Re: [Cfrg] possibly dumb question about the opus codec and padding
David McGrew <mcgrew@cisco.com> Fri, 08 June 2012 14:41 UTC

Hi Jon,

On Jun 6, 2012, at 9:25 PM, Jon Callas wrote:

> I might need to clarify my remarks a bit.
>
> I don't think a few bits of known plaintext is a serious issue. I mean heck, pick just about any XML document and it's got an entire *block* of known plaintext in it via its XML/DTD header.
>
> On the other hand, there are a number of problems including the Mister/Zuccherato attack on OpenPGP and the Paterson et al. attack on SSH that boiled down to known plaintext. Add to that the PKCS1 attacks, and any number of padding oracles, it can't just be waved away.

This is a good point: known plaintext can make chosen-ciphertext attacks easier, even if the underlying block cipher resists exabytes of known plaintext. I think the main lesson from this is: use authenticated encryption. But I think it is reasonable to say that avoiding known plaintext is a good idea if it is not possible to ensure that encryption uses AE.

David

>
> Back to the first hand, zeroing out a field isn't a serious issue, and I don't mean to imply that it is.
>
> But moving on to the third hand, worrying about a few bytes of covert channel is equally as daft.
>
> My larger point was that saying you MUST zero a field to stop a covert channel is no more (nor less) sensical than saying you MUST NOT zero it to stop known plaintext. It's sort of, "I'll see your paranoia and raise you one." Especially when that MUST for zeroing is followed up with a MUST accept non-zero.
>
> That's why I opined that changing the MUST to a SHOULD is a good idea. I truly believe that one SHOULD zero all unused bits because of cleanliness. It's just a good idea.
>
> If you don't like changing that MUST to a SHOULD on zeroing, then at least change the MUST accept to MUST reject. If you're going to legislate, have a backbone about your legislation.
>
> Jon
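
The point made in the reply above, that a known-plaintext field is only a tampering problem when encryption is not authenticated, shown as an added example that is not part of the original message. It uses a toy HMAC-based stream cipher as a stand-in for a real cipher, and the frame contents, field layout and function names are constructed for illustration.

```python
import hashlib, hmac, os

def keystream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 over nonce||counter (stand-in for a real stream/CTR cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream_crypt(key, nonce, data):
    # Encryption and decryption are the same XOR with the keystream.
    return xor(data, keystream(key, nonce, len(data)))

def seal(enc_key, mac_key, nonce, pt):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = stream_crypt(enc_key, nonce, pt)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, blob):
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before any plaintext is released
    return stream_crypt(enc_key, nonce, ct)

def rewrite_known_field(ct, offset, known, wanted):
    # No key needed: XORing (known ^ wanted) into the ciphertext turns a field
    # whose plaintext is known (here, zeroed padding) into any chosen value.
    delta = xor(known, wanted)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    frame = b"constructed-frame"   # constructed sample payload
    pad = bytes(4)                 # field zeroed by rule, so its plaintext is known
    wanted = b"\xde\xad\xbe\xef"
    # Unauthenticated: the modified ciphertext decrypts cleanly to the new value.
    ct = stream_crypt(enc_key, nonce, frame + pad)
    tampered = rewrite_known_field(ct, len(frame), pad, wanted)
    unauth = stream_crypt(enc_key, nonce, tampered)
    # Authenticated: the same modification fails the tag check.
    blob = seal(enc_key, mac_key, nonce, frame + pad)
    bad = rewrite_known_field(blob, len(frame), pad, wanted)
    return unauth, open_sealed(enc_key, mac_key, nonce, bad), open_sealed(enc_key, mac_key, nonce, blob)
```

`demo()` returns the silently altered plaintext from the unauthenticated path, `None` for the tampered authenticated message, and the original plaintext for the untouched one.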