Re: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

"Manger, James H" <> Wed, 21 November 2012 01:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AB7E821F873A for <>; Tue, 20 Nov 2012 17:32:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.77
X-Spam-Status: No, score=-0.77 tagged_above=-999 required=5 tests=[AWL=0.130, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RELAY_IS_203=0.994]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id l8RN4qcjA3v6 for <>; Tue, 20 Nov 2012 17:32:36 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 1D04221F872E for <>; Tue, 20 Nov 2012 17:32:33 -0800 (PST)
X-IronPort-AV: E=Sophos; i="4.83,290,1352034000"; d="scan'208,217"; a="102349744"
Received: from unknown (HELO ([]) by with ESMTP; 21 Nov 2012 12:32:31 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,6902"; a="94034603"
Received: from ([]) by with ESMTP; 21 Nov 2012 12:32:31 +1100
Received: from ([]) by ([]) with mapi; Wed, 21 Nov 2012 12:32:30 +1100
From: "Manger, James H" <>
To: "David McGrew (mcgrew)" <>, 'IRTF CFRG' <>, Tolga Acar <>
Date: Wed, 21 Nov 2012 12:32:22 +1100
Thread-Topic: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
Thread-Index: AQHNx2ETlyAzLxb67Eq9P0wOuMXhUZfzWrow
Message-ID: <>
References: <003801cdc5bc$ce464e50$6ad2eaf0$> <>
In-Reply-To: <>
Accept-Language: en-US, en-AU
Content-Language: en-US
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E115009143A4WSMSG3153Vsrv_"
MIME-Version: 1.0
Subject: Re: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Nov 2012 01:32:37 -0000

There are two risks:

1.       The CBC padding is processed before the MAC is verified

2.       The plaintext is used before the MAC is verified

The draft could make the CBC padding processing even safer by being even more lenient: only consider the least significant 4 bits of the last byte (ie modulo the block length). That is guaranteed to be in [0,15] so it always gives a valid padding length (0 means 16 bytes of padding). Such padding processing can never fail so it can never act as a padding oracle even if it is accidentally performed before the proper MAC integrity check.

Mind you, I would expect many implementations to use existing implementations for the padding that will not be changed to be lenient. Hence the Security Considerations should say that it is crucial that the MAC is verified before the CBC padding is processed.

If you operate in a streaming mode (ie you don’t want to buffer the whole ciphertext before outputting anything) then corrupted plaintext can be produced, and a MAC failure will only be reported later (or never, if the end of the ciphertext is never received). draft-mcgrew-aead-aes-cbc-hmac-sha2-01 “prevents” this by performing the MAC verification (step 3) before the decryption (step 4), but that ordering will be ignored by APIs that support streaming.

In Java, for instance, the Cipher class has an update(ByteBuffer input, ByteBuffer output) methods that can be called any number of times (outputting plaintext) before calling doFinal(...), at which point an exception is thrown if the integrity check fails. As an example, the BouncyCastle implementation of AES/GCM/NoPadding decryption returns plaintext from the update(...) calls; it does not buffer the plaintext until the integrity check in the doFinal(...) call.

The Security Considerations section hints at this issue by talking about a “single atomic operation”:
   There are security benefits to providing both confidentiality and
   authentication in a single atomic operation, as done in this note.
   This tight binding prevents subtle attacks such as the padding oracle
Perhaps add that “while a streaming implementation of decryption can calculate some plaintext before all the ciphertext has been processed, the authenticity is not ensured until all the ciphertext has been processed”.

James Manger

·         Section 2.2, step 3. When MAC verification fails, the draft recommends halting the operation before CBC decryption. We have seen timing and error-code based attacks against TLS’ MAC-then-Encrypt scheme. I realize that the draft is prescribing E-t-M. Nonetheless, considering a potential flaw in HMAC-SHA2 series (I don’t know of any, but …), I’d suggest not halting the operation even after MAC check fails, but continuing on to CBC decryption, and then returning an error that doesn’t distinguish between a MAC and a decryption (pad check) error. Yes, this would consume more CPU cycles only to waste them *under an attack*, which is not necessarily bad.

Your suggestion aims to hide from an attacker whether or not the authentication check passed or failed, by removing the (significant) timing difference in whether decryption is performed or not.  I don't see what security advantage this provides.   In many scenarios an attacker could tell whether or not a message was accepted anyway, by observing that the receiver acted on that message.

·         Section 2.2, step 5. Unspecified error case of invalid padding (link to my comment above).

The draft does consider invalid padding, and takes a conservative in what you send, liberal in what you accept policy.   The sender is required to use PKCS/PEM style padding, but the receiver is only told to consider the final octet of the padding (which is the only octet that matters).   The Step you mention says:

                                                                           If the final octet has
       a value outside that range, then all of the data used in the
       processing of the message is zeroized and discarded, and the AEAD
       decryption operation returns an indication that it failed, and
       the operation halts.

This could be amended by saying that "If the padding string does not have the form described in Step 3, the message MAY be rejected".

I think that the liberal-in-what-you-accept policy is the best option here, but I could be convinced otherwise.   The citations for padding schemes mentioned earlier are silent on this issue.