Re: [Cfrg] Request For Comments: OCB Internet-Draft

[David McGrew <mcgrew@cisco.com>]

Hi Ted,

thanks for this contribution.  I have not yet read it through, but  
after I do I'll send you my thoughts.  I have a comment on the  
security considerations being discussed.  This topic was already  
worked through for GCM and CCM, and it would be best to use similar  
language for OCB.

On Jul 15, 2011, at 9:45 AM, Ted Krovetz wrote:

>
>> If you know how "partial" that is, it would be useful for the draft.
>
>> Ted, I think you can be rather more specific.
>
>
> In my opinion the point of the nonce-reuse warning is to impress  
> upon security engineers that catastrophe strikes if a nonce is  
> reused during encryption, and so they should make nonce reuse  
> impossible. If nonce reuse is impossible, then it is irrelevant how  
> bad the damage is when nonces are reused.
>
> RFC writers need to walk a fine line: RFCs are primarily a  
> description of technology, but should include enough high-level  
> context to inform against poor usage. I think the current warnings  
> on nonce reuse do this, but if you can suggest a scenario where the  
> current advice is being heeded and yet it is still useful to know  
> how bad not heeding it would be, I'm open to adding some  
> quantifications.
>
> It may be worth adding a few paragraphs to the OCB paper describing  
> and quantifying the damage, but I'm a bit reluctant to do so in the  
> ID.

The draft should include text like that of Section 5.1.1 of RFC 5116,  
ideally using the same wording where possible, ideally in a subsection  
entitled "Nonce Reuse".  I think this text, adapted from that section,  
is appropriate:
<text>
The inadvertent reuse of the same nonce by two invocations of the OCB  
encryption operation, with the same key, but with distinct plaintext  
values, undermines the confidentiality of the plaintexts protected in  
those two invocations, and undermines all of the authenticity and  
integrity protection provided by that key.  For this reason, OCB  
should only be used whenever nonce uniqueness can be provided with  
assurance.   Note that it is acceptable to input the same nonce value  
multiple times to the decryption operation.   The security  
consequences are quite serious if an attacker observes    two  
ciphertexts that were created using the same nonce and key values,  
unless the plaintext and AD values in both invocations of the encrypt  
operation were identical.  First, a loss of confidentiality ensues  
because he will be able to infer relationships between the two  
plaintext values. Second, a loss of integrity ensues because the  
attacker will be able to recover secret information used to provide  
data integrity. Knowledge of this key makes subsequent forgeries  
trivial.
</text>
Here I am assuming that the newer version of OCB is still vulnerable  
to Fergusen's collision attack (http://www.cs.ucdavis.edu/~rogaway/ocb/fe02.pdf 
); please correct me if I'm wrong.
David

> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg