Re: [Cfrg] Attacker changing tag length in OCB

Ted Krovetz <ted@krovetz.net> Wed, 29 May 2013 14:28 UTC

From: Ted Krovetz <ted@krovetz.net>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1151AC7071C@WSMSG3153V.srv.dir.telstra.com>
Date: Wed, 29 May 2013 07:28:29 -0700
Message-Id: <60CBDD6C-93EA-40D8-8E70-4A17E9EA0736@krovetz.net>
References: <20130528162226.1401.91015.idtracker@ietfa.amsl.com> <255B9BB34FB7D647A506DC292726F6E1151AC7071C@WSMSG3153V.srv.dir.telstra.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Attacker changing tag length in OCB

James,

Thanks for looking over the document. I didn't mean for this announcement to get posted here, but a few small edits caused an auto-announcement. Sorry.

As for your concerns... AEAD_AES_128_OCB_TAGLEN128 and AEAD_AES_128_OCB_TAGLEN64 are different algorithms and a protocol will specify or negotiate one or the other, but not allow both simultaneously under the same key.

If for some reason a protocol did want to allow tags valid under either algorithm, then the two algorithms would need to operate under different keys. Just like if you wanted to accept messages with tags valid under either HMAC or CBC-MAC, you'd use different keys for each.

In other words, you are right. Shorter tags are simple truncations of longer tags. But only a very poorly engineered system would be affected by this fact.

-Ted
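The following is an added example, not part of the thread, modelling the point Ted makes above in Python. The standard library has no OCB, so a truncating tag function (HMAC-SHA256 cut to the requested length) stands in for OCB's property that the 64-bit tag is the first half of the 128-bit tag. It contrasts the "poorly engineered" receiver, which accepts either tag length under one key, with a receiver bound to the single negotiated algorithm, and with the per-algorithm key separation the post recommends. The algorithm names are those from the post; the key, nonce, associated data, ciphertext and the labelled key derivation are constructed assumptions.

```python
import hashlib
import hmac

# Tag lengths in bytes for the two algorithm names used in the post.
TAGLEN = {"AEAD_AES_128_OCB_TAGLEN128": 16, "AEAD_AES_128_OCB_TAGLEN64": 8}


def tag(key: bytes, nonce: bytes, ad: bytes, ciphertext: bytes, taglen: int) -> bytes:
    """Stand-in tag function: a 128-bit tag over (nonce, AD, ciphertext),
    truncated to taglen bytes, so shorter tags are prefixes of longer ones."""
    full = hmac.new(key, nonce + ad + ciphertext, hashlib.sha256).digest()[:16]
    return full[:taglen]


def verify_any_length(key: bytes, nonce: bytes, ad: bytes, ciphertext: bytes,
                      received_tag: bytes) -> bool:
    """The poorly engineered receiver: one key, tag length inferred from the
    message, so both algorithms are effectively accepted under the same key."""
    taglen = len(received_tag)
    if taglen not in TAGLEN.values():
        return False
    expected = tag(key, nonce, ad, ciphertext, taglen)
    return hmac.compare_digest(expected, received_tag)


def verify_fixed(key: bytes, nonce: bytes, ad: bytes, ciphertext: bytes,
                 received_tag: bytes, algorithm: str) -> bool:
    """Receiver bound to the one algorithm specified or negotiated for this
    key: a tag of any other length is rejected before comparison."""
    taglen = TAGLEN[algorithm]
    if len(received_tag) != taglen:
        return False
    expected = tag(key, nonce, ad, ciphertext, taglen)
    return hmac.compare_digest(expected, received_tag)


def derive_key(master: bytes, algorithm: str) -> bytes:
    """Key separation for a protocol that really wants both algorithms:
    one sub-key per algorithm (constructed labelled derivation, an assumption)."""
    return hmac.new(master, algorithm.encode(), hashlib.sha256).digest()[:16]


def demo() -> dict:
    """Runs the scenarios from the post and returns named boolean outcomes."""
    key = b"constructed-key!"                 # constructed 16-byte key
    nonce, ad, ct = b"nonce-000001", b"hdr", b"opaque ciphertext bytes"  # constructed

    t128 = tag(key, nonce, ad, ct, 16)
    t64 = t128[:8]                            # the truncation relationship described
    out = {}
    out["truncation_is_tag64"] = (t64 == tag(key, nonce, ad, ct, 8))
    # Same key, both lengths accepted: the truncated tag verifies as TAGLEN64.
    out["loose_receiver_accepts_truncated"] = verify_any_length(key, nonce, ad, ct, t64)
    # Key bound to TAGLEN128: an 8-byte tag is rejected outright.
    out["fixed_receiver_rejects_truncated"] = not verify_fixed(
        key, nonce, ad, ct, t64, "AEAD_AES_128_OCB_TAGLEN128")
    # Separate keys per algorithm: truncating a TAGLEN128 tag gives nothing
    # valid under the TAGLEN64 key.
    k128 = derive_key(key, "AEAD_AES_128_OCB_TAGLEN128")
    k64 = derive_key(key, "AEAD_AES_128_OCB_TAGLEN64")
    t128_sep = tag(k128, nonce, ad, ct, 16)
    out["separate_keys_unrelated"] = not verify_fixed(
        k64, nonce, ad, ct, t128_sep[:8], "AEAD_AES_128_OCB_TAGLEN64")
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The length check in `verify_fixed` is what makes "one algorithm per key" enforceable at the receiver; `verify_any_length` is the shape to look for in review when a decoder derives the tag length from the received message rather than from the negotiated algorithm.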