Re: [Cfrg] Building a vector-input MAC by chained construction

Tony Arcieri <bascule@gmail.com> Tue, 18 December 2018 18:41 UTC

To: Mihir Bellare <mihir@eng.ucsd.edu>
Cc: Neil Madden <neil.e.madden@gmail.com>, cfrg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/H5mbDCMRNM4UyR4InbM6gbrq1Vc>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Tue, Dec 18, 2018 at 10:29 AM Mihir Bellare <mihir@eng.ucsd.edu> wrote:

> I may be missing something but this does not seem secure. Given the tag
> tag1 = MAC(key,x1) of a length-1 vector x1, we can compute the tag of the
> length-2 vector (x1,x2) as tag = MAC(tag1,x2).
>

This sort of "self-inflicted length extension attack" is leveraged by the
Macaroons construction by design to support an offline attenuation feature
for a credential format, with the caveat that the vector is itself a vector
of caveats. That is to say, in the context of Macaroons, extending the
vector only reduces authority, and can therefore be used by the holder of a
credential to delegate authority to a third party by passing the
credential, removing the original MAC, and adding further restrictions.
That said, ensuring Macaroon caveats only reduce authority, rather than
amplify it, is pretty much left as an exercise to the reader.

This does not seem like a desirable property in the context of a
construction like S2V.

-- 
Tony Arcieri
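
The chained construction discussed in this thread, as an added example that is not part of either message: it shows the keyless extension, a simplified Macaroon-style verifier that fails closed so extension can only narrow authority, and a single HMAC over a length-prefixed encoding as a non-extendable contrast (a stand-in, not S2V). The function names, the `field = value` caveat format and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DEMO_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def chained_mac(key: bytes, vector: list) -> bytes:
    """tag_1 = MAC(key, x_1); tag_i = MAC(tag_{i-1}, x_i)."""
    if not vector:
        raise ValueError("empty vector would return the key itself")
    tag = key
    for x in vector:
        tag = mac(tag, x)
    return tag

def extend(tag: bytes, extra: list) -> bytes:
    """No key needed: a tag for (x_1..x_n) yields the tag for (x_1..x_n, *extra)."""
    for x in extra:
        tag = mac(tag, x)
    return tag

def encoded_mac(key: bytes, vector: list) -> bytes:
    """Contrast: one HMAC over an injective encoding (element count, then
    length-prefixed elements). The tag is never reused as a key."""
    buf = struct.pack(">I", len(vector))
    for x in vector:
        buf += struct.pack(">I", len(x)) + x
    return mac(key, buf)

def caveat_holds(caveat: bytes, request: dict) -> bool:
    # Assumed caveat format "field = value"; anything unparseable fails closed.
    field, sep, value = caveat.decode("utf-8", "replace").partition(" = ")
    return sep != "" and request.get(field) == value

def macaroon_allows(root_key, ident, caveats, tag, request) -> bool:
    """Simplified Macaroon check: the chain over [ident, *caveats] must match
    and EVERY caveat must hold, so appending a caveat can only restrict."""
    expected = chained_mac(root_key, [ident] + list(caveats))
    if not hmac.compare_digest(expected, tag):
        return False
    return all(caveat_holds(c, request) for c in caveats)
```

Because the verifier ANDs every caveat and rejects ones it cannot parse, the extension property stays confined to attenuation; a verifier that skipped unknown caveats would lose that guarantee.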