Re: [Cfrg] Attacker changing tag length in OCB

"Manger, James H" <James.H.Manger@team.telstra.com> Fri, 31 May 2013 05:48 UTC

From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>, "cfrg@ietf.org" <cfrg@ietf.org>, Dan Brown <dbrown@certicom.com>
Date: Fri, 31 May 2013 15:48:18 +1000
Thread-Topic: [Cfrg] Attacker changing tag length in OCB
Message-ID: <255B9BB34FB7D647A506DC292726F6E1151ADD45D0@WSMSG3153V.srv.dir.telstra.com>
References: <51A7AFA5.6010501@gmail.com> <747787E65E3FBD4E93F0EB2F14DB556B18458F26@xmb-rcd-x04.cisco.com>
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B18458F26@xmb-rcd-x04.cisco.com>
Subject: Re: [Cfrg] Attacker changing tag length in OCB
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>

David McGrew said
> Agreed.  The poor choice that is relevant here is the use of the same OCB secret key with two different tag lengths.   If someone uses a single key in both AEAD_AES_128_OCB_TAGLEN64 and AEAD_AES_128_OCB_TAGLEN128, then it is likely that they have also not satisfied the nonce uniqueness requirements, so the tag truncation and substitution attack seems like the least of their worries.   (Given two distinct nonce/associated data/plaintext tuples with identical nonces, it is easy for the attacker to craft forgeries.)


Only a sender has to ensure nonces are unique. Even if a sender is completely diligent with nonces and only uses a fixed tag length with any given key, the problem of variable-length tags remains. What matters is whether a *recipient* accepts shorter tags than the sender uses.

It is good crypto hygiene only to use a given key with a single algorithm. It wasn't obvious to me whether different tag lengths for the same algorithm counted as a "single algorithm". Nor whether this hygiene was "nice" or "crucial" in this situation.

I agree with Peter Gutmann that it is a case of "when" not "if" the first misuse occurs. In many systems it is not easy to specify one algorithm at the same point where you provide the key.

Mixing the tag length into the ciphertext might even be a nice selling point for adopting OCB over other AEAD algorithms ;-)

At an absolute minimum, could a warning be added to draft-irtf-cfrg-ocb stating that any given key MUST only be used with one tag length? Probably in the 2nd-last paragraph of section 3 "OCB Global Parameters", and also in section 5 "Security Considerations".


Dan Brown said:
> 2) I'm uncertain whether modifying the message and substituting a shorter tag, per Rogaway and Wagner, [is an attack] because the authenticity is determined by the tag length, at least in CCM. In other words, calling this an attack is conferring some level of authentication to the symmetric cipher.  That's a classic mistake. Any proposed fixes to this alleged problem had better not make this mistake.

It might not be an attack on an algorithm, but can we call it an attack on a system that implements a suite of algorithms?

--
James Manger
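The two situations the message above separates, as an added example that is not part of the thread, of draft-irtf-cfrg-ocb or of any OCB implementation: (1) a receiver that accepts a shorter tag than the sender used, and (2) mixing the tag length into the tag computation. To run on the standard library alone it uses a toy encrypt-then-MAC AEAD (SHA-256 keystream, HMAC-SHA256 tag cut to TAGLEN bytes) rather than OCB; the property it relies on, a short tag being a prefix of the long tag, is shared with OCB, whose published form (RFC 7253) also folds TAGLEN into the nonce, which is what `bind_taglen` stands in for. KEY, NONCE, AD and PT are constructed sample values, and all function names are this example's own. The short tag is 2 bytes so that the receiver-as-oracle brute force finishes in well under a minute.

```python
"""Receiver-side tag length is the security level (added example, toy AEAD)."""
import hashlib
import hmac

KEY = bytes(range(16))                 # constructed sample key (one key, two tag lengths)
NONCE = b"\x00" * 11 + b"\x01"         # constructed nonce; the sender never reuses it
AD = b"hdr"                            # constructed associated data
PT = b"transfer 0100 units"            # constructed plaintext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from SHA-256, standing in for the block cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key, nonce, ad, ct, taglen, bind_taglen):
    """Full MAC truncated to taglen bytes.  With bind_taglen the tag length is
    mixed into the MAC input, so cutting a 16-byte tag down no longer yields
    a valid 2-byte tag for the same key."""
    msg = nonce + len(ad).to_bytes(8, "big") + ad + ct
    if bind_taglen:
        msg = bytes([taglen]) + msg
    return hmac.new(key, msg, hashlib.sha256).digest()[:taglen]


def seal(key, nonce, ad, pt, taglen, bind_taglen=False):
    ct = _xor(pt, _keystream(key, nonce, len(pt)))
    return ct + _tag(key, nonce, ad, ct, taglen, bind_taglen)


def open_(key, nonce, ad, packet, taglen, bind_taglen=False):
    """Receiver configured for tags of `taglen` bytes.  Plaintext or None."""
    if len(packet) < taglen:
        return None
    ct, tag = packet[:-taglen], packet[-taglen:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ad, ct, taglen, bind_taglen)):
        return None
    return _xor(ct, _keystream(key, nonce, len(ct)))


def truncation_replay(bind_taglen: bool) -> bool:
    """Sender uses 16-byte tags.  The attacker cuts the tag to 2 bytes and
    delivers the packet to a receiver that accepts 2-byte tags under the same
    key.  True if the receiver accepts the unmodified-but-truncated packet."""
    pkt = seal(KEY, NONCE, AD, PT, 16, bind_taglen)
    truncated = pkt[:-16] + pkt[-16:][:2]
    return open_(KEY, NONCE, AD, truncated, 2, bind_taglen) == PT


def bruteforce_forgery(bind_taglen: bool, accepted_taglen: int = 2):
    """Attacker flips one ciphertext bit (stream cipher, so the same bit flips
    in the plaintext: '0100' becomes '1100') and guesses the short tag using the
    receiver as an oracle.  Cost is 2**(8*accepted_taglen) tries whether or not
    the tag length is bound: what the receiver accepts sets the security level.
    Returns (tries, forged_plaintext)."""
    pkt = seal(KEY, NONCE, AD, PT, 16, bind_taglen)
    ct = pkt[:-16]
    forged_ct = ct[:9] + bytes([ct[9] ^ 0x01]) + ct[10:]
    for guess in range(256 ** accepted_taglen):
        tag = guess.to_bytes(accepted_taglen, "big")
        pt = open_(KEY, NONCE, AD, forged_ct + tag, accepted_taglen, bind_taglen)
        if pt is not None:
            return guess + 1, pt
    return None, None


def fixed_taglen_receiver(packet: bytes):
    """The rule the message asks the draft to state: this key is used with one
    tag length only, so the receiver never evaluates a shorter tag."""
    return open_(KEY, NONCE, AD, packet, 16)


if __name__ == "__main__":
    print("truncated tag accepted, plain prefix tags:", truncation_replay(False))
    print("truncated tag accepted, tag length bound: ", truncation_replay(True))
    for bind in (False, True):
        tries, forged = bruteforce_forgery(bind)
        print(f"bind_taglen={bind}: forged {forged!r} after {tries} tries")
    pkt = seal(KEY, NONCE, AD, PT, 16)
    print("fixed receiver, truncated packet:", fixed_taglen_receiver(pkt[:-16] + pkt[-16:][:2]))
```

Binding the tag length into the MAC stops the free case, a legitimate long-tag packet re-delivered with its tag cut down, but it does nothing for the forgery cost: as soon as a receiver accepts 2-byte tags under KEY, a modified message is forged in at most 65536 oracle queries, bound or not. Only the receiver refusing any other tag length for that key (`fixed_taglen_receiver`) removes the short-tag path, which is the sender-diligence-is-not-enough point the message makes.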