Re: [Cfrg] Attacker changing tag length in OCB
"Igoe, Kevin M." <kmigoe@nsa.gov> Thu, 30 May 2013 19:23 UTC
Return-Path: <kmigoe@nsa.gov>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2D5A21F9079 for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 12:23:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUUvb8g6fugs for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 12:23:27 -0700 (PDT)
Received: from nsa.gov (emvm-gh1-uea08.nsa.gov [63.239.67.9]) by ietfa.amsl.com (Postfix) with ESMTP id EFA2321F9052 for <cfrg@ietf.org>; Thu, 30 May 2013 12:23:26 -0700 (PDT)
X-TM-IMSS-Message-ID: <7a1ae1ec00118c44@nsa.gov>
Received: from MSHT-GH1-UEA01.corp.nsa.gov ([10.215.227.18]) by nsa.gov ([63.239.67.9]) with ESMTP (TREND IMSS SMTP Service 7.1; TLSv1/SSLv3 AES128-SHA (128/128)) id 7a1ae1ec00118c44 ; Thu, 30 May 2013 15:21:13 -0400
Received: from MSMR-GH1-UEA02.corp.nsa.gov (10.215.227.180) by MSHT-GH1-UEA01.corp.nsa.gov (10.215.227.18) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 30 May 2013 15:21:39 -0400
Received: from MSMR-GH1-UEA03.corp.nsa.gov ([10.215.224.3]) by MSMR-GH1-UEA02.corp.nsa.gov ([10.215.227.180]) with mapi id 14.01.0289.001; Thu, 30 May 2013 15:21:39 -0400
From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: 'Richard Barnes' <rlb@ipv.sx>, "Manger, James H" <James.H.Manger@team.telstra.com>
Thread-Topic: [Cfrg] Attacker changing tag length in OCB
Thread-Index: AQHOXAYi67WiOJDq00afKvp1JwFqNJkckdQAgAGI1lA=
Date: Thu, 30 May 2013 19:21:37 +0000
Message-ID: <3C4AAD4B5304AB44A6BA85173B4675CAB02596AF@MSMR-GH1-UEA03.corp.nsa.gov>
References: <20130528162226.1401.91015.idtracker@ietfa.amsl.com> <255B9BB34FB7D647A506DC292726F6E1151AC7071C@WSMSG3153V.srv.dir.telstra.com> <CAL02cgSt_qYpXfQLAXoAa6bbMXoYiSBAUe9gHQ1JO3M2GbOOhw@mail.gmail.com>
In-Reply-To: <CAL02cgSt_qYpXfQLAXoAa6bbMXoYiSBAUe9gHQ1JO3M2GbOOhw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.215.224.46]
Content-Type: multipart/alternative; boundary="_000_3C4AAD4B5304AB44A6BA85173B4675CAB02596AFMSMRGH1UEA03cor_"
MIME-Version: 1.0
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Attacker changing tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 19:23:32 -0000
I agree with Richard. The implicit assumption is that the length of the authentication tag has either been agreed upon during the handshake or was a previously agreed upon parameter. If you change the length of the authentication tag in the live traffic, it almost certainly won't pass authentication tag verification by the intended recipient. Offhand, I don't see a security problem here. From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of Richard Barnes Sent: Wednesday, May 29, 2013 11:45 AM To: Manger, James H Cc: cfrg@ietf.org Subject: Re: [Cfrg] Attacker changing tag length in OCB James, Don't most current AEAD modes have this property? Namely, that there's no protection on the length of the authentication tag. Off the top of my head, it seems that GCM, CCM, and SIV all have this property. So while it might be nice for OCB to fix this issue, implementations processing AEAD messages will still have to enforce minimum tag lengths on their own. --Richard On Tue, May 28, 2013 at 8:47 PM, Manger, James H <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>> wrote: > Title : The OCB Authenticated-Encryption Algorithm > Filename : draft-irtf-cfrg-ocb-02.txt > http://tools.ietf.org/html/draft-irtf-cfrg-ocb-02 OCB with tag lengths of 64, 96, and 128 bits are defined. 64-bit and 96-bit tags are simply truncated 128-bit tags. The tag length is not mixed into the ciphertext. It never affects any input to an AES operation. Consequently, given a valid output from the AEAD_AES_128_OCB_TAGLEN128 algorithm it is trivial to produce a valid output from the AEAD_AES_128_OCB_TAGLEN64 algorithm -- just drop the last 8 bytes. Is this ok? Another consequence is that an attacker wanting to change the additional data (eg from saying "TOP SECRET" to "PUBLIC") while keeping the same plaintext only has to defeat the shortest tag a recipient accepts, regardless of the tag applied by the originator. Is this ok? It doesn't feel ok. Of course if a recipient accepts 64-bit tags an attacker can forge messages with a probability of 2^-64. However, that doesn't seem to be exactly the same as forging a message with the same plaintext as a message originally authenticated with a 128-bit tag. Would OCB be better if the algorithms with different tag lengths couldn't affect each other? Perhaps restricting the nonce to <126 bits (instead of <128 bits) and encoding the tag length in 2 bits. -- James Manger _______________________________________________ Cfrg mailing list Cfrg@irtf.org<mailto:Cfrg@irtf.org> http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] I-D Action: draft-irtf-cfrg-ocb-02.txt internet-drafts
- [Cfrg] Attacker changing tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing tag length in OCB Ted Krovetz
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB Richard Barnes
- Re: [Cfrg] Attacker changing tag length in OCB Igoe, Kevin M.
- Re: [Cfrg] Attacker changing tag length in OCB Rene Struik
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB David McGrew (mcgrew)
- Re: [Cfrg] Attacker changing tag length in OCB Richard Barnes
- Re: [Cfrg] Attacker changing tag length in OCB Rene Struik
- Re: [Cfrg] Attacker changing tag length in OCB Ted Krovetz
- Re: [Cfrg] Attacker changing tag length in OCB Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Attacker changing tag length in OCB Dan Brown
- Re: [Cfrg] Attacker changing tag length in OCB Manger, James H
- Re: [Cfrg] Attacker changing tag length in OCB Dan Brown