Re: [Cfrg] Attacker changing tag length in OCB
"David McGrew (mcgrew)" <mcgrew@cisco.com> Thu, 30 May 2013 21:05 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60F2721F90CD for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 14:05:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.598
X-Spam-Level:
X-Spam-Status: No, score=-110.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NCXAZ9Q8LKM5 for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 14:05:16 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id 2E0C921F900C for <cfrg@ietf.org>; Thu, 30 May 2013 14:05:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=16999; q=dns/txt; s=iport; t=1369947912; x=1371157512; h=from:to:cc:subject:date:message-id:in-reply-to: mime-version; bh=oOTWUzpqYP7bv2Nnh8beaSc1v2F6aNCPGKmlwE1lLMo=; b=b+6RxDifws2XVsG2OU7SZnO5610BqDcYI4eCYX9F17ZGSea9BcBQGjpp ZkXoPb4JzKFQ1eBYOZGRpRIO65FThLbXzYCVc/rkjOALe/VpEG3aVnwRF eKwE+vdv7SL9jBTM47bZJtI8Iz4wLqOTgFz4iKB8YOzhZ7Z7je95ufCcl 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag4FAGK+p1GtJV2Y/2dsb2JhbABWA4JFRDC5XIg7fhZ0giMBAQEDAQEBASpBCwUNAQgOAwMBAQEBCh0oBgsUCQgCBA4FCAEWh1wDCQYMskANEIhCjDoKgRaBEQYHEwEQBgEGC4JlYQOLIAKKNoMPinSFI4MPgXE2
X-IronPort-AV: E=Sophos; i="4.87,773,1363132800"; d="scan'208,217"; a="216919358"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-7.cisco.com with ESMTP; 30 May 2013 21:05:06 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com [173.37.183.83]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id r4UL55dE011676 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 30 May 2013 21:05:05 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.77]) by xhc-rcd-x09.cisco.com ([173.37.183.83]) with mapi id 14.02.0318.004; Thu, 30 May 2013 16:04:59 -0500
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Rene Struik <rstruik.ext@gmail.com>, "Igoe, Kevin M." <kmigoe@nsa.gov>
Thread-Topic: [Cfrg] Attacker changing tag length in OCB
Thread-Index: AQHOXAYzU/l01yofGkG3ey8VZlpsmZkcopgAgAHO/ICAAAqZgP//zymA
Date: Thu, 30 May 2013 21:04:58 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B18458F26@xmb-rcd-x04.cisco.com>
In-Reply-To: <51A7AFA5.6010501@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.1.120420
x-originating-ip: [10.117.10.227]
Content-Type: multipart/alternative; boundary="_000_747787E65E3FBD4E93F0EB2F14DB556B18458F26xmbrcdx04ciscoc_"
MIME-Version: 1.0
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Attacker changing tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 21:05:21 -0000
Hi Rene, From: Rene Struik <rstruik.ext@gmail.com<mailto:rstruik.ext@gmail.com>> Date: Thursday, May 30, 2013 3:59 PM To: "Igoe, Kevin M." <kmigoe@nsa.gov<mailto:kmigoe@nsa.gov>> Cc: "cfrg@ietf.org<mailto:cfrg@ietf.org>" <cfrg@ietf.org<mailto:cfrg@ietf.org>> Subject: Re: [Cfrg] Attacker changing tag length in OCB Dear colleagues: The observation that some AEADs have the property that one can truncate the authentication tag without affecting AEAD unsecuring operations was brought up by Rogaway and Wagner in their 2003 "Critique on CCM" paper (Section 3.4). It is therefore kind of interesting to see that the same observation applies to the OCB mode. Whether or not it is good to build-in protection against poor policy choices and management thereof is a matter of taste. History suggests that lots of security vulnerabilities arise precisely because of these poor choices (or lack of knowledge of impact of policy on security services offered). One could shield against poor choices in various ways, e.g., by using as key k:=Hash(K, TagLength). Agreed. The poor choice that is relevant here is the use of the same OCB secret key with two different tag lengths. If someone uses a single key in both AEAD_AES_128_OCB_TAGLEN64 and AEAD_AES_128_OCB_TAGLEN128, then it is likely that they have also not satisfied the nonce uniqueness requirements, so the tag truncation and substitution attack seems like the least of their worries. (Given two distinct nonce/associated data/plaintext tuples with identical nonces, it is easy for the attacker to craft forgeries.) In general, it should be acceptable for an AE algorithm to require that each of the keys that are used to instantiate it are independent (as well as random or pseudorandom). David Best regards, Rene Ref: CCM Mode Critique (Rogaway, Wagner, IACR ePrint 2003-070) http://eprint.iacr.org/2003/070 On 5/30/2013 3:21 PM, Igoe, Kevin M. wrote: I agree with Richard. The implicit assumption is that the length of the authentication tag has either been agreed upon during the handshake or was a previously agreed upon parameter. If you change the length of the authentication tag in the live traffic, it almost certainly won’t pass authentication tag verification by the intended recipient. Offhand, I don’t see a security problem here. From:cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org> [mailto:cfrg-bounces@irtf.org] On Behalf Of Richard Barnes Sent: Wednesday, May 29, 2013 11:45 AM To: Manger, James H Cc: cfrg@ietf.org<mailto:cfrg@ietf.org> Subject: Re: [Cfrg] Attacker changing tag length in OCB James, Don't most current AEAD modes have this property? Namely, that there's no protection on the length of the authentication tag. Off the top of my head, it seems that GCM, CCM, and SIV all have this property. So while it might be nice for OCB to fix this issue, implementations processing AEAD messages will still have to enforce minimum tag lengths on their own. --Richard On Tue, May 28, 2013 at 8:47 PM, Manger, James H <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>> wrote: > Title : The OCB Authenticated-Encryption Algorithm > Filename : draft-irtf-cfrg-ocb-02.txt > http://tools.ietf.org/html/draft-irtf-cfrg-ocb-02 OCB with tag lengths of 64, 96, and 128 bits are defined. 64-bit and 96-bit tags are simply truncated 128-bit tags. The tag length is not mixed into the ciphertext. It never affects any input to an AES operation. Consequently, given a valid output from the AEAD_AES_128_OCB_TAGLEN128 algorithm it is trivial to produce a valid output from the AEAD_AES_128_OCB_TAGLEN64 algorithm -- just drop the last 8 bytes. Is this ok? Another consequence is that an attacker wanting to change the additional data (eg from saying "TOP SECRET" to "PUBLIC") while keeping the same plaintext only has to defeat the shortest tag a recipient accepts, regardless of the tag applied by the originator. Is this ok? It doesn’t feel ok. Of course if a recipient accepts 64-bit tags an attacker can forge messages with a probability of 2^-64. However, that doesn’t seem to be exactly the same as forging a message with the same plaintext as a message originally authenticated with a 128-bit tag. Would OCB be better if the algorithms with different tag lengths couldn’t affect each other? Perhaps restricting the nonce to <126 bits (instead of <128 bits) and encoding the tag length in 2 bits. -- James Manger _______________________________________________ Cfrg mailing list Cfrg@irtf.org<mailto:Cfrg@irtf.org> http://www.irtf.org/mailman/listinfo/cfrg _______________________________________________ Cfrg mailing list Cfrg@irtf.org<mailto:Cfrg@irtf.org>http://www.irtf.org/mailman/listinfo/cfrg -- email: rstruik.ext@gmail.com<mailto:rstruik.ext@gmail.com> | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- [Cfrg] I-D Action: draft-irtf-cfrg-ocb-02.txt internet-drafts
- [Cfrg] Attacker changing tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing tag length in OCB Ted Krovetz
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB Richard Barnes
- Re: [Cfrg] Attacker changing tag length in OCB Igoe, Kevin M.
- Re: [Cfrg] Attacker changing tag length in OCB Rene Struik
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB David McGrew (mcgrew)
- Re: [Cfrg] Attacker changing tag length in OCB Richard Barnes
- Re: [Cfrg] Attacker changing tag length in OCB Rene Struik
- Re: [Cfrg] Attacker changing tag length in OCB Ted Krovetz
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB Dan Brown
- Re: [Cfrg] Attacker changing tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing tag length in OCB Dan Brown