Re: [Cfrg] Multi-recipient public key authenticated encryption

Mike Jones <Michael.Jones@microsoft.com> Thu, 07 May 2020 15:10 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B43C63A078F for <cfrg@ietfa.amsl.com>; Thu, 7 May 2020 08:10:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F0PLIyuJB43Z for <cfrg@ietfa.amsl.com>; Thu, 7 May 2020 08:10:40 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650138.outbound.protection.outlook.com [40.107.65.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13F953A0783 for <cfrg@irtf.org>; Thu, 7 May 2020 08:10:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oB9Zg6f7pec5BzbCvXopqq+PmDFdxsxW/ZnsYLPNpz+ZzZqYUxirYFigEbE6nqppihLDKNfwUCM/9lGQndwHWMi2FkabKo4su5DYzQyADvGxekc4wT8jvQw8V//2Q34KjaBzLWWyRuzZ3sKv3on3jFFZp/m4vBKbBQ0DmHxnWAc8yqS0lz8hmHbRIlELCO3KiJbKYyB5RAkWEABgus9x3S8gq2y1DJd/F8hyiffNbU0P8Qm5E3tsKdwX4VouUAATgTCHHE00Ct/nlPiX0UZxTHo3Y7BzgCvwRtnYSm34iXbGUBPTXk01Gg9QM0EDTiE79wI7kQShxC0swGxOf7PlIw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+48k+7dezycZzFcTU+55DxoFXuzR7FF00PF/hODboCU=; b=RiSXxIKDOf0DO+92PvARE4rlUpQ+wG3jmi/Hrk8Nb+ab9fBOuL7XmUbyHFCcyynUCy3oZx2g8O6pnPw2tXeuMW7Zcr8igdjUZWXldeOyzz61VEAu2zZivVyCzwOo1uqEqwif/NfP+GtNKSVhtSgZwCSMKddoQBqEompLqirpKWJwrQc6aWAMyD2WFErO0Otdgp8t8m2+YJBtaAgaVHGUCZZD7hnQP40Pq9kHgo7GJ2WGQbPQSRh39lvg6FeNO4hlkJVXZlaHkczRQxAApKadOwFxvJe9p62IhVQYR2TrAJ2hf0gE/99n7LtwWnASq+oVHZBo1TVoNSN9THN83N1UNQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+48k+7dezycZzFcTU+55DxoFXuzR7FF00PF/hODboCU=; b=iCxzCd+FsnHZNFpktpcBx7sqILpDJ//LbBEW0dRzSE+tmFd8xSNns7Gl7k4fqfq1gcm3x2kDcuDuRy5EFGQUVst+l8KT3hwlYilwZ8pnP4DSMSjnJ15UXeAqcrsZsT5iN68Mdgm5nZtT8yBT51+ylLNHaAFF9OtKUFJ/lgys10U=
Received: from BY5PR00MB0676.namprd00.prod.outlook.com (2603:10b6:a03:20c::15) by BYAPR00MB0456.namprd00.prod.outlook.com (2603:10b6:a03:d5::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3020.0; Thu, 7 May 2020 15:10:37 +0000
Received: from BY5PR00MB0676.namprd00.prod.outlook.com ([fe80::7d21:c7e9:3141:cf8d]) by BY5PR00MB0676.namprd00.prod.outlook.com ([fe80::7d21:c7e9:3141:cf8d%9]) with mapi id 15.20.3020.000; Thu, 7 May 2020 15:10:37 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Neil Madden <neil.e.madden@gmail.com>, "pag225@cornell.edu" <pag225@cornell.edu>
CC: CFRG <cfrg@irtf.org>
Thread-Topic: [Cfrg] Multi-recipient public key authenticated encryption
Thread-Index: AdYkgahvDMIWBu16SJ6z6XPc4RUTrw==
Date: Thu, 7 May 2020 15:10:37 +0000
Message-ID: <BY5PR00MB067649378A2A81223287AFACF5A50@BY5PR00MB0676.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=9383f44a-435b-43b3-b7bc-0000f8b5bfa9; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-05-07T15:08:47Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.87.252]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: ab8f1a9f-5ce8-4a1c-a556-08d7f298cc51
x-ms-traffictypediagnostic: BYAPR00MB0456:
x-microsoft-antispam-prvs: <BYAPR00MB0456C280E29A29260CDE5776F5A50@BYAPR00MB0456.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03965EFC76
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: v2GS1QSwp7rEZSiGbA33WvFMuD2u/s6rAtxnt7gGNxoRkEqvYKCGRvi+qExmKbzLbrHDNf6k0xqueNR2DsYNVlevUsMLSUxqqy4g6bBHL++k62qH0N+KKw2BVIrP50wHhP1N7GcRKMrsUvQkIHGeWT+YWFgPrmst9175/5XGQw3XfWHg+lwegus9/XZMZZ/FKDU/8ThEV0jX8TwUVDR2v2TKhhz7ISrXwCOMOLAXZWNPi6osWoo5KZuAWbuuMEXratinDXBooxCpuU8NDq3t7QZZ8jxLhS23NPloGIPwBawwS2A/hIUTu7sgfUOfy6g8WbDEajoYgyHcHYbqqAuP2b0prK/Ouoq1fPB8np6HONssk3ANFq1WgwKLZrGMbpVLGSPdUkPegMby9BybCu96syg2eUSHpZSIe1HLb1/YjIcQs4V5pFCN6qzzIt0UqT9TkXgzS6tl+ddjUW4xXt6Vbgf/w3kku8XTckOROwF2yOk=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR00MB0676.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(376002)(136003)(396003)(346002)(366004)(33430700001)(52536014)(8936002)(71200400001)(966005)(5660300002)(8990500004)(10290500003)(8676002)(9686003)(86362001)(55016002)(478600001)(110136005)(83280400001)(83320400001)(83310400001)(83300400001)(316002)(83290400001)(33440700001)(4326008)(166002)(33656002)(82950400001)(82960400001)(2906002)(7696005)(66556008)(53546011)(26005)(6506007)(186003)(66476007)(76116006)(64756008)(66946007)(66446008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: 1DQUUWt8jTWNrcnl7zrVZ3schS3+pfbDf6L+CyPlP/m0DPzToHFmOfCKPTq8dQZ7joIR2tGHgIO9CKOAWmMlk4iHDcBccLF7n1ExV0wabG0Uy8HlkzElQVD5jl0lYvvEtA5CXanu0JPxuVyAv0RTEpxUOqFAuvNNOYvSwZ15eVhi2UPcfQEjc3aKd77AiBltFlVtvovdaMySJtx5sXN7VwGqzcnTjjQH81nqBAvkGCO2oTN05z6hOfI2P8YaFMPHM71QBIT6029OCI4Rq/XqXDLvZSxSrzjZm79SBbHT58s1G8xl6fVIVEknrwHMQS9EoMJFvBADa4DxBXl62PDae/jHD9vz8u91jN34NfyL2sdqkteW047i176pbyfk5eNkml1gLESrC4gOKPla6gwVJudp9kOfG4VpZFBasYDcODQsMgKMjjiQmOPmwpY0v+yBcbkNOIcNehld3+JRjAAhSY3MELuUPDOYUZZn1651P8Cq1QmDHXqPluj/43FHXKdWRx+h+OhA0b1jCyVtUlAZIoVRxrCbqyIqG7v4XLvU7AWxcmhtwNQZNF1fgLwii9uF8ZW6wCUyebpmYtk6uRx8WP/ceuEsypty/TBEirupKWKVpjgmAot4tGlUm1wh6xrOkxt/OETc+Ld8enViBH+2G99awjtxAM8C4D18C0vJbZ5yz7KadCTOOfWlnLRW5BMD5yg/OsAg/Z1bzradXRSGjCnvRqjtNQzw6N75+xxCRcFGRbEaZZRdg58Pn3XRbpZG33wDV27sTGzjeDxzBXL/YJw7wK0ulEB+pL1ZHg03keU=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BY5PR00MB067649378A2A81223287AFACF5A50BY5PR00MB0676namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR00MB0676.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ab8f1a9f-5ce8-4a1c-a556-08d7f298cc51
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 May 2020 15:10:37.1375 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: RzSo/bmWrIOKfRKvx6FWwn/zEGdMpBUiV7qiC8UtrluxVhmLXSMI0d+VBewkuf6EPPGbtgN+i0qf3o0WsqFFFQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR00MB0456
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nHE43GvkS6qZzFdxZASpTcVL99M>
X-Mailman-Approved-At: Wed, 13 May 2020 08:13:05 -0700
Subject: Re: [Cfrg] Multi-recipient public key authenticated encryption
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2020 15:10:45 -0000

I’m confused by the statement “JOSE only supports GCM”.  There’s an IANA registry for JOSE algorithms at https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms and any additional desired algorithms can be added there.

                                                       -- Mike

From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Neil Madden
Sent: Thursday, May 7, 2020 7:27 AM
To: pag225@cornell.edu
Cc: CFRG <cfrg@irtf.org>
Subject: : [Cfrg] Multi-recipient public key authenticated encryption

That is interesting, thanks. JOSE does also support AES-CBC + HMAC (EtM), so it may perhaps then be simpler to forbid the use of GCM for multi-recipient messages in this spec and save myself a lot of trouble. It seems from your papers that CBC+HMAC is one of the schemes you looked at and it would be compactly committing, so this is fortunate.


On 7 May 2020, at 14:39, pag225@cornell.edu<mailto:pag225@cornell.edu> wrote:

Oh ok, it’s too bad JOSE only supports GCM. You should be careful with using plain GCM in these multi-receiver settings - because it’s non-committing, it’s possible to craft a single ciphertext that different receivers decrypt to different plaintexts.


On May 7, 2020, at 7:28 AM, Neil Madden <neil.e.madden@gmail.com<mailto:neil.e.madden@gmail.com>> wrote:
Apologies, I forgot to respond to this. I think the ccAE approach is a nice way of solving the problem. Unfortunately, JOSE allows specifying the key exchange algorithm and AEAD cipher entirely independently so I have to have a solution that works with the AES-GCM based AEADs that are already part of the standard. But I will read these papers closely, because I do think the security notions are very similar to what I’m trying to achieve.

— Neil


On 28 Apr 2020, at 16:14, Paul Grubbs <pag225@cornell.edu<mailto:pag225@cornell.edu>> wrote:

I think you can get away without the additional hash of the ciphertext entirely if you use a compactly committing AEAD (ccAE) scheme [1]. A ccAE has a two-part ciphertext C = (C1, C2) with the property that C2 is a binding commitment to the plaintext and key. At least intuitively, then, using C2 in the KDF prevents a receiver from modifying the message. (This is morally similar to including the MAC tag in the KDF, as suggested, but sidesteps questions about MAC security and may be faster if optimal-rate schemes like HFC [2] are used.) I haven't analyzed this construction formally, though, so take this advice with a bit of salt.


[1] https://eprint.iacr.org/2017/664
[2] https://eprint.iacr.org/2019/016.pdf

On Tue, Apr 28, 2020 at 8:30 AM Neil Madden <neil.e.madden@gmail.com<mailto:neil.e.madden@gmail.com>> wrote:
Thanks, section 5 of the eprint is very useful. In that you discuss the solution of including the MAC tag in the KDF and you say that this requires collision resistance of the MAC, where I had previously assumed only 2nd preimage resistance would be enough. As I understand it, the potential attack is that if Charlie has access to an Alice-oracle by which he can get Alice to authenticate arbitrary messages to himself and Bob then he can use this to perform a collision search to find two messages with the same MAC tag (if the MAC is not collision resistant).

I think this active attack would also apply to my proposed solution using a hash of the authenticated ciphertext as input to the KDF. So my assertion that 2nd preimage is enough is only valid for passive attacks, and full collision resistance would be needed in general. That also means that if I do pick SHA-256 to be consistent with existing use in JOSE then the security against such attacks would be limited to ~128 bit level. Perhaps that’s an incentive for me to also change the KDF in the scheme from JOSE’s existing Concat-KDF to HKDF with SHA-512.

I think the same attack would also apply to saltpack [1], if I understand correctly? In saltpack a per-recipient MAC is calculated over a SHA-512 of the ciphertext.

[1] https://saltpack.org/encryption-format-v2 (scroll down to Payload Packets)

Best,

Neil


On 27 Apr 2020, at 16:19, Dan Brown <danibrown@blackberry.com<mailto:danibrown@blackberry.com>> wrote:

Hi Neil,
I too have encountered this interesting and well-known (perhaps not widely-known) problem.
See https://eprint.iacr.org/2005/056.pdf. (Section 5).
See https://tools.ietf.org/html/rfc3278#section-4.1.2 the very short “note”.

I forget the details of the various claimed past solutions, but will try to remember, maybe in a couple weeks.  Meanwhile, since the problem is fresh in your mind, and you might try to make sense the couple of old suggestions above, though I expect your knowledge has already advance past this old stuff.

Best regards,

Dan

From: Cfrg <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> On Behalf Of Neil Madden
Sent: Monday, April 27, 2020 10:12 AM
To: CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: [Cfrg] Multi-recipient public key authenticated encryption

Hi all,

I am working on an enhancement to the JOSE standards and would like feedback from members of CFRG about solutions to a particular issue if any of you have time.

In JOSE currently if you wish to create a message that has both confidentiality and sender authentication using public key cryptography then the only option is to both sign and then encrypt the message. This is expensive because it involves multiple passes over the message and results in a very bulky nested message structure with two layers of base64-encoding.

Given that many uses of this sign-then-encrypt pattern do not require the strong security properties of signatures, I have proposed [1] a public key authenticated encryption mode based on NIST’s one-pass unified model from SP 800-56A. This avoids the nested structure and means that you don’t need multiple cryptographic primitives. The proposed algorithm uses two ECDH key agreements: one between the sender’s ephemeral private key and the recipient’s long-term public key; and a second between the two parties’ long term keys. The two shared secrets are concatenated and passed through a KDF along with some context arguments. For a single recipient this achieves sender authentication (subject to replay), and the single recipient case is what I am primarily concerned about.

(If you squint this is also roughly similar to the Noise framework “K” one-way pattern, but my hands are waving quite a lot here).

To support multiple recipients I copied the existing pattern used in JOSE’s ECDH-ES+A256KW algorithm family in which the message is encrypted using a random Content Encryption Key (CEK) and then the CEK is encrypted for each recipient using AES-KeyWrap with the ECDH-derived key. As I then mention in the security considerations this leads to any recipient being able to produce a forgery using that CEK and claim it came from the original sender:


   When Key Agreement with Key Wrapping is used, with the same Content

   Encryption Key (CEK) reused for multiple recipients, any of those

   recipients can produce a new message that appears to come from the

   original sender.  The new message will be indistinguishable from a

   genuine message from the original sender to any of the other

   participants.  To avoid this attack, the content SHOULD be encrypted

   separately to each recipient with a unique CEK or a nested signature

   over the content SHOULD be used.

Because I am primarily interested in single-recipient use cases, this seemed like an acceptable trade-off. However, I have since been contacted by people who would like to use this draft for multi-recipient messages and would not like to fall back on a nested signature structure.

An initial proposal was to solve this by simply including the MAC tag from the content encryption in either the per-recipient payload (encrypted using AES-KeyWrap) or as an additional context field to the KDF. But the MAC is computed using the CEK that is known to all recipients, so for this to be secure would require second preimage resistance of the MAC with a known key, which cannot be guaranteed for JOSE because it supports content encryption using AES-GCM for which second preimages can be trivially computed if you know the key.

Assuming that a per-recipient MAC is too much overhead, an alternative would be to include a collision-resistant hash of entire ciphertext (and IV and associated data) in the KDF. This is unfortunate as it requires another pass over the entire message when we’ve already encrypted and MACed, but it appears to be a solution and at least is no more inefficient than the original signed-then-encrypted approach which also needs to hash the entire message.

So two questions:

1. Is including a hash (e.g., SHA-512) of the ciphertext (assuming symmetric AE) in the per-recipient KDF calculation sufficient to prevent forgeries in the multi-recipient setting?

2. Are there more efficient alternatives that don’t assume 2nd preimage resistance of the underlying symmetric MAC?

[1]: https://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-03<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dmadden-2Djose-2Decdh-2D1pu-2D03&d=DwMFaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=mf6j6fOClApRsArWE9wqI1rEGUVkfxZ0aXWmn35nK_c&m=pABr2aBl1c_ofW8vypgq6rz4tGVZWkxu0IU_RSNb_L4&s=E_agQvNgeBlLsyPF6xyJ1TFQLBAJsGTY1FJf7EK3iqs&e=>

Kind regards,

Neil Madden
________________________________
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg