IETF Logo Mail Archive

Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Mon, 14 September 2020 12:03 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 462EA3A093A for <cfrg@ietfa.amsl.com>; Mon, 14 Sep 2020 05:03:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AF5iG_uWMuby for <cfrg@ietfa.amsl.com>; Mon, 14 Sep 2020 05:03:37 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D33F3A0936 for <cfrg@irtf.org>; Mon, 14 Sep 2020 05:03:36 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id z19so13134644lfr.4 for <cfrg@irtf.org>; Mon, 14 Sep 2020 05:03:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=MKOANZ0/ExmIZvDNSeVjHYgA8gOvTNFbV+v4EFooadU=; b=r1JeikD+IaAkSS0gYhUur6J0hCcEWIh/sT43C3vJ+KA5TggH0VLc7MJ6b282/0N6ga mvYENaa1PlstLj0OIye2NnjG1jek3PY51LLM5fc4wVTDoyGmuqCjS0SFfdoISsEy7RwF AdklTCbVt97LFLkfhVNr2z0O5pXQ0m8AvBmtzAYg9N24Dkc51+P2dlVAUN16z5mTg4K1 4HleGrmdWe+nS2TnATpGelPdCK5TtxdQfP1F951IRa08c7+eNhCEkFwSw4ZxXTGn0Sle T+CAmoVvVuS7oYSZTqRrFNcsrstxf5kQqZvjLpEfCuO6BuznhnorkWze2IsfJ+SJpbdg WOWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=MKOANZ0/ExmIZvDNSeVjHYgA8gOvTNFbV+v4EFooadU=; b=CNzvo08ukg+FhucsoxVm0Lq+eb6Hg7l1tZs2wOgQv1UHOgdIe6D5lVpDh77sZiptHB 13PXI4L/FOMI9cBQCwNnCyBbtfZBlHWUFNdWxrAdc7BUdHqticUCFjy5JWoyFCj1BUWN 6OfrpUnx7oJFYzMZy0OZvpuyn7OsITl8UsZxjg8AaG1obvIYR8zfuQoiyhk9kqGedwl3 o2XKxOSYdf3d8ex5uVx1EtHyVZ3VGc1nyzIeVhXaxhbXYS6zrHpB6UVcy3HVHlXoom4c MzYyJhx41d1UqCLRDAQaYJtlZacmxkusZ34ki6n4fIT1jjJD/Agz+C2ZoohG7KTmU30y bqCA==
X-Gm-Message-State: AOAM531y7op2a+rH440/c8mQEGM3MA59kAjqXG6etUVK2uCrHvQXOAQ6 zhM0wgr/KaRiC4d/8bi51kBk00ZoR8DjAw==
X-Google-Smtp-Source: ABdhPJyWQ4wl9yE7Edw/SganddMJ6smlSl3wwHsC7rZe2ydX5IFgqci9xPGq7WdlzuyBKO84XAdfrQ==
X-Received: by 2002:a19:4251:: with SMTP id p78mr5212048lfa.154.1600085014657; Mon, 14 Sep 2020 05:03:34 -0700 (PDT)
Received: from wifi-pro-82-136.paris.inria.fr (wifi-pro-82-136.paris.inria.fr. [128.93.82.136]) by smtp.gmail.com with ESMTPSA id k10sm4009635lja.112.2020.09.14.05.03.33 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 14 Sep 2020 05:03:34 -0700 (PDT)
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Message-Id: <69E63AC4-15B1-4B93-96C3-C346DB02D829@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_18D28EFA-8C30-4439-A37B-4CF48BFE0625"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Mon, 14 Sep 2020 14:03:32 +0200
In-Reply-To: <01F5178D-5308-417A-B1BC-E189C1422FE1@gmail.com>
Cc: cfrg@irtf.org
To: Julia Len <jlen@cs.cornell.edu>
References: <CAK0e1DrM6MVz5vk6HV4NPtcXExB88vWdsoPFiOicUOMOest26Q@mail.gmail.com> <01F5178D-5308-417A-B1BC-E189C1422FE1@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/DkzVZmESj8E_pDbuEQMc1FnTxZg>
Subject: Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2020 12:03:39 -0000

Hi Julia,

After going through the paper, we better understand the attack.

One of your proposed countermeasures was to require that the PSK should be a random value with sufficient entropy.
If we were to change the wording in the spec to require that the PSK must be (at least) a 32 byte random value,
that would sufficiently reduce the advantage in the PO attack, yes?

Best regards,
Karthik

> On 10 Sep 2020, at 03:31, Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> wrote:
> 
> Hello Julia,
> 
> Thanks for this email.
> 
> Could you share a draft of [LGR20] so we can study the issue?
> 
> -Karthik
> 
>> On 2 Sep 2020, at 00:07, Julia Len <jlen@cs.cornell.edu <mailto:jlen@cs.cornell.edu>> wrote:
>> 
>> The HPKE PSK-based sender authentication scheme could be vulnerable to what we call a partitioning oracle (PO) attack (the paper [LGR20] is in preparation -- drafts are available upon request). 
>> 
>> Partitioning oracle attacks against HPKE target authenticated encryption with associated data (AEAD) schemes that are non-committing, meaning attackers can construct ciphertexts that decrypt without error under more than one key. HPKE only supports GCM and ChaCha20/Poly1305 for AEAD, both of which are non-committing.
>> 
>> If decryption failures are observable to the sender of an HPKE ciphertext, a partitioning oracle attack can recover the PSK from a set of possible keys S as follows. An attacker can split S into two sets S0 and S1. It can then run the KEM with the receiver’s public key to get the DH shared secret, and then derive the set of AEAD keys K for each key in S0. A ciphertext can be computed so that it decrypts correctly for all keys in K. The attacker must then be able to determine whether decryption succeeds. If the ciphertext is decrypted correctly, the correct PSK must be in S0, and if the ciphertext does not decrypt, the correct PSK must be in S1. The attacker can then repeat the above steps, setting S appropriately to S0 or S1, until it finds the correct PSK. This attack enables the adversary to recover the PSK in time logarithmic in the size of the original set S. 
>> 
>> The draft anticipates a decryption oracle being used to attempt to learn the PSK. The authors observe that with “access to an oracle that allows to distinguish between a good and a wrong PSK, [the sender] can perform a dictionary attack on the PSK”. However, because the AEADs are non-committing, a PO attack can potentially give an exponential speed-up over a naive dictionary attack, making remote PSK recovery more feasible. Furthermore, while the scheme specifies it is not suitable for use with passwords, it does permit short PSKs. (Section 8.4 currently says ‘Using a PSK shorter than "Nh" bytes is permitted.’, where Nh is the output size of the key derivation function.)
>> 
>> Our recommended mitigation is changing the HPKE PSK sender auth construction to use a committing AEAD scheme. For example, Encrypt-then-HMAC type schemes can be made committing. Unfortunately we are unaware of any standard that specifies a committing AEAD scheme. A less disruptive mitigation is to strengthen the language in the HPKE specification, warning about partitioning oracle attacks and requiring PSKs to have sufficient min-entropy (say, 128 bits) to make PSK extraction via partitioning oracle infeasible. Example text for consideration is below:
>> 
>> The second paragraph of Section 8.4 could be modified to say the following:
>> 
>> HPKE is specified to use HKDF as key derivation function. HKDF is not designed to slow down dictionary attacks, see [RFC5869 <https://www.ietf.org/id/draft-irtf-cfrg-hpke-05.html#RFC5869>]. Thus, HPKE's PSK mechanism is not suitable for use with a low-entropy password as the PSK: in scenarios in which the adversary knows the KEM shared secret shared_secret and has access to an oracle that allows to distinguish between a good and a wrong PSK, it can perform PSK-recovering attacks. This oracle can be the decryption operation on a captured HPKE ciphertext or any other recipient behavior which is observably different when using a wrong PSK. The adversary knows the KEM shared secret shared_secret if it knows all KEM private keys of one participant. In the PSK mode this is trivially the case if the adversary acts as sender.  
>> 
>> To recover a lower entropy PSK, an attacker in this scenario can trivially perform a dictionary attack. Given a set S of possible PSK values, the attacker generates an HPKE ciphertext using each value in S, and submits the resulting ciphertexts to the oracle to learn which PSK is being used by the receiver. Further, because HPKE uses AEAD schemes that are not key-committing, an attacker can mount a partitioning oracle attack [LGR20] which can recover the PSK from a set of S possible PSK values, with |S| = m*k, in roughly m + log k queries to the oracle using ciphertexts of length proportional to k, the maximum message length in blocks. The PSK must therefore be chosen with sufficient entropy so that m + log k is prohibitive for attackers (e.g., 2^128).
>> 
>> [LGR20] Len, J., Grubbs, P., Ristenpart, T. Partitioning Oracle Attacks. In preparation, 2020.
>> 
>> Regards,
>> Julia Len, Paul Grubbs, and Tom Ristenpart
>> 
>> 
>> > Dear CFRG participants,
>> >
>> > This message starts a second 2-week RGLC on "Hybrid Public Key
>> > Encryption" (draft-irtf-cfrg-hpke-05), that will end on August 31st. See
>> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/ <https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/> for the latest
>> > version of the draft.
>> >
>> > We are having the second RGLC because we didn't have much feedback during
>> > the first RGLC and because we have obtained two new Crypto Panel reviews:
>> >
>> > https://mailarchive.ietf.org/arch/msg/crypto-panel/Ol1Mm8JUpmgapgq8ppnBQQSlEkE/ <https://mailarchive.ietf.org/arch/msg/crypto-panel/Ol1Mm8JUpmgapgq8ppnBQQSlEkE/>
>> > https://mailarchive.ietf.org/arch/msg/cfrg/7zhOHPFkCyZC00xLZnsEBT3o6ZU/ <https://mailarchive.ietf.org/arch/msg/cfrg/7zhOHPFkCyZC00xLZnsEBT3o6ZU/>
>> >
>> > Please send your comments, as well as expression of support to publish as
>> > an RFC (or possible reasons for not doing so) in reply to this message or
>> > directly to CFRG chairs.
>> >
>> >
>> 
>> > Regards,
>> > Stanislav, Nick and Alexey
>> > _______________________________________________
>> > Cfrg mailing list
>> > Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>> > https://www.irtf.org/mailman/listinfo/cfrg <https://www.irtf.org/mailman/listinfo/cfrg>_______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email