IETF Logo Mail Archive

Re: [Cfrg] Attacker changing tag length in OCB

Rene Struik <rstruik.ext@gmail.com> Thu, 30 May 2013 22:21 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36D0F21F929F for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 15:21:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7xYZYQR7sfsf for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 15:21:23 -0700 (PDT)
Received: from mail-ob0-x22a.google.com (mail-ob0-x22a.google.com [IPv6:2607:f8b0:4003:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 9DC7521F92F4 for <cfrg@ietf.org>; Thu, 30 May 2013 15:21:22 -0700 (PDT)
Received: by mail-ob0-f170.google.com with SMTP id ef5so1742332obb.29 for <cfrg@ietf.org>; Thu, 30 May 2013 15:21:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=9ggQ8lZd8YjaGmAsaHG9mZa2LD5i5TKw1Xs0z+0tRHE=; b=ceq4c9h5u6S/HJH9Za9CcMTOYkDBSXGF+ViT8uhKyInKaGeNbdJfo/ldu083pdkvUZ jlC960S6dWmPTCFT8f2/ZJgn9Mq/D4wDY47DII3dmGK+HYl8K64TsOIR09GpNiaXP64R hzo863AgSPZVuXczFxwCa/W95XBvqnNNkvhCmQocSLdw6LK36UsK7jYAkMUZ92uYi+rd wqGAN2geK5FV1Yf+tWbXaXkd+yqQasvmJkS/aHr9LAPdOkiRNPb1eiG+GNZUpmDW7A0S JjDuZLeaxQOtai5sXl8xglO2gle8e6Rl155aXkFVcM9Ihj7LvVmydeDjSu7E1omy/Bce E7TQ==
X-Received: by 10.60.94.212 with SMTP id de20mr5056623oeb.129.1369952481424; Thu, 30 May 2013 15:21:21 -0700 (PDT)
Received: from [192.168.1.102] (CPE0013100e2c51-CM001cea35caa6.cpe.net.cable.rogers.com. [99.231.4.27]) by mx.google.com with ESMTPSA id b5sm43405105oby.12.2013.05.30.15.21.19 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 30 May 2013 15:21:20 -0700 (PDT)
Message-ID: <51A7D0CB.4030707@gmail.com>
Date: Thu, 30 May 2013 18:20:59 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B18458F26@xmb-rcd-x04.cisco.com>
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B18458F26@xmb-rcd-x04.cisco.com>
Content-Type: multipart/alternative; boundary="------------030801060800000704060100"
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Attacker changing tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 22:21:30 -0000

Hi David:

Agreed, in principle. Nevertheless, defining something along the lines 
k:=Hash(K, TagLength) has the benefit that if one does not heed the 
advice, one still does not run into trouble.

BTW - There may be use cases where having a "sliding scale" authenticity 
tag without having to change the key has advantages, e.g., in scenarios 
where one wishes to save bandwidth in non-adversarial environments (or 
when one nearly runs out of batteries and is more interested in 
squeezing as much out of the remaining communications, no matter the 
loss of authenticity). In those cases, having a built-in mechanism for 
deriving a tag length based key has some merit. Of course, one could 
achieve this functionality also via other means, such as, e.g., by 
partitioning the nonce space according to authenticity tag length, 
thereby using a tag-length based nonce, rather than a tag-length based 
derived key, and without the need to pick a hash function.

Best regards, Rene

On 5/30/2013 5:04 PM, David McGrew (mcgrew) wrote:
> Hi Rene,
>
> From: Rene Struik <rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com>>
> Date: Thursday, May 30, 2013 3:59 PM
> To: "Igoe, Kevin M." <kmigoe@nsa.gov <mailto:kmigoe@nsa.gov>>
> Cc: "cfrg@ietf.org <mailto:cfrg@ietf.org>" <cfrg@ietf.org 
> <mailto:cfrg@ietf.org>>
> Subject: Re: [Cfrg] Attacker changing tag length in OCB
>
>     Dear colleagues:
>
>     The observation that some AEADs have the property that one can
>     truncate the authentication tag without affecting AEAD unsecuring
>     operations was brought up by Rogaway and Wagner in their 2003
>     "Critique on CCM" paper (Section 3.4). It is therefore kind of
>     interesting to see that the same observation applies to the OCB mode.
>
>     Whether or not it is good to build-in protection against poor
>     policy choices and management thereof is a matter of taste.
>     History suggests that lots of security vulnerabilities arise
>     precisely because of these poor choices (or lack of knowledge of
>     impact of policy on security services offered). One could shield
>     against poor choices in various ways, e.g., by using as key
>     k:=Hash(K, TagLength).
>
>
> Agreed.  The poor choice that is relevant here is the use of the same 
> OCB secret key with two different tag lengths.   If someone uses a 
> single key in both AEAD_AES_128_OCB_TAGLEN64 
> and AEAD_AES_128_OCB_TAGLEN128, then it is likely that they have also 
> not satisfied the nonce uniqueness requirements, so the tag truncation 
> and substitution attack seems like the least of their worries.   
> (Given two distinct nonce/associated data/plaintext tuples with 
> identical nonces, it is easy for the attacker to craft forgeries.)
>
> In general, it should be acceptable for an AE algorithm to require 
> that each of the keys that are used to instantiate it are independent 
> (as well as random or pseudorandom).
>
> David
>
>
>
>     Best regards, Rene
>
>     Ref: CCM Mode Critique (Rogaway, Wagner,  IACR ePrint 2003-070)
>     http://eprint.iacr.org/2003/070
>
>     On 5/30/2013 3:21 PM, Igoe, Kevin M. wrote:
>>
>>     I agree with Richard.  The implicit assumption is that the length
>>     of the authentication tag has either been
>>
>>     agreed upon during the handshake or was a previously agreed upon
>>     parameter.  If you change the length
>>
>>     of the authentication tag in the live traffic, it almost
>>     certainly won’t pass authentication tag verification
>>
>>     by the intended recipient.  Offhand, I don’t see a security
>>     problem here.
>>
>>     *From:*cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] *On
>>     Behalf Of *Richard Barnes
>>     *Sent:* Wednesday, May 29, 2013 11:45 AM
>>     *To:* Manger, James H
>>     *Cc:* cfrg@ietf.org
>>     *Subject:* Re: [Cfrg] Attacker changing tag length in OCB
>>
>>     James,
>>
>>     Don't most current AEAD modes have this property?  Namely, that
>>     there's no protection on the length of the authentication tag.
>>      Off the top of my head, it seems that GCM, CCM, and SIV all have
>>     this property.
>>
>>     So while it might be nice for OCB to fix this issue,
>>     implementations processing AEAD messages will still have to
>>     enforce minimum tag lengths on their own.
>>
>>     --Richard
>>
>>     On Tue, May 28, 2013 at 8:47 PM, Manger, James H
>>     <James.H.Manger@team.telstra.com
>>     <mailto:James.H.Manger@team.telstra.com>> wrote:
>>
>>     >       Title: The OCB Authenticated-Encryption Algorithm
>>     >       Filename        : draft-irtf-cfrg-ocb-02.txt
>>     > http://tools.ietf.org/html/draft-irtf-cfrg-ocb-02
>>
>>     OCB with tag lengths of 64, 96, and 128 bits are defined. 64-bit
>>     and 96-bit tags are simply truncated 128-bit tags. The tag length
>>     is not mixed into the ciphertext. It never affects any input to
>>     an AES operation.
>>
>>     Consequently, given a valid output from the
>>     AEAD_AES_128_OCB_TAGLEN128 algorithm it is trivial to produce a
>>     valid output from the AEAD_AES_128_OCB_TAGLEN64 algorithm -- just
>>     drop the last 8 bytes.
>>
>>     Is this ok?
>>
>>     Another consequence is that an attacker wanting to change the
>>     additional data (eg from saying "TOP SECRET" to "PUBLIC") while
>>     keeping the same plaintext only has to defeat the shortest tag a
>>     recipient accepts, regardless of the tag applied by the originator.
>>
>>     Is this ok? It doesn’t feel ok.
>>
>>     Of course if a recipient accepts 64-bit tags an attacker can
>>     forge messages with a probability of 2^-64. However, that doesn’t
>>     seem to be exactly the same as forging a message with the same
>>     plaintext as a message originally authenticated with a 128-bit tag.
>>
>>     Would OCB be better if the algorithms with different tag lengths
>>     couldn’t affect each other? Perhaps restricting the nonce to <126
>>     bits (instead of <128 bits) and encoding the tag length in 2 bits.
>>
>>     --
>>     James Manger
>>     _______________________________________________
>>     Cfrg mailing list
>>     Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>>     http://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>>
>>     _______________________________________________
>>     Cfrg mailing list
>>     Cfrg@irtf.orghttp://www.irtf.org/mailman/listinfo/cfrg
>
>
>     -- 
>     email:rstruik.ext@gmail.com  | Skype: rstruik
>     cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email