number of
>> circumstances
>> where MAC keys are in long lived situations on the order of years.
>> Places
>> such as routers, RADIUS servers and so forth.  Thus while we can hope
>> they
>> are shorter lived I don't believe that we can make that as an
>> assumption.
>> 
> 
> Sigh! Sadly, ! expect you are right.  Getting people to have proper 
> cryptographic "hygene" is harder than getting my kids to brush their
> teeth every night.

The current JOSE specs, however, encourage bad habits: Unlike CMS, they don't provide a mechanism for using ephemeral MAC keys.

So that is one helpful piece of feedback.  We need to add better ways to manage MAC keys.

--Richard




> 
>> -----Original Message-----
>> From: Jim Schaad [mailto:ietf@augustcellars.com]
>> Sent: Thursday, April 04, 2013 1:03 PM
>> To: Igoe, Kevin M.; cfrg@irtf.org
>> Subject: RE: [Cfrg] What Algorithm information needs to be
>> authenticated?
>> 
>> Kevin,
>> 
>>> -----Original Message-----
>>> From: Igoe, Kevin M. [mailto:kmigoe@nsa.gov]
>>> Sent: Thursday, April 04, 2013 7:48 AM
>>> To: 'Jim Schaad'; cfrg@irtf.org
>>> Subject: RE: [Cfrg] What Algorithm information needs to be
>> authenticated?
>>> 
>>> OK CFRG, Jim has given us 4 concrete issues to address.
>>> 
>>> 
>>> 1.  For signature operations, what parameters related to the
>> signature
>>> algorithm and what parameters related to a key need to be protected
>> by the
>>> signature operation to prevent real and theoretical attacks on JOSE
>> signed
>>> structures.   We would like to get the real and theoretical attacks
>>> separated with a weight on the theoretical attacks for the potential
>> to
>> become
>>> real.
>>> 
>>> 2.  For MAC operations, what parameters related to the MAC algorithm
>> and
>>> what parameters related to the key need to be protected by the MAC
>>> operation to prevent real and theoretical attacks on a JOSE MAC
>> structure.
>>> 
>>> 3.  For key management operations (how the content encryption key is
>> given
>>> to the recipient), what parameters related to the algorithms need to
>> be
>>> protected as part of the AEAD algorithm.
>>> 
>>> 4.  For content encryption, what parameter related to the AEAD
>> algorithm
>>> need to be protected by the AEAD algorithm (and are not already
>> protected)
>>> need to be included.  Is there any benefit in double protecting
>> parameters
>>> such as the IV in case a new AEAD algorithm does not directly protect
>> that
>>> value.
>>> 
>>> - A residual risk common to all of these is proper storage of secret
>> keys.
>>>  While outside the scope of JOSE, I believe this should be called
>> out in
>> the
>>>  security section as an issue implementers must address.)
>>> - Proper protection of the secret signing keys is a very real issue.
>> 
>> I agree that both of the previous issues should be addressed as
>> security
>> considerations.  I can check but I already believe they are.
>> 
>>> - With MACs, since the integrity keys are shorter lived than the
>> signing
>> keys,
>>>  the risk level is (in most applications) much lower than with
>> digital
>>>  signatures.
>> 
>> I wish this was a true statement.  I have seen a number of
>> circumstances
>> where MAC keys are in long lived situations on the order of years.
>> Places
>> such as routers, RADIUS servers and so forth.  Thus while we can hope
>> they
>> are shorter lived I don't believe that we can make that as an
>> assumption.
>> 
>>> 
>>> - ECDSA depends upon a random input k provided by the signer. This
>> input
>>>  should be uniformly distributed in the range [1, q], where q is
>>>  the size of the cryptographic subgroup of the curve (a prime).
>> NIST has
>>>  good guidance on this.  One of their DRBGs makes a good tool for
>> forming
>>>  k.  Thankfully NIST has thought long and hard about these issues.
>> We
>> need to
>>>  point folks at the proper NIST special pubs. Additional non-NIST
>> references
>>>  would be a very welcome!
>>> 
>>> - MACs don't provide non-repudiation since more than one person has
>> the
>>>  integrity key.  If non-repudiation is required (typically only
>> needed
>>>  if legal culpability might become an issue), a true signature
>> should be
>>>  used.
>> 
>> I prefer the term data-origin rather than non-repudiation since I know
>> what
>> that the former means but don't know what the latter means as a
>> technical
>> term.  This term has been argued about for the last 15 years on the
>> PKIX
>> mailing list and I don't want to get into that here.
>> 
>>> 
>>> - OK folks, does anyone have an argument as to why authentication of
>> the
>>>  AEAD IVs is required to address a concrete security issue?  I've
>> been
>>>  mulling this over & haven't come up with one yet. Keep in mind that
>> one
>>>  of the use cases for JOSE is the W3C web cryptography API, so there
>>>  are likely to use this in the future to build JOSE based
>> applications
>>>  beyond what we are currently envisioning.
>> 
>> Are you talking about inside of the algorithm or outside of the
>> algorithm
>> for doing the authentication?  In the case of the CBC/HMAC AEAD
>> algorithm,
>> as the authentication is computed on the encrypted text you cannot know
>> if
>> the unencrypted text is the correct text without knowing that the IV is
>> also
>> correct.   You end up with about a 1 in 256 chance of decrypting the
>> message
>> and getting the correct padding with the wrong IV and then assuming
>> that the
>> resulting plain text is what was sent when it isn't.
>> 
>> Jim
>> 
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On
>> Behalf
>>>> Of Jim Schaad
>>>> Sent: Thursday, April 04, 2013 2:26 AM
>>>> To: cfrg@irtf.org
>>>> Subject: [Cfrg] What Algorithm information needs to be
>> authenticated?
>>>> 
>>>> Request for Information
>>>> 
>>>> The JOSE working group is having an internal argument about the
>> need
>>>> to protect the various header information in an encrypted or signed
>>>> message.
>>>> The quick question is which algorithm information and algorithm
>>>> parameters need to be included in integrity portion of the
>> signature
>>>> or encryption operation in order to protect those parameters.
>>>> 
>>>> There are a couple of theoretical attacks that can be launched
>> against
>>>> various algorithms that then require protection an example of such
>> a
>>>> parameter is the IV for the AES-CBC/HMAC algorithm that has been
>>>> proposed.
>>>> In this case the IV is protected by the algorithm itself and
>> therefore
>>>> does not need to be externally protected by the JOSE data
>> structures.
>>>> 
>>>> In RFC 6211, there is a new CMS attribute that was defined for
>>>> protection of the signature algorithm as I felt there was a
>> potential
>>>> attack that could be exploited.
>>>> 
>>>> Looking at the RSA v1.5 signature algorithm, one cannot change the
>>>> hash algorithm as the hash algorithm is encoded as part of the
>> padding
>>>> for the signature
>>>> 
>>>> Looking at the RSA PSS signature, there is the possibility that a
>> hash
>>>> algorithm of the same length could be substituted unless external
>>>> restrictions are applied.  Thus one could potentially substitute a
>>>> RIPEMD-160 hash on the content for a SHA-1 hash.   As long as the
>>>> hashes
>>>> match and there is no externally applied restriction that the hash
>>>> algorithm used to build the PSS internals is same as the content
>> hash
>>>> then it would verify.  It is unclear if there is an attack that
>>>> involves multiple hash algorithms that is better than a birthday
>>>> attack on a single algorithm as I don't know if this has ever been
>>>> studied.
>>>> 
>>>> CMS also defined an attribute that can be included in the signature
>>>> computation for specifying a certificate that is to be used in the
>>>> validation of the signature on the CMS object.  I.e. where to get
>> the
>>>> public key and the base restrictions for that are imposed on that
>>>> public key by the certificate issuer.
>>>> 
>>>> Questions that we would like to see discussed:
>>>> 
>>>> 1.  For signature operations, what parameters related to the
>> signature
>>>> algorithm and what parameters related to a key need to be protected
>> by
>>>> the signature operation to prevent real and theoretical attacks on
>>>> JOSE signed
>>>> structures.   We would like to get the real and theoretical attacks
>>>> separated with a weight on the theoretical attacks for the
>> potential
>>>> to become real.
>>>> 
>>>> 2.  For MAC operations, what parameters related to the MAC
>> algorithm
>>>> and what parameters related to the key need to be protected by the
>> MAC
>>>> operation to prevent real and theoretical attacks on a JOSE MAC
>>>> structure.
>>>> 
>>>> 3.  For key management operations (how the content encryption key
>> is
>>>> given to the recipient), what parameters related to the algorithms
>>>> need to be protected as part of the AEAD algorithm.
>>>> 
>>>> 4.  For content encryption, what parameter related to the AEAD
>>>> algorithm need to be protected by the AEAD algorithm (and are not
>>>> already
>>>> protected)
>>>> need to be included.  Is there any benefit in double protecting
>>>> parameters such as the IV in case a new AEAD algorithm does not
>>>> directly protect that value.
>>>> 
>>>> Looking at the key to be protected, we don't care if the recipient
>>>> cannot find the correct key or misinterprets what the key
>> identifier
>>>> is.  What we want to make sure is that an attacker would be unable
>> to
>>>> change the recipients interpretation of what key is to be used and
>>>> still get a successful validation.
>>>> 
>>>> Jim Schaad
>>>> JOSE Co-Chair
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Cfrg mailing list
>>>> Cfrg@irtf.org
>>>> http://www.irtf.org/mailman/listinfo/cfrg
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email