IETF Logo Mail Archive

Re: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

David Jacobson <dmjacobson@sbcglobal.net> Tue, 20 November 2012 04:59 UTC

Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E81821F8807 for <cfrg@ietfa.amsl.com>; Mon, 19 Nov 2012 20:59:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_25=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WAo9Bs27YhmN for <cfrg@ietfa.amsl.com>; Mon, 19 Nov 2012 20:59:38 -0800 (PST)
Received: from nm15.access.bullet.mail.mud.yahoo.com (nm15.access.bullet.mail.mud.yahoo.com [66.94.237.216]) by ietfa.amsl.com (Postfix) with ESMTP id 9FE2821F8804 for <cfrg@irtf.org>; Mon, 19 Nov 2012 20:59:38 -0800 (PST)
Received: from [66.94.237.127] by nm15.access.bullet.mail.mud.yahoo.com with NNFMP; 20 Nov 2012 04:59:37 -0000
Received: from [68.142.198.207] by tm2.access.bullet.mail.mud.yahoo.com with NNFMP; 20 Nov 2012 04:59:37 -0000
Received: from [127.0.0.1] by smtp111.sbc.mail.mud.yahoo.com with NNFMP; 20 Nov 2012 04:59:37 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s1024; t=1353387577; bh=N7CmV9TVhbHdB00FTGO/zbLY4jZAL9z7ZSTdWBtU7xY=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type; b=FlM5bNNo1qt3YHaHKBJhYDZQ1eC6z9MY1YcGVh14dgZCvsP1QaQbPSY3oP5bHltem1skbPmsvORjr1B8h3s85BYN3XxPPBar8IufmYrE/fSC0HO+qHExUfE805yvUGRhldWSr23oRM16RBpL/Bj3b4t1GTWOtqvJiqiLPXhq5+w=
X-Yahoo-Newman-Id: 772578.97549.bm@smtp111.sbc.mail.mud.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: WcvZtEsVM1nHGcmVxRikrugDfrqFuRa7leClJ4b2RmTTLwY hWokEuuEFL_hVuuJyg8m6HkKaa6k_dd8G5HFXHOmxL3SVnnKzTfsCxX8f7AE xx5q_gU7HknbWvmdbjyXmheBZI38nOqyHJnu_91N5MCxYHMvurobnbqULIHz 5zHPGlEOmXAf4GborLOmGtFodTiozlvPAhClUplbaMxy4Bciro5WhqJEFKog rRzL_zo.LYv_gwS0tqL.kDk.m9GzY30cWXaHL3m9NtBgPcAGbKgWuUNo6Z6u YFOU_GLuhliyyHHEXFxP2JOmLSQqTq4aTiquJ_xWKlgSV3H_zJfhd4AMSG1C KhzJZPUdxIUOvF8Do.zAuw23qxYfkivKzPPFReFOkb0aGaca2hIpB0rQBfuc X.1UZaouEaN7vaiFVBHARQD7GH2beXqQisD2gsIfsXaIG3HplD3uqHMeECz3 BHhK0dDR9BF3xLDZkQ.caea3a3taUwg--
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
Received: from [192.168.1.73] (dmjacobson@99.120.98.171 with plain) by smtp111.sbc.mail.mud.yahoo.com with SMTP; 19 Nov 2012 20:59:37 -0800 PST
Message-ID: <50AB0E38.9050700@sbcglobal.net>
Date: Mon, 19 Nov 2012 20:59:36 -0800
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121028 Thunderbird/16.0.2
MIME-Version: 1.0
To: cfrg@irtf.org
References: <747787E65E3FBD4E93F0EB2F14DB556B0F50A96C@xmb-rcd-x04.cisco.com> <4E1F6AAD24975D4BA5B1680429673943668B026C@TK5EX14MBXC283.redmond.corp.microsoft.com> <FE2BC73F-41FA-4B5B-900C-117749CEEBAC@vigilsec.com> <003801cdc5bc$ce464e50$6ad2eaf0$@att.net>
In-Reply-To: <003801cdc5bc$ce464e50$6ad2eaf0$@att.net>
Content-Type: multipart/alternative; boundary="------------060401070801050705070309"
Subject: Re: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2012 04:59:41 -0000

I think I'd argue the other way on continuing on on when the MAC fails.

One big advantage of encrypt-then-MAC is that the receiving end does 
MACverify-then-decrypt.  If the message has been tampered with, the MAC 
fails to verify and we never even enter the decryption stuff, thus there 
is never even the possibility of padding oracles, timing attacks, etc.  
If you go ahead with the decryption, you risk revealing something.

    --David



On 11/18/2012 10:44 AM, Tolga Acar wrote:
>
> Quick feedback on the draft
>
> ·Page 5, item 3, padding string PS. Please \cite PKCS#5 so it is clear 
> this is not new, but a reuse of an existing padding scheme.
>
> ·Section 2.2, step 3. When MAC verification fails, the draft 
> recommends halting the operation before CBC decryption. We have seen 
> timing and error-code based attacks against TLS' MAC-then-Encrypt 
> scheme. I realize that the draft is prescribing E-t-M. Nonetheless, 
> considering a potential flaw in HMAC-SHA2 series (I don't know of any, 
> but ...), I'd suggest not halting the operation even after MAC check 
> fails, but continuing on to CBC decryption, and then returning an 
> error that doesn't distinguish between a MAC and a decryption (pad 
> check) error. Yes, this would consume more CPU cycles only to waste 
> them **under an attack**, which is not necessarily bad.
>
> ·Section 2.2, step 5. Unspecified error case of invalid padding (link 
> to my comment above).
>
> Best,
>
> -Tolga
>
> *From:*cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] *On Behalf 
> Of *Russ Housley
> *Sent:* Sunday, November 18, 2012 4:45 AM
> *To:* Mike Jones
> *Cc:* IRTF CFRG; jose@ietf.org
> *Subject:* Re: [Cfrg] Authenticated Encryption with AES-CBC and 
> HMAC-SHA, version 01
>
> Have you looked at the algorithm in RFC 6476?  While the discussion is 
> CMS-specific, the algorithm could be used with another syntax.
>
> Russ
>
> On Nov 12, 2012, at 1:55 PM, Mike Jones wrote:
>
>
>
> As background, if there was a version of this spec that did not assume 
> that the parameters would be concatenated together in a specific way, 
> but left them as independent inputs and outputs, as AES GCM and AES 
> CTR do, it would be a better match for JOSE's use case.
>
> -- Mike
>
> *From:*cfrg-bounces@irtf.org 
> <mailto:cfrg-bounces@irtf.org>[mailto:cfrg-bounces@irtf.org]*On Behalf 
> Of*David McGrew (mcgrew)
> *Sent:*Monday, November 12, 2012 10:21 AM
> *To:*cfrg@irtf.org <mailto:cfrg@irtf.org>;jose@ietf.org 
> <mailto:jose@ietf.org>
> *Subject:*[Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, 
> version 01
>
> Hi,
>
> There is a new version of "Authenticated Encryption with AES-CBC and 
> HMAC-SHA", and I would appreciate your review.   It is online at 
> <https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/?include_text=1> 
> <https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/?include_text=1%3e> 
>  The diff between the current and the previous version is available at 
> <http://www.ietf.org/rfcdiff?url2=draft-mcgrew-aead-aes-cbc-hmac-sha2-01> 
> <http://www.ietf.org/rfcdiff?url2=draft-mcgrew-aead-aes-cbc-hmac-sha2-01%3e>
>
> This draft has been proposed for use in the JOSE WG 
> <http://datatracker.ietf.org/wg/jose/> 
> <http://datatracker.ietf.org/wg/jose/%3e> , where its adoption would 
> allow the working group to omit "raw" unauthenticated encryption, e.g. 
> AES-CBC, and only include authenticated encryption.   Thus I am asking 
> for your help in making
>
> John Foley generated test cases that correspond to the current version 
> of the draft, but I didn't include these in the draft because I did 
> not yet get confirmation from a second independent implementation.   
> With hope, there will not be any need for any normative changes, and I 
> will include these after I get confirmation.
>
> Thanks,
>
> David
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
> http://www.irtf.org/mailman/listinfo/cfrg
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email