IETF Logo Mail Archive

Re: [Cfrg] Attacker changing tag length in OCB

"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Thu, 30 May 2013 20:08 UTC

Return-Path: <prvs=98622fc584=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75F0921F8F43 for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 13:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.9
X-Spam-Level:
X-Spam-Status: No, score=-5.9 tagged_above=-999 required=5 tests=[AWL=-0.699, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bvk5dWJlPOwJ for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 13:08:08 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id E971E21F8233 for <cfrg@ietf.org>; Thu, 30 May 2013 13:08:07 -0700 (PDT)
Received: from LLE2K7-HUB01.mitll.ad.local (LLE2K7-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id r4UK3sKH020568; Thu, 30 May 2013 16:08:05 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: Rene Struik <rstruik.ext@gmail.com>, "Igoe, Kevin M." <kmigoe@nsa.gov>
Date: Thu, 30 May 2013 16:06:38 -0400
Thread-Topic: [Cfrg] Attacker changing tag length in OCB
Thread-Index: Ac5dcTNu2M6CS2N8SbaziWKoAsil5g==
Message-ID: <CDCD290D.15B32%uri@ll.mit.edu>
In-Reply-To: <51A7AFA5.6010501@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.4.130416
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3452774798_10332205"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8626, 1.0.431, 0.0.0000 definitions=2013-05-30_06:2013-05-30, 2013-05-30, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1211240000 definitions=main-1305300177
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Attacker changing tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 20:08:12 -0000

Kevin,

You agree with Richard ­ and I agree with Rene and James. There's no reason
not to introduce an extra bit of (maybe unnecessary?) protection, as
justification "nobody could/would get this wrong" has failed many people
many times.
--
Regards,
Uri Blumenthal

From:  Rene Struik <rstruik.ext@gmail.com>
Date:  Thursday, May 30, 2013 15:59
To:  "Igoe, Kevin M." <kmigoe@nsa.gov>
Cc:  "cfrg@ietf.org" <cfrg@ietf.org>
Subject:  Re: [Cfrg] Attacker changing tag length in OCB

> Dear colleagues:
> 
> The observation that some AEADs have the property that one can truncate the
> authentication tag without affecting AEAD unsecuring operations was brought up
> by Rogaway and Wagner in their 2003 "Critique on CCM" paper (Section 3.4). It
> is therefore kind of interesting to see that the same observation applies to
> the OCB mode.
> 
> Whether or not it is good to build-in protection against poor policy choices
> and management thereof is a matter of taste. History suggests that lots of
> security vulnerabilities arise precisely because of these poor choices (or
> lack of knowledge of impact of policy on security services offered). One could
> shield against poor choices in various ways, e.g., by using as key k:=Hash(K,
> TagLength).
> 
> Best regards, Rene
> 
> Ref: CCM Mode Critique (Rogaway, Wagner,  IACR ePrint 2003-070)
> http://eprint.iacr.org/2003/070
> 
> On 5/30/2013 3:21 PM, Igoe, Kevin M. wrote:
>> I agree with Richard.  The implicit assumption is that the length of the
>> authentication tag has either been
>> agreed upon during the handshake or was a previously agreed upon parameter.
>> If you change the length
>> of the authentication tag in the live traffic, it almost certainly won¹t pass
>> authentication tag verification
>> by the intended recipient.  Offhand, I don¹t see a security problem here.
>>  
>>  
>> 
>> From:cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of
>> Richard Barnes
>> Sent: Wednesday, May 29, 2013 11:45 AM
>> To: Manger, James H
>> Cc: cfrg@ietf.org
>> Subject: Re: [Cfrg] Attacker changing tag length in OCB
>>  
>> 
>> James,
>> 
>>  
>> 
>> Don't most current AEAD modes have this property?  Namely, that there's no
>> protection on the length of the authentication tag.  Off the top of my head,
>> it seems that GCM, CCM, and SIV all have this property.
>> 
>>  
>> 
>> So while it might be nice for OCB to fix this issue, implementations
>> processing AEAD messages will still have to enforce minimum tag lengths on
>> their own.
>> 
>>  
>> 
>> --Richard
>> 
>>  
>> 
>>  
>> 
>> On Tue, May 28, 2013 at 8:47 PM, Manger, James H
>> <James.H.Manger@team.telstra.com> wrote:
>>> >       Title           : The OCB Authenticated-Encryption Algorithm
>>> >       Filename        : draft-irtf-cfrg-ocb-02.txt
>>> > http://tools.ietf.org/html/draft-irtf-cfrg-ocb-02
>> 
>> OCB with tag lengths of 64, 96, and 128 bits are defined. 64-bit and 96-bit
>> tags are simply truncated 128-bit tags. The tag length is not mixed into the
>> ciphertext. It never affects any input to an AES operation.
>> 
>> Consequently, given a valid output from the AEAD_AES_128_OCB_TAGLEN128
>> algorithm it is trivial to produce a valid output from the
>> AEAD_AES_128_OCB_TAGLEN64 algorithm -- just drop the last 8 bytes.
>> 
>> Is this ok?
>> 
>> Another consequence is that an attacker wanting to change the additional data
>> (eg from saying "TOP SECRET" to "PUBLIC") while keeping the same plaintext
>> only has to defeat the shortest tag a recipient accepts, regardless of the
>> tag applied by the originator.
>> 
>> Is this ok? It doesn¹t feel ok.
>> 
>> Of course if a recipient accepts 64-bit tags an attacker can forge messages
>> with a probability of 2^-64. However, that doesn¹t seem to be exactly the
>> same as forging a message with the same plaintext as a message originally
>> authenticated with a 128-bit tag.
>> 
>> Would OCB be better if the algorithms with different tag lengths couldn¹t
>> affect each other? Perhaps restricting the nonce to <126 bits (instead of
>> <128 bits) and encoding the tag length in 2 bits.
>> 
>> --
>> James Manger
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>>  
>> 
>>  
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.orghttp://www.irtf.org/mailman/listinfo/cfrg
> 
> 
> -- 
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email