IETF Logo Mail Archive

Re: [Cfrg] What Algorithm information needs to be authenticated?

Mike Jones <Michael.Jones@microsoft.com> Fri, 05 April 2013 22:03 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06F1821F98E0 for <cfrg@ietfa.amsl.com>; Fri, 5 Apr 2013 15:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.524
X-Spam-Level:
X-Spam-Status: No, score=-2.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nnh5al-H4z4l for <cfrg@ietfa.amsl.com>; Fri, 5 Apr 2013 15:02:59 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0205.outbound.protection.outlook.com [207.46.163.205]) by ietfa.amsl.com (Postfix) with ESMTP id 0185821F98AD for <cfrg@irtf.org>; Fri, 5 Apr 2013 15:02:58 -0700 (PDT)
Received: from BY2FFO11FD015.protection.gbl (10.1.15.202) by BY2FFO11HUB029.protection.gbl (10.1.14.114) with Microsoft SMTP Server (TLS) id 15.0.664.0; Fri, 5 Apr 2013 22:00:32 +0000
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD015.mail.protection.outlook.com (10.1.14.131) with Microsoft SMTP Server (TLS) id 15.0.664.0 via Frontend Transport; Fri, 5 Apr 2013 22:00:32 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.224]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.02.0318.003; Fri, 5 Apr 2013 22:00:29 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Ben Laurie <ben@links.org>, Jim Schaad <ietf@augustcellars.com>
Thread-Topic: [Cfrg] What Algorithm information needs to be authenticated?
Thread-Index: Ac4w8b10meAP4tSuRQOj77FabgFZwwBVqt8AAAAQoGA=
Date: Fri, 05 Apr 2013 22:00:28 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943675BA791@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <00ac01ce30fd$3d373350$b7a599f0$@augustcellars.com> <CAG5KPzwUi3kXN1TZuNWtizEML_nLYfbRgDz2nbwi=vRHbdg7Gw@mail.gmail.com>
In-Reply-To: <CAG5KPzwUi3kXN1TZuNWtizEML_nLYfbRgDz2nbwi=vRHbdg7Gw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.73]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464002)(51704002)(377454001)(24454001)(80022001)(69226001)(51856001)(63696002)(79102001)(5343655001)(23726001)(59766001)(74662001)(20776003)(65816001)(47776003)(54356001)(55846006)(50986001)(53806001)(15202345001)(81342001)(50466001)(74502001)(33656001)(46102001)(77982001)(49866001)(56776001)(76482001)(81542001)(47736001)(5343635001)(46406002)(44976002)(66066001)(47446002)(31966008)(4396001)(56816002)(47976001)(16406001)(54316002)(563064005); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB029; H:TK5EX14HUBC102.redmond.corp.microsoft.com; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 08076ABC99
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] What Algorithm information needs to be authenticated?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 22:03:00 -0000

> Why even discuss these? What is wrong with the answer "all parameters should be protected"?

Indeed, "all parameters should be protected" is the security posture taken in the current JOSE specifications.  Some want to change that.

				-- Mike

-----Original Message-----
From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of Ben Laurie
Sent: Friday, April 05, 2013 2:56 PM
To: Jim Schaad
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] What Algorithm information needs to be authenticated?

On 4 April 2013 07:25, Jim Schaad <ietf@augustcellars.com> wrote:
> Request for Information
>
> The JOSE working group is having an internal argument about the need 
> to protect the various header information in an encrypted or signed message.
> The quick question is which algorithm information and algorithm 
> parameters need to be included in integrity portion of the signature 
> or encryption operation in order to protect those parameters.
>
> There are a couple of theoretical attacks that can be launched against 
> various algorithms that then require protection an example of such a 
> parameter is the IV for the AES-CBC/HMAC algorithm that has been proposed.
> In this case the IV is protected by the algorithm itself and therefore 
> does not need to be externally protected by the JOSE data structures.
>
> In RFC 6211, there is a new CMS attribute that was defined for 
> protection of the signature algorithm as I felt there was a potential 
> attack that could be exploited.
>
> Looking at the RSA v1.5 signature algorithm, one cannot change the 
> hash algorithm as the hash algorithm is encoded as part of the padding 
> for the signature
>
> Looking at the RSA PSS signature, there is the possibility that a hash 
> algorithm of the same length could be substituted unless external 
> restrictions are applied.  Thus one could potentially substitute a
> RIPEMD-160 hash on the content for a SHA-1 hash.   As long as the hashes
> match and there is no externally applied restriction that the hash 
> algorithm used to build the PSS internals is same as the content hash 
> then it would verify.  It is unclear if there is an attack that 
> involves multiple hash algorithms that is better than a birthday 
> attack on a single algorithm as I don't know if this has ever been studied.
>
> CMS also defined an attribute that can be included in the signature 
> computation for specifying a certificate that is to be used in the 
> validation of the signature on the CMS object.  I.e. where to get the 
> public key and the base restrictions for that are imposed on that 
> public key by the certificate issuer.
>
> Questions that we would like to see discussed:
>
> 1.  For signature operations, what parameters related to the signature 
> algorithm and what parameters related to a key need to be protected by 
> the signature operation to prevent real and theoretical attacks on JOSE signed
> structures.   We would like to get the real and theoretical attacks
> separated with a weight on the theoretical attacks for the potential 
> to become real.
>
> 2.  For MAC operations, what parameters related to the MAC algorithm 
> and what parameters related to the key need to be protected by the MAC 
> operation to prevent real and theoretical attacks on a JOSE MAC structure.
>
> 3.  For key management operations (how the content encryption key is 
> given to the recipient), what parameters related to the algorithms 
> need to be protected as part of the AEAD algorithm.
>
> 4.  For content encryption, what parameter related to the AEAD 
> algorithm need to be protected by the AEAD algorithm (and are not 
> already protected) need to be included.  Is there any benefit in 
> double protecting parameters such as the IV in case a new AEAD 
> algorithm does not directly protect that value.

Why even discuss these? What is wrong with the answer "all parameters should be protected"?

> Looking at the key to be protected, we don't care if the recipient 
> cannot find the correct key or misinterprets what the key identifier 
> is.  What we want to make sure is that an attacker would be unable to 
> change the recipients interpretation of what key is to be used and 
> still get a successful validation.
>
> Jim Schaad
> JOSE Co-Chair
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email