Re: [Cfrg] Attacker changing tag length in OCB
Richard Barnes <rlb@ipv.sx> Thu, 30 May 2013 21:34 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4DE621F93F0 for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 14:34:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.274
X-Spam-Level:
X-Spam-Status: No, score=0.274 tagged_above=-999 required=5 tests=[AWL=-1.083, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YBivF7FsLY2Q for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 14:34:48 -0700 (PDT)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com [IPv6:2607:f8b0:4003:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id C059621F937A for <cfrg@ietf.org>; Thu, 30 May 2013 14:34:48 -0700 (PDT)
Received: by mail-ob0-f174.google.com with SMTP id wd20so1645583obb.19 for <cfrg@ietf.org>; Thu, 30 May 2013 14:34:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=GJ28/6pn8MeNMEsoIZ8Piw/NnWxeWp+se+/mHvMUCA0=; b=g8oZOV9EC7E7HZbzqyjmvfN2luCCanKDQdkDm6HKJHIoDGdhuuszooMP13z3CPtx4z HrOYiIrvliWSpR7Na7MT59IHzPFbn/5h3Vyq3t/DqViW/KkbypFY2BG0ICBfpCVqNSpH sUWBV4XxVihmEsAXf1LGbzHqwHtOHNute4K4WjKGNZdp2/zxXrsorYX+xWd25PA2sB+1 wLXxFPxV3u5jhHxzy/npzV4ipoBaAuhYxeE/vWJbtGK80DmBCBhzR4HBBbyh8xHtTmsu UEvlOCsHlG5AgzhG2x/KF/XNPQapoxg0xeet0kQQRRvOtIjTpJtWIt34e+FwR5/u12gq 2UDQ==
MIME-Version: 1.0
X-Received: by 10.60.42.237 with SMTP id r13mr5014290oel.61.1369949688193; Thu, 30 May 2013 14:34:48 -0700 (PDT)
Received: by 10.60.84.8 with HTTP; Thu, 30 May 2013 14:34:48 -0700 (PDT)
X-Originating-IP: [108.18.40.68]
In-Reply-To: <CDCD290D.15B32%uri@ll.mit.edu>
References: <51A7AFA5.6010501@gmail.com> <CDCD290D.15B32%uri@ll.mit.edu>
Date: Thu, 30 May 2013 17:34:48 -0400
Message-ID: <CAL02cgTsb9F32dAbyF3jp83zTR0=JF3qh1XgS6tBFdDaRjuCbQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
Content-Type: multipart/alternative; boundary="001a11c206aa8675df04ddf6440c"
X-Gm-Message-State: ALoCoQl4hONgqofQUv1k4BOiNvNHTKB8D0rf2jD5Dg5d54ixJPWB0/mf7/6reaLP3SYLBgjdZFHt
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Attacker changing tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 21:34:52 -0000
To be clear, I was not saying that we shouldn't change OCB. Just that this is not a new problem for AEAD, nor one that will go away if we fix OCB. On Thursday, May 30, 2013, Blumenthal, Uri - 0558 - MITLL wrote: > Kevin, > > You agree with Richard – and I agree with Rene and James. There's no > reason not to introduce an extra bit of (maybe unnecessary?) protection, as > justification "nobody could/would get this wrong" has failed many people > many times. > -- > Regards, > Uri Blumenthal > > From: Rene Struik <rstruik.ext@gmail.com <javascript:_e({}, 'cvml', > 'rstruik.ext@gmail.com');>> > Date: Thursday, May 30, 2013 15:59 > To: "Igoe, Kevin M." <kmigoe@nsa.gov <javascript:_e({}, 'cvml', > 'kmigoe@nsa.gov');>> > Cc: "cfrg@ietf.org <javascript:_e({}, 'cvml', 'cfrg@ietf.org');>" < > cfrg@ietf.org <javascript:_e({}, 'cvml', 'cfrg@ietf.org');>> > Subject: Re: [Cfrg] Attacker changing tag length in OCB > > Dear colleagues: > > The observation that some AEADs have the property that one can truncate > the authentication tag without affecting AEAD unsecuring operations was > brought up by Rogaway and Wagner in their 2003 "Critique on CCM" paper > (Section 3.4). It is therefore kind of interesting to see that the same > observation applies to the OCB mode. > > Whether or not it is good to build-in protection against poor policy > choices and management thereof is a matter of taste. History suggests that > lots of security vulnerabilities arise precisely because of these poor > choices (or lack of knowledge of impact of policy on security services > offered). One could shield against poor choices in various ways, e.g., by > using as key k:=Hash(K, TagLength). > > Best regards, Rene > > Ref: CCM Mode Critique (Rogaway, Wagner, IACR ePrint 2003-070) > http://eprint.iacr.org/2003/070 > > On 5/30/2013 3:21 PM, Igoe, Kevin M. wrote: > > I agree with Richard. The implicit assumption is that the length of the > authentication tag has either been**** > > agreed upon during the handshake or was a previously agreed upon > parameter. If you change the length**** > > of the authentication tag in the live traffic, it almost certainly won’t > pass authentication tag verification**** > > by the intended recipient. Offhand, I don’t see a security problem here.* > *** > > ** ** > > ** ** > > *From:*cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] *On Behalf Of > *Richard Barnes > *Sent:* Wednesday, May 29, 2013 11:45 AM > *To:* Manger, James H > *Cc:* cfrg@ietf.org > *Subject:* Re: [Cfrg] Attacker changing tag length in OCB**** > > ** ** > > James,**** > > ** ** > > Don't most current AEAD modes have this property? Namely, that there's no > protection on the length of the authentication tag. Off the top of my > head, it seems that GCM, CCM, and SIV all have this property.**** > > ** ** > > So while it might be nice for OCB to fix this issue, implementations > processing AEAD messages will still have to enforce minimum tag lengths on > their own.**** > > ** ** > > --Richard**** > > ** ** > > ** ** > > On Tue, May 28, 2013 at 8:47 PM, Manger, James H < > James.H.Manger@team.telstra.com> wrote:**** > > > Title : The OCB Authenticated-Encryption Algorithm > > Filename : draft-irtf-cfrg-ocb-02.txt > > http://tools.ietf.org/html/draft-irtf-cfrg-ocb-02 > > OCB with tag lengths of 64, 96, and 128 bits are defined. 64-bit and > 96-bit tags are simply truncated 128-bit tags. The tag length is not mixed > into the ciphertext. It never affects any input to an AES operation. > > Consequently, given a valid output from the AEAD_AES_128_OCB_TAGLEN128 > algorithm it is trivial to produce a valid output from the > AEAD_AES_128_OCB_TAGLEN64 algorithm -- just drop the last 8 bytes. > > Is this ok? > > Another consequence is that an attacker wanting to change the additional > data (eg from saying "TOP SECRET" to "PUBLIC") while keeping the same > plaintext only has to defeat the shortest tag a recipient accepts, > regardless of the tag applied by the originator. > > Is this ok? It doesn’t feel ok. > > Of course if a recipient accepts 64-bit tags an attacker can forge > messages with a probability of 2^-64. However, that doesn’t seem to be > exactly the same as forging a message with the same plaintext as a message > originally authenticated with a 128-bit tag. > > Would OCB be better if the algorithms with different tag lengths couldn’t > affect each other? Perhaps restricting the nonce to <126 bits (instead of > <128 bits) and encoding the tag length in 2 bits. > > -- > James Manger > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg****< > > _______________________________________________ > Cfrg mailing listCfrg@irtf.org <javascript:_e({}, 'cvml', 'Cfrg@irtf.org');>http://www.irtf.org/mailman/listinfo/cfrg > > > > -- > email: rstruik.ext@gmail.com <javascript:_e({}, 'cvml', 'rstruik.ext@gmail.com');> | Skype: rstruik > cell: +1 (647) 867-5658 | US: +1 (415) 690-7363 > >
- [Cfrg] I-D Action: draft-irtf-cfrg-ocb-02.txt internet-drafts
- [Cfrg] Attacker changing tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing tag length in OCB Ted Krovetz
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB Richard Barnes
- Re: [Cfrg] Attacker changing tag length in OCB Igoe, Kevin M.
- Re: [Cfrg] Attacker changing tag length in OCB Rene Struik
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB David McGrew (mcgrew)
- Re: [Cfrg] Attacker changing tag length in OCB Richard Barnes
- Re: [Cfrg] Attacker changing tag length in OCB Rene Struik
- Re: [Cfrg] Attacker changing tag length in OCB Ted Krovetz
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB Dan Brown
- Re: [Cfrg] Attacker changing tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing tag length in OCB Dan Brown