IETF Logo Mail Archive

Re: [Cfrg] Discuss/standardize Preview extension to AEAD abstraction?

Bryan Ford <brynosaurus@gmail.com> Fri, 04 December 2015 10:53 UTC

Return-Path: <brynosaurus@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F2411B2FDC for <cfrg@ietfa.amsl.com>; Fri, 4 Dec 2015 02:53:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KoXoNwbf1-lC for <cfrg@ietfa.amsl.com>; Fri, 4 Dec 2015 02:53:06 -0800 (PST)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41D6C1B2FDA for <Cfrg@irtf.org>; Fri, 4 Dec 2015 02:53:06 -0800 (PST)
Received: by wmww144 with SMTP id w144so56828987wmw.1 for <Cfrg@irtf.org>; Fri, 04 Dec 2015 02:53:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=neoQWUwUCX2znOc2qO1mrv0sPXIeOong7Jt0yWxDfJk=; b=EnKk0IQVVZJj2Ys1f962wBoeRiShZnC1289AnR+yJDEu0iPKoeqWv+qTJf1vHvYcHe hWvpalwheb67UJCXIj48ssit+7Xs0Zcbi7T6zsDdBkYGYoz1VZET+jaau7cgDC4f7N9L fXH5+33jSe55ucE8N630jW7Xgcfzr+P6RDERWf14oiVYS0wmUOtTNuRb2fPx/pDlpRxW D3OoM34/m3nAIq+lfgY40m6rVcdfdAjniwg8np9GciHIqOMadxJ2B6YVHG3XsmNfrr1v gCwWz2rPJAd8uK4HEQS9aLch1I4AVp+kfgNRVf7f4TXgAqEhRfBZldAy/rZXYrT3FycQ mZXA==
X-Received: by 10.28.19.20 with SMTP id 20mr4333740wmt.49.1449226384568; Fri, 04 Dec 2015 02:53:04 -0800 (PST)
Received: from icsil1noteb193.epfl.ch (icsil1noteb193.epfl.ch. [128.178.151.41]) by smtp.gmail.com with ESMTPSA id w141sm2911518wmw.24.2015.12.04.02.53.02 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 04 Dec 2015 02:53:02 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_1171596E-BE94-4EA6-8A66-9002439728C5"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Bryan Ford <brynosaurus@gmail.com>
In-Reply-To: <alpine.BSO.2.20.1512031055120.12629@natsu.mindrot.org>
Date: Fri, 04 Dec 2015 11:53:02 +0100
Message-Id: <21946846-1BFB-4170-8E8E-EC6A00BF3AED@gmail.com>
References: <8F1E4FEC-1FED-491B-BC6A-B00C27864414@gmail.com> <alpine.BSO.2.20.1512031055120.12629@natsu.mindrot.org>
To: Damien Miller <djm@mindrot.org>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/cd716Q11B9rCTQ9-9mfO2lag4Dc>
Cc: Philipp Jovanovic <philipp.jovanovic@epfl.ch>, Cfrg@irtf.org, "D. J. Bernstein" <djb@cr.yp.to>
Subject: Re: [Cfrg] Discuss/standardize Preview extension to AEAD abstraction?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 10:53:09 -0000

On 03 Dec 2015, at 01:28, Damien Miller <djm@mindrot.org> wrote:
> On Mon, 30 Nov 2015, Bryan Ford wrote:
>> A few days ago I started a thread on the TLS list on encrypting TLS
>> headers, like SSH has been doing for a long time, to add (limited but
>> useful) protection against passive fingerprinting and traffic analysis
>> attacks. I then learned that there’s a parallel discussion thread
>> touching on the same topic on the SSH mailing list. I don’t want to
>> start yet another discussion thread on the merits of header-encryption
>> in general (see either of those two existing threads if you want to
>> jump in on that :) ) - but I wanted to bring up the technical issue
>> of how header-encryption interacts with the shift toward AEAD cipher
>> designs. This seemed like a potentially interesting CFRG topic.
>> 
>> The general problem (for TLS or SSH or many other protocols) is that
>> we might like to encrypt both the header and the payload, but the
>> header typically includes the length field, and the receiver needs
>> that length field to know how big of a blob to read and pass to the
>> AEAD for decryption and integrity-checking. Thus, we really would
>> like a three-stage receive process: (1) decrypt header to retrieve
>> length, (2) read the cipher text payload, (3) decrypt the payload and
>> integrity-check both the header and payload. Is it worth considering
>> a fairly simple extension to the AEAD abstraction that would support
>> this form of operation?
> 
> Speaking as an application developer, I want a primitive that allows
> me to "seal" zero or more bytes of plaintext to be encrypted and
> authenticated along with zero or more bytes of AAD to be authenticated
> into a self-delimiting blob that preserves the integrity and
> *optionally the privacy* of the lengths of the plaintext and AAD.
> 
> At the other end, I want to, given enough of the header of that blob,
> be able to determine a) how many bytes I need to read to get the whole
> thing, b) how much space I'll need to extract the plaintext (if any) and
> c) how much space I'll need to extract the AAD (if any).

Agreed, that’s exactly what the APEAD interface-extension I proposed is trying to make possible, at least in the case of TLS.  The same APEAD interface extension also solves a slightly different need in the case of DTLS and similar out-of-order datagram-oriented protocols, where the length isn’t a problem but the receiver instead needs to get at an encrypted sequence number somehow in order to know which nonce to use for decryption.

Philipp Jovanovic, my amazing new postdoc, pointed out that the CAESAR cipher competition defined a “secret message number” feature that AEAD submissions can optionally implement:

	http://competitions.cr.yp.to/caesar-call.html <http://competitions.cr.yp.to/caesar-call.html>

…and pointed to a nice explanation by DJB clarifying both the motivation and intended function of this secret message number feature:

	https://groups.google.com/forum/#!searchin/crypto-competitions/secret$20message$20numbers/crypto-competitions/n5ECGwYr6Vk/bsEfPWqSAU4J <https://groups.google.com/forum/#!searchin/crypto-competitions/secret$20message$20numbers/crypto-competitions/n5ECGwYr6Vk/bsEfPWqSAU4J>

This seems like exactly the thing the DTLS case wants, although it doesn’t address the encrypted-length problem in the case of TLS.  I’m curious how many CAESAR cipher submissions actually ended up supporting secret message numbers; does anyone have a sense for this?

It seems like the APEAD extension I proposed is more general than an AEADs with secret message numbers, in that it is easy to build an “AEAD with secret message numbers” from an APEAD.  On encryption, just prepend the secret message number to both the plaintext and the nonce and feed them to the APEAD encrypt interface.  On decryption, invoke the APEAD preview call to decrypt the (not-yet-authenticated) secret message number, prepend it to the nonce, and invoke the full APEAD decrypt-and-authentication function.

Perhaps DJB can comment - is my reasoning sound about the relationship between the proposed APEAD extension and the CAESAR competition’s optional secret message number feature?  Is there anything seriously problematic or unsound from a crypto perspective about such an APEAD interface extension or feature, aside from the well-known risks associated with any use of (“previewed”) data before it’s been integrity-checked?

Cheers
Bryan

v2.23.0 | Report a Bug | By Email