Re: [Cfrg] GCM nonce reuse question
Richard Barnes <rbarnes@bbn.com> Tue, 02 April 2013 19:05 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3592821F8E6E for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2013 12:05:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.999
X-Spam-Level:
X-Spam-Status: No, score=-105.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V4SPwg9pZlJv for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2013 12:05:39 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 4782C21F8E69 for <cfrg@irtf.org>; Tue, 2 Apr 2013 12:05:39 -0700 (PDT)
Received: from ros-dhcp192-1-51-16.bbn.com ([192.1.51.16]:50271) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1UN6WW-000JFr-BA; Tue, 02 Apr 2013 15:05:36 -0400
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Richard Barnes <rbarnes@bbn.com>
In-Reply-To: <3727A8A4-FA6E-4EC2-859C-C1C40E98108E@ve7jtb.com>
Date: Tue, 02 Apr 2013 15:05:35 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <1B54035F-CEA5-4433-BD4E-8D1E0FAB2E21@bbn.com>
References: <006a01ce2b3c$8f0d03b0$ad270b10$@augustcellars.com> <747787E65E3FBD4E93F0EB2F14DB556B183EF2E3@xmb-rcd-x04.cisco.com> <4E1F6AAD24975D4BA5B1680429673943675A0978@TK5EX14MBXC283.redmond.corp.microsoft.com> <004e01ce2fb9$74979730$5dc6c590$@augustcellars.com> <4EC6AC2C-8EE6-4433-8302-E884DD0B3C06@ve7jtb.com> <6BDAB42A-B894-40E7-ADB9-4DB4337A73EE@vigilsec.com> <3727A8A4-FA6E-4EC2-859C-C1C40E98108E@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1503)
Cc: IRTF CFRG <cfrg@irtf.org>, Russ Housley <housley@vigilsec.com>, Jim Schaad <jimsch@augustcellars.com>
Subject: Re: [Cfrg] GCM nonce reuse question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 19:05:40 -0000
John, I don't think you've really answered Russ's question. You've provided a *historical* reason, but not a *technical* reason why JOSE doesn't follow the same approach as CMS. On Apr 2, 2013, at 1:59 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > Russ, > > We are close to those approaches. However nether of those address using the Additional Authenticated Data(AAD). They mention that it exists as an input but nothing more. > > A difference between JOSE and CMS is that CMS allows non AEAD block ciphers, where JOSE requires all block cyphers to be AEAD. > That in theory allows us to use the AAD to integrity protect the envelope information including the identifier for the key wrap or key agreement. The only reason JOSE has this requirement is because the header has to be integrity-protected. So this is circular reasoning. > In CMS the recipient-info values are not normally integrity protected. > > This tends to lead to a long discussion about if there is a real requirement to integrity protect them. > > In JOSE we decided to integrity protect the recipient-info values to prevent things like backwards computability attacks. The author of the backward-compatibility attack paper himself has said on the JOSE list that header integrity protection does not prevent BC attacks. """ ... it does not matter, if he modifies an existing secure object or creates a totally new object encrypted with an insecure algorithm and appends it to the document. """ <http://www.ietf.org/mail-archive/web/jose/current/msg01881.html> Do you have some other reason for integrity-protecting the recipient-info? > This works just fine for one recipient but presents a problem using GCM for multiple recipients if the AAD is used to protect the recipient-info values. > > That is the readers digest explanation on why those RFC are not sufficient on there own to answer the question of multiple recipients with integrity protected recipient-info. > > I expect some people to chime in that we don't need to integrity protect recipient-info. <chime/> --Richard > > Regards > John B. > > On 2013-04-02, at 1:12 PM, Russ Housley <housley@vigilsec.com> wrote: > >> Jim: >> >> RFC 5084 and RFC 6476 both show approaches to the use of authenticated encryption with CMS. Is there some reason that JOSE is not following one of these approaches? >> >> Russ >> >> >> On Apr 2, 2013, at 11:59 AM, John Bradley wrote: >> >>> Jim, >>> >>> I don't think Mike was proposing that as a solution, but rather an attempt to characterize the issue. >>> >>> Yes changing the nonce per recipient would cause the cypher text produced by GCM to change per recipient and need to be repeated, making it an array of JWE effectively, and not really anyones idea of encrypting to multiple recipients. >>> >>> In a later email I asked David if we have the same or similar issue with his AES-CBC+HMAC. >>> >>> Perhaps and I think it is too early to go there, perhaps not all encryption algorithms are equally well suited to using with multiple recipients. >>> >>> John B. >>> >>> On 2013-04-02, at 12:48 PM, "Jim Schaad" <jimsch@augustcellars.com> wrote: >>> >>>> Mike, >>>> >>>> I will note that this is not going to be considered an acceptable solution for the JOSE group. You don’t really want to increase the size of the message by n*base64 encoding where in is the number of recipients. >>>> >>>> Jim >>>> >>>> >>>> From: Mike Jones [mailto:Michael.Jones@microsoft.com] >>>> Sent: Monday, April 01, 2013 5:55 PM >>>> To: David McGrew (mcgrew); Jim Schaad >>>> Cc: cfrg@irtf.org; John Bradley >>>> Subject: RE: GCM nonce reuse question >>>> >>>> Hi David, >>>> >>>> In reading this thread and http://tools.ietf.org/html/draft-mcgrew-iv-gen-02, I believe that it’s OK, however if the usage is: >>>> >>>> (Recipient #1 ciphertext, Recipient #1 authentication tag) = GCM(Key, Recipient #1 data, nonce #1, plain text) >>>> (Recipient #2 ciphertext, Recipient #2 authentication tag) = GCM(Key, Recipient #2 data, nonce #2, plain text) >>>> >>>> where nonce #1 and nonce #2 are guaranteed to be distinct? Am I reading things correctly in that regard? >>>> >>>> Thanks, >>>> -- Mike >>>> >>>> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of David McGrew (mcgrew) >>>> Sent: Thursday, March 28, 2013 4:15 AM >>>> To: Jim Schaad >>>> Cc: cfrg@irtf.org >>>> Subject: Re: [Cfrg] GCM nonce reuse question >>>> >>>> Hi Jim, >>>> >>>> From: Jim Schaad <jimsch@augustcellars.com> >>>> Date: Wednesday, March 27, 2013 6:43 PM >>>> To: David McGrew <mcgrew@cisco.com> >>>> Cc: "cfrg@irtf.org" <cfrg@irtf.org> >>>> Subject: GCM nonce reuse question >>>> >>>> David, >>>> >>>> In doing a write up I became worried about a security property of the GCM encryption mode in the way that the JOSE group is currently using it. >>>> >>>> There are known problems with not having a unique set of values for IVs and Key pairings. Do these problems apply to having a different set of auxiliary data as well as the plain text? >>>> >>>> >>>> Yes. The security issues are summarized in http://tools.ietf.org/html/rfc5116#section-5.1.1 but apparently they are not described generally enough. They should read "plaintext or associated data values". >>>> >>>> Specifically the current way that GCM mode is being used in JOSE is >>>> >>>> Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain text) >>>> Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain text) >>>> >>>> As the key, nonce and plain text are fixed it would produce the same encrypted text value but different authentication tags. >>>> >>>> >>>> Can't do that. Each invocation of the encryption operation needs a distinct nonce, unless all of the encryption operation inputs are identical. >>>> >>>> Many thanks for calling this out, Jim. >>>> >>>> David >>>> >>>> Jim >>>> >>> >>> _______________________________________________ >>> Cfrg mailing list >>> Cfrg@irtf.org >>> http://www.irtf.org/mailman/listinfo/cfrg >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> http://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] GCM nonce reuse question David McGrew (mcgrew)
- Re: [Cfrg] [jose] FW: GCM nonce reuse question Mike Jones
- Re: [Cfrg] GCM nonce reuse question Mike Jones
- Re: [Cfrg] GCM nonce reuse question David McGrew (mcgrew)
- Re: [Cfrg] GCM nonce reuse question John Bradley
- Re: [Cfrg] GCM nonce reuse question Mike Jones
- Re: [Cfrg] GCM nonce reuse question John Bradley
- Re: [Cfrg] GCM nonce reuse question Russ Housley
- Re: [Cfrg] GCM nonce reuse question Richard Barnes
- Re: [Cfrg] GCM nonce reuse question John Bradley
- Re: [Cfrg] GCM nonce reuse question Richard Barnes
- Re: [Cfrg] GCM nonce reuse question Russ Housley
- Re: [Cfrg] GCM nonce reuse question John Bradley
- Re: [Cfrg] GCM nonce reuse question John Bradley
- Re: [Cfrg] GCM nonce reuse question Richard Barnes
- Re: [Cfrg] GCM nonce reuse question Richard Barnes
- Re: [Cfrg] [jose] GCM nonce reuse question Manger, James H
- Re: [Cfrg] [jose] GCM nonce reuse question Richard Barnes
- Re: [Cfrg] [jose] GCM nonce reuse question Richard Barnes