IETF Logo Mail Archive

Re: [Cfrg] Attacker changing tag length in OCB

Rene Struik <rstruik.ext@gmail.com> Thu, 30 May 2013 20:00 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BF2921F929F for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 13:00:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YIDrhnu5zzsa for <cfrg@ietfa.amsl.com>; Thu, 30 May 2013 13:00:33 -0700 (PDT)
Received: from mail-ob0-x234.google.com (mail-ob0-x234.google.com [IPv6:2607:f8b0:4003:c01::234]) by ietfa.amsl.com (Postfix) with ESMTP id 2C81021F901F for <cfrg@ietf.org>; Thu, 30 May 2013 13:00:33 -0700 (PDT)
Received: by mail-ob0-f180.google.com with SMTP id eh20so1493488obb.11 for <cfrg@ietf.org>; Thu, 30 May 2013 13:00:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=sf1Trt4FPnxrKxmgYq7DESnJmVTA62iV8GbkRYEDjcA=; b=hix1WBTeJH5gZ3GCjzgQYVGSObvDT6xsMKgpXNazLY2+dI8TakHw3pZaqG2Kq1oKbd wiepVZHV8xSqFaqWkFIPpbBkVL8g5brzR4yPD8vDAkThQandm+ZKSHwk8vfOd4KzLmMS pODbwWKYtrDWvMguoTTjyDz07dkiyOh8rAqzkles1w8ZZlw03Y/Cz8iY8/sARlEI+08i C15CpwaMl+Uu3LHGvwyecN7DqMP+NaB0Bcu1Og3dvYj2Ep85spSkrirAYCGuePyNE9bv GOlkWgzHe7ZB4P6hQO8aOSKm/CF1rwMbRKkERE6fM3kHbO/ALh0B0gXTmiME+QT6g+cH 785g==
X-Received: by 10.60.135.102 with SMTP id pr6mr4624191oeb.138.1369944032663; Thu, 30 May 2013 13:00:32 -0700 (PDT)
Received: from [192.168.1.102] (CPE0013100e2c51-CM001cea35caa6.cpe.net.cable.rogers.com. [99.231.4.27]) by mx.google.com with ESMTPSA id nt17sm43253006obb.13.2013.05.30.12.59.53 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 30 May 2013 12:59:54 -0700 (PDT)
Message-ID: <51A7AFA5.6010501@gmail.com>
Date: Thu, 30 May 2013 15:59:33 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: "Igoe, Kevin M." <kmigoe@nsa.gov>
References: <20130528162226.1401.91015.idtracker@ietfa.amsl.com> <255B9BB34FB7D647A506DC292726F6E1151AC7071C@WSMSG3153V.srv.dir.telstra.com> <CAL02cgSt_qYpXfQLAXoAa6bbMXoYiSBAUe9gHQ1JO3M2GbOOhw@mail.gmail.com> <3C4AAD4B5304AB44A6BA85173B4675CAB02596AF@MSMR-GH1-UEA03.corp.nsa.gov>
In-Reply-To: <3C4AAD4B5304AB44A6BA85173B4675CAB02596AF@MSMR-GH1-UEA03.corp.nsa.gov>
Content-Type: multipart/alternative; boundary="------------020207090408040702000902"
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Attacker changing tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 20:00:36 -0000

Dear colleagues:

The observation that some AEADs have the property that one can truncate 
the authentication tag without affecting AEAD unsecuring operations was 
brought up by Rogaway and Wagner in their 2003 "Critique on CCM" paper 
(Section 3.4). It is therefore kind of interesting to see that the same 
observation applies to the OCB mode.

Whether or not it is good to build-in protection against poor policy 
choices and management thereof is a matter of taste. History suggests 
that lots of security vulnerabilities arise precisely because of these 
poor choices (or lack of knowledge of impact of policy on security 
services offered). One could shield against poor choices in various 
ways, e.g., by using as key k:=Hash(K, TagLength).

Best regards, Rene

Ref: CCM Mode Critique (Rogaway, Wagner,  IACR ePrint 2003-070)
http://eprint.iacr.org/2003/070

On 5/30/2013 3:21 PM, Igoe, Kevin M. wrote:
>
> I agree with Richard.  The implicit assumption is that the length of 
> the authentication tag has either been
>
> agreed upon during the handshake or was a previously agreed upon 
> parameter.  If you change the length
>
> of the authentication tag in the live traffic, it almost certainly 
> won't pass authentication tag verification
>
> by the intended recipient.  Offhand, I don't see a security problem here.
>
> *From:*cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] *On Behalf 
> Of *Richard Barnes
> *Sent:* Wednesday, May 29, 2013 11:45 AM
> *To:* Manger, James H
> *Cc:* cfrg@ietf.org
> *Subject:* Re: [Cfrg] Attacker changing tag length in OCB
>
> James,
>
> Don't most current AEAD modes have this property?  Namely, that 
> there's no protection on the length of the authentication tag.  Off 
> the top of my head, it seems that GCM, CCM, and SIV all have this 
> property.
>
> So while it might be nice for OCB to fix this issue, implementations 
> processing AEAD messages will still have to enforce minimum tag 
> lengths on their own.
>
> --Richard
>
> On Tue, May 28, 2013 at 8:47 PM, Manger, James H 
> <James.H.Manger@team.telstra.com 
> <mailto:James.H.Manger@team.telstra.com>> wrote:
>
> >       Title           : The OCB Authenticated-Encryption Algorithm
> >       Filename        : draft-irtf-cfrg-ocb-02.txt
> > http://tools.ietf.org/html/draft-irtf-cfrg-ocb-02
>
> OCB with tag lengths of 64, 96, and 128 bits are defined. 64-bit and 
> 96-bit tags are simply truncated 128-bit tags. The tag length is not 
> mixed into the ciphertext. It never affects any input to an AES operation.
>
> Consequently, given a valid output from the AEAD_AES_128_OCB_TAGLEN128 
> algorithm it is trivial to produce a valid output from the 
> AEAD_AES_128_OCB_TAGLEN64 algorithm -- just drop the last 8 bytes.
>
> Is this ok?
>
> Another consequence is that an attacker wanting to change the 
> additional data (eg from saying "TOP SECRET" to "PUBLIC") while 
> keeping the same plaintext only has to defeat the shortest tag a 
> recipient accepts, regardless of the tag applied by the originator.
>
> Is this ok? It doesn't feel ok.
>
> Of course if a recipient accepts 64-bit tags an attacker can forge 
> messages with a probability of 2^-64. However, that doesn't seem to be 
> exactly the same as forging a message with the same plaintext as a 
> message originally authenticated with a 128-bit tag.
>
> Would OCB be better if the algorithms with different tag lengths 
> couldn't affect each other? Perhaps restricting the nonce to <126 bits 
> (instead of <128 bits) and encoding the tag length in 2 bits.
>
> --
> James Manger
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
> http://www.irtf.org/mailman/listinfo/cfrg
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email