Re: [Cfrg] [Ntp] Last minute annoying discovery about NTS
Watson Ladd <watsonbladd@gmail.com> Thu, 21 March 2019 00:46 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 583C1130E70 for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2019 17:46:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iHXCA8VbW0GH for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2019 17:46:18 -0700 (PDT)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4AAB130DEA for <cfrg@irtf.org>; Wed, 20 Mar 2019 17:46:17 -0700 (PDT)
Received: by mail-lf1-x130.google.com with SMTP id y62so3282902lfc.13 for <cfrg@irtf.org>; Wed, 20 Mar 2019 17:46:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2xGXVqEUMk8dP8BydGoreM50frnYuDj7mgKLhn4mq3Y=; b=eu14AWX/BNzAWqwEbIWinNH1Fh3usavSLeqNKLnbzXzePjpDljN1I80R2mI3M+P345 2+hrUR/LzxfgWJspf5vvzR67jXgnYIvL85ZpLte7+2kBVWRMySK3x2ALsZx16JCYmJjp GxsjLi7FEmivdhs0/0zL5PmNotb2dlEdylu/0h1ZyPRcxSAqmxY+sriBWToreE6jreUU uiLkxQue7a0/hCM/lR//fF536eVxXYqMrVcoCd3PILsngjRN1uLBra/b/qWC3wO5NeK+ BDA1t0uX6JXYruTSlbbjGl0qWixbPvVwQ6a5zgVprpAAo+sSkdGyDSswuN3dj5/LH0kD JtXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2xGXVqEUMk8dP8BydGoreM50frnYuDj7mgKLhn4mq3Y=; b=aDEsk+CRSw2d8gK+wwcpHtuNzkbfoQu34x6x/DuJ8GhITsBPJaq+tkihXOoME6IEVn BYdjBigdE7FAc4Tzxaxu99Bzzb/AxStacXjILyaH8MvrbDV1XLlzwsSIGsWwLfJGzjPw jO+6ln2uGoVnK+tU7myjukdVB85CTfG9RUpZw9E6QnA2He+XArzLW7BscvMF/kMM+OGK HWTTNADmzdoSlym7eJrdJIZ51JNcgaJyeabx8kq4nOfqQAOcMPVdivqzpB2MalApfhk3 9n+UP1bRZO0L/ecWEH68Psffmmcsgr88uf00K4ZQvuJeJt1VDpFLzUWoP/HHjRM0nN6v fD3A==
X-Gm-Message-State: APjAAAW06fGjUt5ZtLCn+clo6lF826DJAezIdGepCHQ2lL59++ywcI4A +JhO3DpAFpKk/0pasSUnSFDKquVKxtWrGXK0M60=
X-Google-Smtp-Source: APXvYqwa1VP+2IHBH1Cx2YeYbKOAc8cGsEjMxKKmCJtNGquztVDumzHa35ykRh7ftim1jqzktlR2yvzg1EDhsIdwyis=
X-Received: by 2002:a19:ca02:: with SMTP id a2mr362012lfg.88.1553129175970; Wed, 20 Mar 2019 17:46:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAN2QdAH3f58FsfPoLquUh-ZgQe-X4EoCgiJAF7zf5X1M_r+zEA@mail.gmail.com> <CAJm83bDnyHx+wA21xsodL+tZkXSjDceFtyqPVNAnVOLJZVgmJA@mail.gmail.com> <CAN2QdAG8szTQyCw41XkioW7de3WxF59UaWmLazk3ak4wX8ps4Q@mail.gmail.com> <CAMbs7ktP_pmC5x256U38L0f_MXTWh9=Xy0KZ79AH=PtROxA5pQ@mail.gmail.com>
In-Reply-To: <CAMbs7ktP_pmC5x256U38L0f_MXTWh9=Xy0KZ79AH=PtROxA5pQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 20 Mar 2019 17:46:03 -0700
Message-ID: <CACsn0cmedxYQoQSoCFLj3xWoSNPKSzy6RaCPC6P+L98ShEwLBA@mail.gmail.com>
To: Aanchal Malhotra <aanchal4@bu.edu>
Cc: Watson Ladd <watson=40cloudflare.com@dmarc.ietf.org>, ntp@ietf.org, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000d2f8e30584901074"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/hl8h8MS6fimlVPHhEo4ravTmKFc>
Subject: Re: [Cfrg] [Ntp] Last minute annoying discovery about NTS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2019 00:46:21 -0000
I've managed to convince myself Daniel is right and there is no problem. On Wed, Mar 20, 2019, 1:31 PM Aanchal Malhotra <aanchal4@bu.edu> wrote: > This reference for KDM security might be useful. > https://eprint..iacr.org/2010/513.pdf > <https://eprint.iacr.org/2010/513.pdf> > > On Wed, Mar 20, 2019 at 1:29 PM Watson Ladd <watson= > 40cloudflare.com@dmarc.ietf.org> wrote: > >> On Wed, Mar 20, 2019 at 1:18 PM Daniel Franke <dfoxfranke@gmail.com> >> wrote: >> > >> > Are you certain the standard security definitions don't suffice? If >> > the S2C key were directly being encrypted under itself, then a >> > circular-secure cipher would be needed. Ditto if you were to encrypt >> > the S2C key under the master key and also encrypted the master key >> > under the S2C key. We're producing the cookie by encrypting the S2C >> > key under the master key, and then for transmission we're encrypting >> > the resulting ciphertext under the S2C key. But at no point does the >> > master key ever get encrypted under the S2C key; the master key never >> > leaves the server even as ciphertext. So I don't think we actually >> > have a loop here. >> >> Any sort of encryption of a function of the key is a call the experts >> situation. So the question for the experts: if E_K(M) is an AEAD >> scheme, and K1, K2 keys >> is E_{K1}(E_{K2}(K1)) a sane thing to do, or is it a problem from a >> proof perspective? What if I am allowed to change the inner or outer >> schemes to any AEAD scheme? >> >> > >> > On Wed, Mar 20, 2019 at 3:34 PM Watson Ladd >> > <watson=40cloudflare.com@dmarc.ietf.org> wrote: >> > > >> > > Dear all, >> > > >> > > I really apologize for sending this message so late in the process, >> > > but there is a problem with NTS in draft-17. >> > > >> > > The cookie encrypts S2C and C2S under a key known to the server, but >> > > then the response encrypts the cookie under S2C. This creates a >> > > situation where we are encrypting plaintext that depends on the key, >> > > which complicates the security analysis. (And by complicates I mean >> > > there are contrived ciphers meeting the ordinary security notion that >> > > would be completely insecure in such a protocol: one has to not use >> > > generic analysis: it's a pain to deal with. see >> > > https://eprint.iacr.org/2010/144.pdf) >> > > >> > > One solution would be for the cookie to contain the new keys which the >> > > server picks at random (and of course the client strips them out >> > > before sending the rest of the cookie to the server). Again, I >> > > apologize for only just noticing this detail. >> > > >> > > Sincerely, >> > > Watson Ladd >> > > >> > > _______________________________________________ >> > > ntp mailing list >> > > ntp@ietf.org >> > > https://www.ietf.org/mailman/listinfo/ntp >> >> _______________________________________________ >> ntp mailing list >> ntp@ietf.org >> https://www.ietf.org/mailman/listinfo/ntp >> > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- Re: [Cfrg] [Ntp] Last minute annoying discovery a… Watson Ladd
- Re: [Cfrg] [Ntp] Last minute annoying discovery a… Aanchal Malhotra
- Re: [Cfrg] [Ntp] Last minute annoying discovery a… Watson Ladd
- Re: [Cfrg] [Ntp] Last minute annoying discovery a… Daniel Franke
- Re: [Cfrg] [Ntp] Last minute annoying discovery a… Dan Brown