Re: [Cfrg] Request For Comments: OCB Internet-Draft

"Rose, Greg" <> Fri, 15 July 2011 17:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BCF5F21F8BEB for <>; Fri, 15 Jul 2011 10:53:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VcsMj61VJM3z for <>; Fri, 15 Jul 2011 10:53:05 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 3154F21F8BB5 for <>; Fri, 15 Jul 2011 10:53:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=qcdkim; t=1310752385; x=1342288385; h=from:to:cc:subject:thread-topic:thread-index:date: message-id:references:in-reply-to:accept-language: content-language:x-ms-has-attach:x-ms-tnef-correlator: x-originating-ip:content-type:content-id: content-transfer-encoding:mime-version; z=From:=20"Rose,=20Greg"=20<>|To:=20Jack =20Lloyd=20<>|CC:=20"Rose,=20Greg"=20<>,=20"<>"=20<> |Subject:=20Re:=20[Cfrg]=20Request=20For=20Comments:=20OC B=20Internet-Draft|Thread-Topic:=20[Cfrg]=20Request=20For =20Comments:=20OCB=20Internet-Draft|Thread-Index:=20AQHMQ sRp6eyaR4zlx0yk3udq5GiQtJTt8LQAgAAIyYCAABNsAIAADvKAgAADvo A=3D|Date:=20Fri,=2015=20Jul=202011=2017:51:59=20+0000 |Message-ID:=20<462E229B-F320-4431-8F7E-D5536A7386BC@qual>|References:=20<22798CA3-3D49-4652-A5DB-EC25ACCD>=0D=0A=20<2B90DB3F-327A-45B3-B1AE-C8D198>=0D=0A=20<87r55sc72o.fsf@latte.josefss>=0D=0A=20<FD9110CA-6C21-492D-9DE3-027C77A0A31F@kro>=0D=0A=20<4FB2F68A-8B84-4953-A7B1-87D3E9DCEA2D@v>=0D=0A=20<B89E1A56-0533-4420-B6C6-8B8F81BEC2CE@kr>=0D=0A=20<> |In-Reply-To:=20<> |Accept-Language:=20en-US|Content-Language:=20en-US |X-MS-Has-Attach:|X-MS-TNEF-Correlator:|x-originating-ip: =20[]|Content-Type:=20text/plain=3B=20charset =3D"us-ascii"|Content-ID:=20<5828788BD78E5F4DBF34919DF4E8>|Content-Transfer-Encoding:=20quoted-pr intable|MIME-Version:=201.0; bh=CykBZE1mhSbn9XHGxfTQls8zBAkjOgB8qi7FZ+tEyvk=; b=F1H74Ld8++e4iQQP0cpPo1mHyEkvOvNmnIRs49Znb5GNDZYxy9xquJQM VoARmatWkupRMo+9ZnseYdiheBiUeQ24xwHdGav0SS757yuSNvDAzHLnQ n9J/ZEHwUCK5Mb3bMeD+kQXPX9YuoexyJ21b0YazL0MLMc+OCMRrheudo 8=;
X-IronPort-AV: E=McAfee;i="5400,1158,6408"; a="103826051"
Received: from ([]) by with ESMTP; 15 Jul 2011 10:53:03 -0700
X-IronPort-AV: E=Sophos;i="4.65,535,1304319600"; d="scan'208";a="155106554"
Received: from ([]) by with ESMTP/TLS/AES128-SHA; 15 Jul 2011 10:53:03 -0700
Received: from ([fe80::4d64:11bc:743c:6fdb]) by ([::1]) with mapi id 14.01.0323.000; Fri, 15 Jul 2011 10:52:00 -0700
From: "Rose, Greg" <>
To: Jack Lloyd <>
Thread-Topic: [Cfrg] Request For Comments: OCB Internet-Draft
Thread-Index: AQHMQsRp6eyaR4zlx0yk3udq5GiQtJTt8LQAgAAIyYCAABNsAIAADvKAgAADvoA=
Date: Fri, 15 Jul 2011 17:51:59 +0000
Message-ID: <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "Rose, Greg" <>, "<>" <>
Subject: Re: [Cfrg] Request For Comments: OCB Internet-Draft
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Jul 2011 17:53:05 -0000

On 2011 Jul 15, at 10:38 , Jack Lloyd wrote:

> On Fri, Jul 15, 2011 at 09:45:06AM -0700, Ted Krovetz wrote:
>> In my opinion the point of the nonce-reuse warning is to impress
>> upon security engineers that catastrophe strikes if a nonce is
>> reused during encryption, and so they should make nonce reuse
>> impossible. If nonce reuse is impossible, then it is irrelevant how
>> bad the damage is when nonces are reused.
> I think part of the issue is that making something truly 'impossible'
> is quite a bit harder than it might sound, especially in the face of
> an active attacker who might well decide that the easiest way of
> breaking the system is to force it to reuse a nonce somehow (this
> seems especially likely in embedded systems, but a general system
> might well be susceptible). Some plausible failure modes, like VM
> state rollback [1], could even be attacked passively and
> opportunistically.
> Someone building or deploying a system (ie the sort of person who
> would read an i-d or RFC) might well want to understand exactly how
> fragile the system is when misused, which lets them make a realistic
> and informed judgement of the tradeoffs in choosing between different
> options.

And don't forget that the attacker gets to reuse nonces all he wants (albeit on presumably invalid packets). This is why there must be an absolute prohibition on using the decryption results of an invalid packet. I haven't had time to read the draft; I trust this is mentioned somewhere. It's particularly important for a mode like OCB where the decryption is already done before you know that the packet was bogus. The data should be cleared before returning failure.