IETF Logo Mail Archive

Re: [Cfrg] [Ntp] Last minute annoying discovery about NTS

Watson Ladd <watsonbladd@gmail.com> Thu, 21 March 2019 00:46 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 583C1130E70 for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2019 17:46:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iHXCA8VbW0GH for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2019 17:46:18 -0700 (PDT)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4AAB130DEA for <cfrg@irtf.org>; Wed, 20 Mar 2019 17:46:17 -0700 (PDT)
Received: by mail-lf1-x130.google.com with SMTP id y62so3282902lfc.13 for <cfrg@irtf.org>; Wed, 20 Mar 2019 17:46:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2xGXVqEUMk8dP8BydGoreM50frnYuDj7mgKLhn4mq3Y=; b=eu14AWX/BNzAWqwEbIWinNH1Fh3usavSLeqNKLnbzXzePjpDljN1I80R2mI3M+P345 2+hrUR/LzxfgWJspf5vvzR67jXgnYIvL85ZpLte7+2kBVWRMySK3x2ALsZx16JCYmJjp GxsjLi7FEmivdhs0/0zL5PmNotb2dlEdylu/0h1ZyPRcxSAqmxY+sriBWToreE6jreUU uiLkxQue7a0/hCM/lR//fF536eVxXYqMrVcoCd3PILsngjRN1uLBra/b/qWC3wO5NeK+ BDA1t0uX6JXYruTSlbbjGl0qWixbPvVwQ6a5zgVprpAAo+sSkdGyDSswuN3dj5/LH0kD JtXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2xGXVqEUMk8dP8BydGoreM50frnYuDj7mgKLhn4mq3Y=; b=aDEsk+CRSw2d8gK+wwcpHtuNzkbfoQu34x6x/DuJ8GhITsBPJaq+tkihXOoME6IEVn BYdjBigdE7FAc4Tzxaxu99Bzzb/AxStacXjILyaH8MvrbDV1XLlzwsSIGsWwLfJGzjPw jO+6ln2uGoVnK+tU7myjukdVB85CTfG9RUpZw9E6QnA2He+XArzLW7BscvMF/kMM+OGK HWTTNADmzdoSlym7eJrdJIZ51JNcgaJyeabx8kq4nOfqQAOcMPVdivqzpB2MalApfhk3 9n+UP1bRZO0L/ecWEH68Psffmmcsgr88uf00K4ZQvuJeJt1VDpFLzUWoP/HHjRM0nN6v fD3A==
X-Gm-Message-State: APjAAAW06fGjUt5ZtLCn+clo6lF826DJAezIdGepCHQ2lL59++ywcI4A +JhO3DpAFpKk/0pasSUnSFDKquVKxtWrGXK0M60=
X-Google-Smtp-Source: APXvYqwa1VP+2IHBH1Cx2YeYbKOAc8cGsEjMxKKmCJtNGquztVDumzHa35ykRh7ftim1jqzktlR2yvzg1EDhsIdwyis=
X-Received: by 2002:a19:ca02:: with SMTP id a2mr362012lfg.88.1553129175970; Wed, 20 Mar 2019 17:46:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAN2QdAH3f58FsfPoLquUh-ZgQe-X4EoCgiJAF7zf5X1M_r+zEA@mail.gmail.com> <CAJm83bDnyHx+wA21xsodL+tZkXSjDceFtyqPVNAnVOLJZVgmJA@mail.gmail.com> <CAN2QdAG8szTQyCw41XkioW7de3WxF59UaWmLazk3ak4wX8ps4Q@mail.gmail.com> <CAMbs7ktP_pmC5x256U38L0f_MXTWh9=Xy0KZ79AH=PtROxA5pQ@mail.gmail.com>
In-Reply-To: <CAMbs7ktP_pmC5x256U38L0f_MXTWh9=Xy0KZ79AH=PtROxA5pQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 20 Mar 2019 17:46:03 -0700
Message-ID: <CACsn0cmedxYQoQSoCFLj3xWoSNPKSzy6RaCPC6P+L98ShEwLBA@mail.gmail.com>
To: Aanchal Malhotra <aanchal4@bu.edu>
Cc: Watson Ladd <watson=40cloudflare.com@dmarc.ietf.org>, ntp@ietf.org, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000d2f8e30584901074"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/hl8h8MS6fimlVPHhEo4ravTmKFc>
Subject: Re: [Cfrg] [Ntp] Last minute annoying discovery about NTS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2019 00:46:21 -0000

I've managed to convince myself Daniel is right and there is no problem.

On Wed, Mar 20, 2019, 1:31 PM Aanchal Malhotra <aanchal4@bu.edu> wrote:

> This reference for KDM security might be useful.
> https://eprint..iacr.org/2010/513.pdf
> <https://eprint.iacr.org/2010/513.pdf>
>
> On Wed, Mar 20, 2019 at 1:29 PM Watson Ladd <watson=
> 40cloudflare.com@dmarc.ietf.org> wrote:
>
>> On Wed, Mar 20, 2019 at 1:18 PM Daniel Franke <dfoxfranke@gmail.com>
>> wrote:
>> >
>> > Are you certain the standard security definitions don't suffice? If
>> > the S2C key were directly being encrypted under itself, then a
>> > circular-secure cipher would be needed. Ditto if you were to encrypt
>> > the S2C key under the master key and also encrypted the master key
>> > under the S2C key. We're producing the cookie by encrypting the S2C
>> > key under the master key, and then for transmission we're encrypting
>> > the resulting ciphertext under the S2C key. But at no point does the
>> > master key ever get encrypted under the S2C key; the master key never
>> > leaves the server even as ciphertext. So I don't think we actually
>> > have a loop here.
>>
>> Any sort of encryption of a function of the key is a call the experts
>> situation. So the question for the experts: if E_K(M) is an AEAD
>> scheme, and K1, K2 keys
>> is E_{K1}(E_{K2}(K1)) a sane thing to do, or is it a problem from a
>> proof perspective? What if I am allowed to change the inner or outer
>> schemes to any AEAD scheme?
>>
>> >
>> > On Wed, Mar 20, 2019 at 3:34 PM Watson Ladd
>> > <watson=40cloudflare.com@dmarc.ietf.org> wrote:
>> > >
>> > > Dear all,
>> > >
>> > > I really apologize for sending this message so late in the process,
>> > > but there is a problem with NTS in draft-17.
>> > >
>> > > The cookie encrypts S2C and C2S under a key known to the server, but
>> > > then the response encrypts the cookie under S2C. This creates a
>> > > situation where we are encrypting plaintext that depends on the key,
>> > > which complicates the security analysis. (And by complicates I mean
>> > > there are contrived ciphers meeting the ordinary security notion that
>> > > would be completely insecure in such a protocol: one has to not use
>> > > generic analysis: it's a pain to deal with. see
>> > > https://eprint.iacr.org/2010/144.pdf)
>> > >
>> > > One solution would be for the cookie to contain the new keys which the
>> > > server picks at random (and of course the client strips them out
>> > > before sending the rest of the cookie to the server). Again, I
>> > > apologize for only just noticing this detail.
>> > >
>> > > Sincerely,
>> > > Watson Ladd
>> > >
>> > > _______________________________________________
>> > > ntp mailing list
>> > > ntp@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/ntp
>>
>> _______________________________________________
>> ntp mailing list
>> ntp@ietf.org
>> https://www.ietf.org/mailman/listinfo/ntp
>>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email