Re: [Cfrg] draft-mcgrew-aead-aes-cbc-hmac-sha2-00: unsafe to optionally hash A's length
David Wagner <daw@cs.berkeley.edu> Wed, 13 June 2012 17:46 UTC
Return-Path: <daw@cs.berkeley.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8CC121F8567 for <cfrg@ietfa.amsl.com>; Wed, 13 Jun 2012 10:46:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_31=0.6, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AtF3bX3YRCYj for <cfrg@ietfa.amsl.com>; Wed, 13 Jun 2012 10:46:22 -0700 (PDT)
Received: from taverner.cs.berkeley.edu (taverner.CS.Berkeley.EDU [128.32.153.193]) by ietfa.amsl.com (Postfix) with ESMTP id 5A75E21F855F for <cfrg@irtf.org>; Wed, 13 Jun 2012 10:46:22 -0700 (PDT)
Received: from taverner.cs.berkeley.edu (localhost.localdomain [127.0.0.1]) by taverner.cs.berkeley.edu (8.14.2/8.14.2) with ESMTP id q5DHkLLg021821 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 13 Jun 2012 10:46:21 -0700
Received: (from daw@localhost) by taverner.cs.berkeley.edu (8.14.2/8.14.2/Submit) id q5DHkL8C021819; Wed, 13 Jun 2012 10:46:21 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <201206131746.q5DHkL8C021819@taverner.cs.berkeley.edu>
To: cfrg@irtf.org
Date: Wed, 13 Jun 2012 10:46:21 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [Cfrg] draft-mcgrew-aead-aes-cbc-hmac-sha2-00: unsafe to optionally hash A's length
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2012 17:46:22 -0000
Manger, James H wrote:
>I am not certain that the way the length of the additional data (A) is
>optionally hashed is safe.
>
>1. Legitimate user sends A and C = S || T, where T = HMAC(A || S || len(A)).
>
>2. Attacker intercepts & rearranges the message, sending an empty A' and
>C' = A || S || len(A) || T.
>
>3. Recipient verifies T' = HMAC(S'), since len(A) = 0 = MIN_LEN_A so AL
>is empty.
> T' = HMAC(S') = HMAC(A || S || len(A)) = T
>The verification passes! Yikes! The recipient now gets garbage from the
>decryption.
Doesn't the length field take care of this concern?
The recipient will try to verify whether T' = HMAC(A' || S' || len(A')),
I presume. [not T' = HMAC(S'), as you wrote]
Note that
HMAC(A' || S' || len(A'))
= HMAC(A' || S' || 0)
= HMAC(S' || 0)
= HMAC(A || S || len(A) || 0)
which is not the same as HMAC(A || S || len(A)), i.e., it is not the
same as T'. So the recipient's MAC check fail, and the recipient will
reject the message.
In short, the format looks fine to me. Have I misunderstood something
somewhere?
- Re: [Cfrg] draft-mcgrew-aead-aes-cbc-hmac-sha2-00… David Wagner
- Re: [Cfrg] draft-mcgrew-aead-aes-cbc-hmac-sha2-00… David Wagner