IETF Logo Mail Archive

Re: [Cfrg] Attacker changing tag length in OCB

"Igoe, Kevin M." <kmigoe@nsa.gov> Thu, 30 May 2013 19:23 UTC

Return-Path: <kmigoe@nsa.gov>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2D5A21F9079 for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 12:23:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUUvb8g6fugs for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 12:23:27 -0700 (PDT)
Received: from nsa.gov (emvm-gh1-uea08.nsa.gov [63.239.67.9]) by ietfa.amsl.com (Postfix) with ESMTP id EFA2321F9052 for <cfrg@ietf.org>; Thu, 30 May 2013 12:23:26 -0700 (PDT)
X-TM-IMSS-Message-ID: <7a1ae1ec00118c44@nsa.gov>
Received: from MSHT-GH1-UEA01.corp.nsa.gov ([10.215.227.18]) by nsa.gov ([63.239.67.9]) with ESMTP (TREND IMSS SMTP Service 7.1; TLSv1/SSLv3 AES128-SHA (128/128)) id 7a1ae1ec00118c44 ; Thu, 30 May 2013 15:21:13 -0400
Received: from MSMR-GH1-UEA02.corp.nsa.gov (10.215.227.180) by MSHT-GH1-UEA01.corp.nsa.gov (10.215.227.18) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 30 May 2013 15:21:39 -0400
Received: from MSMR-GH1-UEA03.corp.nsa.gov ([10.215.224.3]) by MSMR-GH1-UEA02.corp.nsa.gov ([10.215.227.180]) with mapi id 14.01.0289.001; Thu, 30 May 2013 15:21:39 -0400
From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: 'Richard Barnes' <rlb@ipv.sx>, "Manger, James H" <James.H.Manger@team.telstra.com>
Thread-Topic: [Cfrg] Attacker changing tag length in OCB
Thread-Index: AQHOXAYi67WiOJDq00afKvp1JwFqNJkckdQAgAGI1lA=
Date: Thu, 30 May 2013 19:21:37 +0000
Message-ID: <3C4AAD4B5304AB44A6BA85173B4675CAB02596AF@MSMR-GH1-UEA03.corp.nsa.gov>
References: <20130528162226.1401.91015.idtracker@ietfa.amsl.com> <255B9BB34FB7D647A506DC292726F6E1151AC7071C@WSMSG3153V.srv.dir.telstra.com> <CAL02cgSt_qYpXfQLAXoAa6bbMXoYiSBAUe9gHQ1JO3M2GbOOhw@mail.gmail.com>
In-Reply-To: <CAL02cgSt_qYpXfQLAXoAa6bbMXoYiSBAUe9gHQ1JO3M2GbOOhw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.215.224.46]
Content-Type: multipart/alternative; boundary="_000_3C4AAD4B5304AB44A6BA85173B4675CAB02596AFMSMRGH1UEA03cor_"
MIME-Version: 1.0
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Attacker changing tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 19:23:32 -0000

I agree with Richard.  The implicit assumption is that the length of the authentication tag has either been
agreed upon during the handshake or was a previously agreed upon parameter.  If you change the length
of the authentication tag in the live traffic, it almost certainly won't pass authentication tag verification
by the intended recipient.  Offhand, I don't see a security problem here.


From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of Richard Barnes
Sent: Wednesday, May 29, 2013 11:45 AM
To: Manger, James H
Cc: cfrg@ietf.org
Subject: Re: [Cfrg] Attacker changing tag length in OCB

James,

Don't most current AEAD modes have this property?  Namely, that there's no protection on the length of the authentication tag.  Off the top of my head, it seems that GCM, CCM, and SIV all have this property.

So while it might be nice for OCB to fix this issue, implementations processing AEAD messages will still have to enforce minimum tag lengths on their own.

--Richard


On Tue, May 28, 2013 at 8:47 PM, Manger, James H <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>> wrote:
>       Title           : The OCB Authenticated-Encryption Algorithm
>       Filename        : draft-irtf-cfrg-ocb-02.txt
> http://tools.ietf.org/html/draft-irtf-cfrg-ocb-02

OCB with tag lengths of 64, 96, and 128 bits are defined. 64-bit and 96-bit tags are simply truncated 128-bit tags. The tag length is not mixed into the ciphertext. It never affects any input to an AES operation.

Consequently, given a valid output from the AEAD_AES_128_OCB_TAGLEN128 algorithm it is trivial to produce a valid output from the AEAD_AES_128_OCB_TAGLEN64 algorithm -- just drop the last 8 bytes.

Is this ok?

Another consequence is that an attacker wanting to change the additional data (eg from saying "TOP SECRET" to "PUBLIC") while keeping the same plaintext only has to defeat the shortest tag a recipient accepts, regardless of the tag applied by the originator.

Is this ok? It doesn't feel ok.

Of course if a recipient accepts 64-bit tags an attacker can forge messages with a probability of 2^-64. However, that doesn't seem to be exactly the same as forging a message with the same plaintext as a message originally authenticated with a 128-bit tag.

Would OCB be better if the algorithms with different tag lengths couldn't affect each other? Perhaps restricting the nonce to <126 bits (instead of <128 bits) and encoding the tag length in 2 bits.

--
James Manger
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email