IETF Logo Mail Archive

Re: [Cfrg] AES-GCM-SIV security of the additional data

Daniel Bleichenbacher <bleichen@google.com> Fri, 24 June 2016 14:14 UTC

Return-Path: <bleichen@google.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFC9512D0F1 for <cfrg@ietfa.amsl.com>; Fri, 24 Jun 2016 07:14:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.426
X-Spam-Level:
X-Spam-Status: No, score=-3.426 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LfNTkb_kNmXR for <cfrg@ietfa.amsl.com>; Fri, 24 Jun 2016 07:14:45 -0700 (PDT)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7712912B039 for <cfrg@ietf.org>; Fri, 24 Jun 2016 07:14:45 -0700 (PDT)
Received: by mail-vk0-x229.google.com with SMTP id d185so152044883vkg.0 for <cfrg@ietf.org>; Fri, 24 Jun 2016 07:14:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=UDN+bUJsnHZJU4xdbCGbHKFVAZDpSkU4khdec0eXGa8=; b=aDHFWW7lg2B8Yn/zxXY+7wDa2Fgj2qcelfJCRAEzIuzWwqIShbEWqi1PFIht/ioT5k 09pWtDzzPdk+mNybaB2owGWJs3KDeSQ7kXa2J0NSxWBLPwJsIsosNuyaUrEfbyjShzro Qt1rxZCmKRt5R+UF0g6h4mdX7HmCAS+/hwvfZ3Gdnks65tdLl64r53EzKhpBpTTrWTS3 2MWSRS8bxv7WUl6CLJzr7er3BkQnJWAmKBJCI53F0dQZloZgxAALTaf0Q/4KhYGxLQI4 rOrhBhtpfUhYQX0cqo70XQum+Vo8ZGJMLesDr+++2zFVMwQk8s8uoT6BXh97O5iHWf9y c/VA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=UDN+bUJsnHZJU4xdbCGbHKFVAZDpSkU4khdec0eXGa8=; b=ASGEj9T0mKZyn8mQLfBzdxo/Yb0WuauriApm1A0HLvzKVvPwAUbB88lBb+yB49XNxe 9SKpxZvRHS/JljbXjiU3il4TOty7GR1c4UdjAEnAp+s1YBUkdY6XaRuTXgsViDdFhenB rEVHqTxfXx74s4erPB7eZKgJOvBPpRmEgomXPzkWHriALisCqloQwoaYHsZ3QCIvQmk1 Ich4iSWd0fveYHwJFLVqH2FpoJ/pda4FhXOy5PkaSAh+G9hyRWR093YQGoZA7K/1FuHd yuCjxPba6ao/a3zNEvomYF0AGU764tEdYAH1Yv46XCqPvZUQh2UKvC4ngDLkE9nU/ION RtLQ==
X-Gm-Message-State: ALyK8tJSi0EDHUmEozlLGglhh6UZftbC4MOhWTBiV7BMh7jvVseJTkeia2mecPwfIXKQKmnSh8+6EPjo5UkNBNXQ
X-Received: by 10.31.56.69 with SMTP id f66mr2589088vka.135.1466777684427; Fri, 24 Jun 2016 07:14:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.147.196 with HTTP; Fri, 24 Jun 2016 07:14:42 -0700 (PDT)
In-Reply-To: <D392F7AA.6EF93%kenny.paterson@rhul.ac.uk>
References: <CAPqF7e0QsCPn_OSKEry60Hm9F2BDU6DNG6Yc2NU=ocyCU2mwFg@mail.gmail.com> <D392EEF2.6EF40%kenny.paterson@rhul.ac.uk> <A9961C08-798F-4871-96D6-5B1A989A9FDE@adobe.com> <D392F7AA.6EF93%kenny.paterson@rhul.ac.uk>
From: Daniel Bleichenbacher <bleichen@google.com>
Date: Fri, 24 Jun 2016 16:14:42 +0200
Message-ID: <CAPqF7e14X+_P+BiZ=Rxd-jw8RBLHmLWnks2w-RXA7mMgW=_HKw@mail.gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Content-Type: multipart/alternative; boundary="001a1143f0ecd8af91053606ca7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/VOGXHY1h7VUGIKbjFOI5gu1Mp9I>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] AES-GCM-SIV security of the additional data
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jun 2016 14:14:49 -0000

On Fri, Jun 24, 2016 at 3:53 PM, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk>
wrote:

> Hi Antonio,
>
> On 24/06/2016 14:40, "Antonio Sanso" <asanso@adobe.com> wrote:
>
> >hi Kenny
> >
> >On Jun 24, 2016, at 3:24 PM, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk>
> >wrote:
> >
> >>
> >> In your scenario it looks like you are trying to use the shared secret S
> >> to provide authentication of the sender to the receiver, along with
> >> confidentiality for the message being delivered
> >
> >to me this seems a pretty common scenario.
> >If I am not completely wrong in my understanding is for example what JWE
> >does [0] and [1] for example
> >
> >regards
> >
> >antonio
> >
> >[0] https://tools.ietf.org/html/rfc7516#page-32
> >[1] https://tools.ietf.org/html/rfc7516#page-36
>
> Key transport via PKE using, for example RSA-OAEP, is a certainly an
> option in JWE. But what Daniel describes has an additional symmetric key
> ("S") for the purposes of authentication, I think, and does not strictly
> match anything I've seen in the JSON RFCs. But let's allow Daniel to
> answer on that one...
>
> Cheers
>
> Kenny
>

I'm not familiar with JWE so I can't comment on this protocol.
A typical scenario where S can't be used directly as key are low entropy
secrets
such as passwords.

One motivation for me  to look into this is the question whether AES-GCM-SIV
could be used as a drop-in replacement for AES-GCM without doing an
additional
security review of the resulting protocol.
So far, I'm not convinced that this can be done in all cases.


>
>
>
> >> . In this scenario, it's
> >> not clear to me why the sender and receiver would not just use S as an
> >> AES-GCM-SIV key to transport a session key K, and then use K in another
> >> instance of AES-GCM-SIV to transport the desired messages. Of course,
> >>this
> >> construction would not prevent replay attacks; for that you'd need
> >> additional mechanisms, like incorporating a counter into the AD of the
> >> key-transporting AEAD.
> >>
> >> But perhaps one should not underestimate the ingenuity of implementers
> >>in
> >> wanting to use public key encryption. Is this where you are coming from?
> >>
> >> On a related point, my view is that it is a disbenefit that the
> >> AES-GCM-SIV proposal has two separate keys (one for encryption, the
> >>other
> >> for authentication) as inputs. That's not the AEAD interface that we
> >>have
> >> raised our implementers on. I raised this point at the CFRG meeting in
> >> Vienna back in May. Simply concatenating the two keys in the current
> >> proposal into one would address this issue, but not the one you raise
> >>(if
> >> I understand it correctly).
> >>
> >> (The minutes of the meeting can be found here:
> >>
> >>
> https://www.ietf.org/proceedings/interim-2016-cfrg-01/minutes/minutes-int
> >>er
> >> im-2016-cfrg-1)
> >>
> >> Regards
> >>
> >> Kenny
> >>
> >>
> >> On 24/06/2016 12:35, "Cfrg on behalf of Daniel Bleichenbacher"
> >> <cfrg-bounces@irtf.org on behalf of bleichen@google.com> wrote:
> >>
> >>> I'm wondering what can or should be expected about the security of the
> >>> additional data.
> >>>
> >>>
> >>> In particular, I'm considering the following scenario:
> >>>
> >>>
> >>> Sender and receiver share a secret S.
> >>> The sender knows the public key of the receiver and the receiver of
> >>> course knows the private key.
> >>> They use a hybrid encryption as follows:
> >>>
> >>>
> >>> The sender chooses a new AES-GCM-SIV key, encrypts his message
> >>> and includes S as additional data. The AES-GCM-SIV key is wrapped with
> >>> the receivers public key and the wrapped key and ciphertext are sent to
> >>> the receiver.
> >>>
> >>>
> >>> Here an attacker can use that AES-GCM-SIV allows to select a key such
> >>> that the
> >>> element H used for POLYVAL is 0. In this case it would not be necessary
> >>> for the sender
> >>> to know S to construct a ciphertext that validates.
> >>> A similar attack using AES-GCM seems much harder since the value H for
> >>> the GHASH
> >>> is obtained by encrypting 0 and thus I'm not aware of a way to do the
> >>> same thing here.
> >>>
> >>>
> >>> The attack does of course not violate any of the guarantees claimed.
> >>> However, in the industry lots of ad hoc protocols are designed without
> >>> proper security reductions and hence it seems a bit scary to me to
> >>>allow
> >>> this kind of "weak" keys. And since abuse resistance is
> >>> one of the goals it might be a good idea to avoid such type of abuses.
> >>>
> >>>
> >>>
> >>
> >> _______________________________________________
> >> Cfrg mailing list
> >> Cfrg@irtf.org
> >> https://www.irtf.org/mailman/listinfo/cfrg
> >
>
>

v2.23.0 | Report a Bug | By Email