Re: [Cfrg] Attacker changing tag length in OCB
"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Thu, 30 May 2013 20:08 UTC
Return-Path: <prvs=98622fc584=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75F0921F8F43 for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 13:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.9
X-Spam-Level:
X-Spam-Status: No, score=-5.9 tagged_above=-999 required=5 tests=[AWL=-0.699, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bvk5dWJlPOwJ for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 13:08:08 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id E971E21F8233 for <cfrg@ietf.org>; Thu, 30 May 2013 13:08:07 -0700 (PDT)
Received: from LLE2K7-HUB01.mitll.ad.local (LLE2K7-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id r4UK3sKH020568; Thu, 30 May 2013 16:08:05 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: Rene Struik <rstruik.ext@gmail.com>, "Igoe, Kevin M." <kmigoe@nsa.gov>
Date: Thu, 30 May 2013 16:06:38 -0400
Thread-Topic: [Cfrg] Attacker changing tag length in OCB
Thread-Index: Ac5dcTNu2M6CS2N8SbaziWKoAsil5g==
Message-ID: <CDCD290D.15B32%uri@ll.mit.edu>
In-Reply-To: <51A7AFA5.6010501@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.4.130416
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3452774798_10332205"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8626, 1.0.431, 0.0.0000 definitions=2013-05-30_06:2013-05-30, 2013-05-30, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1211240000 definitions=main-1305300177
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Attacker changing tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 20:08:12 -0000
Kevin, You agree with Richard and I agree with Rene and James. There's no reason not to introduce an extra bit of (maybe unnecessary?) protection, as justification "nobody could/would get this wrong" has failed many people many times. -- Regards, Uri Blumenthal From: Rene Struik <rstruik.ext@gmail.com> Date: Thursday, May 30, 2013 15:59 To: "Igoe, Kevin M." <kmigoe@nsa.gov> Cc: "cfrg@ietf.org" <cfrg@ietf.org> Subject: Re: [Cfrg] Attacker changing tag length in OCB > Dear colleagues: > > The observation that some AEADs have the property that one can truncate the > authentication tag without affecting AEAD unsecuring operations was brought up > by Rogaway and Wagner in their 2003 "Critique on CCM" paper (Section 3.4). It > is therefore kind of interesting to see that the same observation applies to > the OCB mode. > > Whether or not it is good to build-in protection against poor policy choices > and management thereof is a matter of taste. History suggests that lots of > security vulnerabilities arise precisely because of these poor choices (or > lack of knowledge of impact of policy on security services offered). One could > shield against poor choices in various ways, e.g., by using as key k:=Hash(K, > TagLength). > > Best regards, Rene > > Ref: CCM Mode Critique (Rogaway, Wagner, IACR ePrint 2003-070) > http://eprint.iacr.org/2003/070 > > On 5/30/2013 3:21 PM, Igoe, Kevin M. wrote: >> I agree with Richard. The implicit assumption is that the length of the >> authentication tag has either been >> agreed upon during the handshake or was a previously agreed upon parameter. >> If you change the length >> of the authentication tag in the live traffic, it almost certainly won¹t pass >> authentication tag verification >> by the intended recipient. Offhand, I don¹t see a security problem here. >> >> >> >> From:cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of >> Richard Barnes >> Sent: Wednesday, May 29, 2013 11:45 AM >> To: Manger, James H >> Cc: cfrg@ietf.org >> Subject: Re: [Cfrg] Attacker changing tag length in OCB >> >> >> James, >> >> >> >> Don't most current AEAD modes have this property? Namely, that there's no >> protection on the length of the authentication tag. Off the top of my head, >> it seems that GCM, CCM, and SIV all have this property. >> >> >> >> So while it might be nice for OCB to fix this issue, implementations >> processing AEAD messages will still have to enforce minimum tag lengths on >> their own. >> >> >> >> --Richard >> >> >> >> >> >> On Tue, May 28, 2013 at 8:47 PM, Manger, James H >> <James.H.Manger@team.telstra.com> wrote: >>> > Title : The OCB Authenticated-Encryption Algorithm >>> > Filename : draft-irtf-cfrg-ocb-02.txt >>> > http://tools.ietf.org/html/draft-irtf-cfrg-ocb-02 >> >> OCB with tag lengths of 64, 96, and 128 bits are defined. 64-bit and 96-bit >> tags are simply truncated 128-bit tags. The tag length is not mixed into the >> ciphertext. It never affects any input to an AES operation. >> >> Consequently, given a valid output from the AEAD_AES_128_OCB_TAGLEN128 >> algorithm it is trivial to produce a valid output from the >> AEAD_AES_128_OCB_TAGLEN64 algorithm -- just drop the last 8 bytes. >> >> Is this ok? >> >> Another consequence is that an attacker wanting to change the additional data >> (eg from saying "TOP SECRET" to "PUBLIC") while keeping the same plaintext >> only has to defeat the shortest tag a recipient accepts, regardless of the >> tag applied by the originator. >> >> Is this ok? It doesn¹t feel ok. >> >> Of course if a recipient accepts 64-bit tags an attacker can forge messages >> with a probability of 2^-64. However, that doesn¹t seem to be exactly the >> same as forging a message with the same plaintext as a message originally >> authenticated with a 128-bit tag. >> >> Would OCB be better if the algorithms with different tag lengths couldn¹t >> affect each other? Perhaps restricting the nonce to <126 bits (instead of >> <128 bits) and encoding the tag length in 2 bits. >> >> -- >> James Manger >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> http://www.irtf.org/mailman/listinfo/cfrg >> >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.orghttp://www.irtf.org/mailman/listinfo/cfrg > > > -- > email: rstruik.ext@gmail.com | Skype: rstruik > cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- [Cfrg] I-D Action: draft-irtf-cfrg-ocb-02.txt internet-drafts
- [Cfrg] Attacker changing tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing tag length in OCB Ted Krovetz
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB Richard Barnes
- Re: [Cfrg] Attacker changing tag length in OCB Igoe, Kevin M.
- Re: [Cfrg] Attacker changing tag length in OCB Rene Struik
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB David McGrew (mcgrew)
- Re: [Cfrg] Attacker changing tag length in OCB Richard Barnes
- Re: [Cfrg] Attacker changing tag length in OCB Rene Struik
- Re: [Cfrg] Attacker changing tag length in OCB Ted Krovetz
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB Dan Brown
- Re: [Cfrg] Attacker changing tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing tag length in OCB Dan Brown