Re: [Cfrg] Attacker changing the tag length in OCB

Dan Brown <dbrown@certicom.com> Tue, 04 June 2013 18:27 UTC

From: Dan Brown <dbrown@certicom.com>
To: "'rogaway@cs.ucdavis.edu'" <rogaway@cs.ucdavis.edu>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Date: Tue, 04 Jun 2013 17:49:06 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF518BD79@XMB111CNC.rim.net>
References: <alpine.WNT.2.00.1306031235280.6196@RogawaySamsung9>
In-Reply-To: <alpine.WNT.2.00.1306031235280.6196@RogawaySamsung9>

> -----Original Message-----
> Phillip Rogaway
> Sent: Monday, June 03, 2013 3:42 PM
> To: cfrg@irtf.org
> (-3) I worry that trying to engineer things so that one can safely
> use varying tag lengths with a single key might send a message that
> this is an OK thing to do, contradicting the spec.  Someone might

[DB] Perhaps mistakenly (*), I interpreted some of the emails on this thread
as saying that the spec allows one to vary tag lengths with a single key.  

If the intent of the OCB spec is not to allow variable tag lengths, then I
think the spec needs greater emphasis, especially in view of some IETF
common practices and viewpoints (**).  So, the spec should somewhere say
that "a single key MUST not be used with multiple parameter sets" and "a
decryptor MUST reject a ciphertext if it uses different parameters than for
the key indicated".  

(*) I may have taken the emails out of context (i.e. without studying the
spec first): maybe the emails meant that somebody might contradict the spec.

(**) For example, TLS allows one public key per multiple different cipher
suites (not sure if it allows pre-shared key with different cipher suites).
For another example, PKIX did not accept proposals that allowed, as
optional, detailed algorithm restrictions in certificates.

> even think it appropriate to accept a ciphertext with _any_ provided
> tag length, as long as the ciphertext is deemed valid.  For most
> contexts, that would be disastrous.
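The two rules proposed in the reply above (one parameter set per key, and a decryptor that rejects a ciphertext whose parameters differ from the key's), as an added Python example that is not code from this thread or from the OCB specification. It uses a constructed HMAC-SHA256 toy AEAD in place of OCB so it runs on the standard library alone; the allowed tag lengths, key bytes and nonce are assumed values.

```python
import hashlib
import hmac

# Constructed toy AEAD (HMAC-SHA256 keystream plus a truncatable HMAC tag).
# It stands in for OCB only so the parameter-binding check can be shown;
# it is not OCB and is not meant for real use.
ALLOWED_TAGLENS = (8, 12, 16, 24, 32)   # assumed parameter set for this toy

class BoundKey:
    """Key handle: the tag length is fixed when the key is provisioned."""
    def __init__(self, key: bytes, taglen: int):
        if taglen not in ALLOWED_TAGLENS:
            raise ValueError("tag length not in the key's parameter set")
        self.key, self.taglen = key, taglen

def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # One PRF call per byte: slow but obviously correct for a demonstration.
    return bytes(b ^ _prf(key, b"ks", nonce, i.to_bytes(4, "big"))[0]
                 for i, b in enumerate(data))

def _full_tag(key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    # Like OCB, the tag is a full-width value that gets truncated afterwards.
    return _prf(key, b"tag", nonce, len(ad).to_bytes(4, "big"), ad, ct)

def encrypt(bk: BoundKey, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    ct = _xor_stream(bk.key, nonce, pt)
    return ct + _full_tag(bk.key, nonce, ad, ct)[:bk.taglen]

def decrypt_bound(bk: BoundKey, nonce: bytes, ad: bytes, data: bytes):
    """Hardened form: the expected tag length is the key's, never the message's."""
    if len(data) < bk.taglen:
        return None
    ct, tag = data[:-bk.taglen], data[-bk.taglen:]
    if not hmac.compare_digest(tag, _full_tag(bk.key, nonce, ad, ct)[:bk.taglen]):
        return None
    return _xor_stream(bk.key, nonce, ct)

def decrypt_any_taglen(key: bytes, nonce: bytes, ad: bytes, data: bytes, claimed: int):
    """The behaviour the thread warns against: trusting a tag length supplied with
    the ciphertext, so any prefix of the real tag passes verification."""
    ct, tag = data[:-claimed], data[-claimed:]
    if not hmac.compare_digest(tag, _full_tag(key, nonce, ad, ct)[:claimed]):
        return None
    return _xor_stream(key, nonce, ct)
```

The key-bound decryptor turns a shortened tag into a plain verification failure, while the permissive one accepts it; the same raw key provisioned under a second tag length also accepts it, which is why the reply wants one parameter set per key.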