Re: [Cfrg] [Ntp] Last minute annoying discovery about NTS
Aanchal Malhotra <aanchal4@bu.edu> Wed, 20 March 2019 20:31 UTC
Return-Path: <aanchal4@bu.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD9691310F9 for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2019 13:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6II8qLG59sxk for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2019 13:31:25 -0700 (PDT)
Received: from relay55.bu.edu (relay55.bu.edu [128.197.228.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B2BA131124 for <cfrg@irtf.org>; Wed, 20 Mar 2019 13:31:24 -0700 (PDT)
X-Envelope-From: aanchal4@bu.edu
Received: from mail-lj1-f198.google.com (mail-lj1-f198.google.com [209.85.208.198]) by relay55.bu.edu (8.14.3/8.14.3) with ESMTP id x2KKV3jT008371 for <cfrg@irtf.org>; Wed, 20 Mar 2019 16:31:04 -0400
Received: by mail-lj1-f198.google.com with SMTP id 6so818398lje.9 for <cfrg@irtf.org>; Wed, 20 Mar 2019 13:31:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RVehmGWi2MJLC2FgUrCO57FpsbUkcI2TB/XcialzQAk=; b=H3/XMzQmUF8pAsvB8BuaL0Q0V5x5Ix0TIvAyP/OdCZb+o2ZPqOHnnyRzrsOORK7NQD vj375qXBifQv/Nep8LdBZZWLA9D5Pc7kutW+t5GWQ2ZsosdqcJTzAM+CTZY3q6G/w8fx 87bYL+mc3Tlbdt77ggtjV07Kil3FSB60i7I/I7hRLdrpfZOi7MTI2ehJCsU0TVn7bRuf v7r4rymwkup7/UZ0zbCum106lriwOJHz0Xs5t01HEBVc2pnInSpBLwp1ceRcUysmCokS zZ2f9AiBYDoAdrxFfTKML2RNWaKbdYQcb4Avh8K2qu17KYJc/bzu86SkoI7jkfAdKEOK fpyA==
X-Gm-Message-State: APjAAAW1NgSrFcvuYro0x6wQzYKoNfAXY0OJn9y2HR/GMUXPhoj+jqF0 asv1qVgKo9W/dzC96HRG4z7mdZf6mYrnFtJj+MZtBXxzsaizl9Dqe4aM15an/idUIAq/aM1D+0m kaFJtsjmsCL/DzTNKEuWsBg==
X-Received: by 2002:ac2:4304:: with SMTP id l4mr16596644lfh.168.1553113863262; Wed, 20 Mar 2019 13:31:03 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwTFQHjn5lCwftvJVM7qpipIWLAo/WWcJ3jIl5i5tSNiI8qJDMocBo4JkNYLRfqF7pVyHldTdd1qlJ4XvP85e0=
X-Received: by 2002:ac2:4304:: with SMTP id l4mr16596631lfh.168.1553113862977; Wed, 20 Mar 2019 13:31:02 -0700 (PDT)
MIME-Version: 1.0
References: <CAN2QdAH3f58FsfPoLquUh-ZgQe-X4EoCgiJAF7zf5X1M_r+zEA@mail.gmail.com> <CAJm83bDnyHx+wA21xsodL+tZkXSjDceFtyqPVNAnVOLJZVgmJA@mail.gmail.com> <CAN2QdAG8szTQyCw41XkioW7de3WxF59UaWmLazk3ak4wX8ps4Q@mail.gmail.com>
In-Reply-To: <CAN2QdAG8szTQyCw41XkioW7de3WxF59UaWmLazk3ak4wX8ps4Q@mail.gmail.com>
From: Aanchal Malhotra <aanchal4@bu.edu>
Date: Wed, 20 Mar 2019 13:30:52 -0700
Message-ID: <CAMbs7ktP_pmC5x256U38L0f_MXTWh9=Xy0KZ79AH=PtROxA5pQ@mail.gmail.com>
To: Watson Ladd <watson=40cloudflare.com@dmarc.ietf.org>
Cc: Daniel Franke <dfoxfranke@gmail.com>, ntp@ietf.org, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000194ea305848c8036"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/P-JWy4eWQlApwP1jZjw8MaJDRWs>
Subject: Re: [Cfrg] [Ntp] Last minute annoying discovery about NTS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2019 20:31:28 -0000
This reference for KDM security might be useful. https://eprint.iacr.org/2010/513.pdf On Wed, Mar 20, 2019 at 1:29 PM Watson Ladd <watson= 40cloudflare.com@dmarc.ietf.org> wrote: > On Wed, Mar 20, 2019 at 1:18 PM Daniel Franke <dfoxfranke@gmail.com> > wrote: > > > > Are you certain the standard security definitions don't suffice? If > > the S2C key were directly being encrypted under itself, then a > > circular-secure cipher would be needed. Ditto if you were to encrypt > > the S2C key under the master key and also encrypted the master key > > under the S2C key. We're producing the cookie by encrypting the S2C > > key under the master key, and then for transmission we're encrypting > > the resulting ciphertext under the S2C key. But at no point does the > > master key ever get encrypted under the S2C key; the master key never > > leaves the server even as ciphertext. So I don't think we actually > > have a loop here. > > Any sort of encryption of a function of the key is a call the experts > situation. So the question for the experts: if E_K(M) is an AEAD > scheme, and K1, K2 keys > is E_{K1}(E_{K2}(K1)) a sane thing to do, or is it a problem from a > proof perspective? What if I am allowed to change the inner or outer > schemes to any AEAD scheme? > > > > > On Wed, Mar 20, 2019 at 3:34 PM Watson Ladd > > <watson=40cloudflare.com@dmarc.ietf.org> wrote: > > > > > > Dear all, > > > > > > I really apologize for sending this message so late in the process, > > > but there is a problem with NTS in draft-17. > > > > > > The cookie encrypts S2C and C2S under a key known to the server, but > > > then the response encrypts the cookie under S2C. This creates a > > > situation where we are encrypting plaintext that depends on the key, > > > which complicates the security analysis. (And by complicates I mean > > > there are contrived ciphers meeting the ordinary security notion that > > > would be completely insecure in such a protocol: one has to not use > > > generic analysis: it's a pain to deal with. see > > > https://eprint.iacr.org/2010/144.pdf) > > > > > > One solution would be for the cookie to contain the new keys which the > > > server picks at random (and of course the client strips them out > > > before sending the rest of the cookie to the server). Again, I > > > apologize for only just noticing this detail. > > > > > > Sincerely, > > > Watson Ladd > > > > > > _______________________________________________ > > > ntp mailing list > > > ntp@ietf.org > > > https://www.ietf.org/mailman/listinfo/ntp > > _______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp >
- Re: [Cfrg] [Ntp] Last minute annoying discovery a… Watson Ladd
- Re: [Cfrg] [Ntp] Last minute annoying discovery a… Aanchal Malhotra
- Re: [Cfrg] [Ntp] Last minute annoying discovery a… Watson Ladd
- Re: [Cfrg] [Ntp] Last minute annoying discovery a… Daniel Franke
- Re: [Cfrg] [Ntp] Last minute annoying discovery a… Dan Brown