Re: [Cfrg] Attacker changing tag length in OCB

Ted Krovetz <ted@krovetz.net> Fri, 31 May 2013 00:15 UTC

> There's no reason not to introduce an extra bit of (maybe unnecessary?) protection

There are some costs.

- Redo test vectors. All the test vectors would have to be regenerated. This is not hard, but some confidence has been built up about the current vectors by several implementors, and the confidence building would need to start over.

- Change of algorithm. The OCB algorithm has been stable for some time, and OCB is already being used in some products. Any changes to the algorithm would be problematic for these early adopters.

Without these costs I would not hesitate to agree to the change, but with them I'm inclined to keep things as they are.