Re: [Cfrg] GCM nonce reuse question

Jim:

RFC 5084 and RFC 6476 both show approaches to the use of authenticated encryption with CMS.  Is there some reason that JOSE is not following one of these approaches?

Russ

On Apr 2, 2013, at 11:59 AM, John Bradley wrote:

> Jim,
> 
> I don't think Mike was proposing that as a solution, but rather an attempt to characterize the issue.
> 
> Yes changing the nonce per recipient would cause the cypher text produced by GCM to change per recipient and need to be repeated, making it an array of JWE effectively, and not really anyones idea of encrypting to multiple recipients.
> 
> In a later email I asked David if we have the same or similar issue with his AES-CBC+HMAC. 
> 
> Perhaps and I think it is too early to go there, perhaps not all encryption algorithms are equally well suited to using with multiple recipients.
> 
> John B.
> 
> On 2013-04-02, at 12:48 PM, "Jim Schaad" <jimsch@augustcellars.com> wrote:
> 
>> Mike,
>>  
>> I will note that this is not going to be considered an acceptable solution for the JOSE group.  You don’t really want to increase the size of the message by n*base64 encoding where in is the number of recipients.
>>  
>> Jim
>>  
>>  
>> From: Mike Jones [mailto:Michael.Jones@microsoft.com] 
>> Sent: Monday, April 01, 2013 5:55 PM
>> To: David McGrew (mcgrew); Jim Schaad
>> Cc: cfrg@irtf.org; John Bradley
>> Subject: RE: GCM nonce reuse question
>>  
>> Hi David,
>>  
>> In reading this thread and http://tools.ietf.org/html/draft-mcgrew-iv-gen-02, I believe that it’s OK, however if the usage is:
>>  
>> (Recipient #1 ciphertext, Recipient #1 authentication tag) = GCM(Key, Recipient #1 data, nonce #1, plain text)
>> (Recipient #2 ciphertext, Recipient #2 authentication tag) = GCM(Key, Recipient #2 data, nonce #2, plain text)
>>  
>> where nonce #1 and nonce #2 are guaranteed to be distinct?  Am I reading things correctly in that regard?
>>  
>>                                                                 Thanks,
>>                                                                 -- Mike
>>  
>> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of David McGrew (mcgrew)
>> Sent: Thursday, March 28, 2013 4:15 AM
>> To: Jim Schaad
>> Cc: cfrg@irtf.org
>> Subject: Re: [Cfrg] GCM nonce reuse question
>>  
>> Hi Jim,
>>  
>> From: Jim Schaad <jimsch@augustcellars.com>
>> Date: Wednesday, March 27, 2013 6:43 PM
>> To: David McGrew <mcgrew@cisco.com>
>> Cc: "cfrg@irtf.org" <cfrg@irtf.org>
>> Subject: GCM nonce reuse question
>>  
>> David,
>>  
>> In doing a write up I became worried about a security property of the GCM encryption mode in the way that the JOSE group is currently using it.
>>  
>> There are known problems with not having a unique set of values for IVs and Key pairings.  Do these problems apply to having a different set of auxiliary data as well as the plain text?
>>  
>>  
>> Yes.  The security issues are summarized in http://tools.ietf.org/html/rfc5116#section-5.1.1  but apparently they are not described generally enough.   They should read "plaintext or associated data values".
>>  
>> Specifically the current way that GCM mode is being used in JOSE is
>>  
>> Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain text)
>> Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain text)
>>  
>> As the key, nonce and plain text are fixed it would produce the same encrypted text value but different authentication tags.
>>  
>>  
>> Can't do that.   Each invocation of the encryption operation needs a distinct nonce, unless all of the encryption operation inputs are identical.
>>  
>> Many thanks for calling this out, Jim.
>>  
>> David
>>  
>> Jim
>>  
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg