Re: [Cfrg] Attacker changing tag length in OCB
Dan Brown <dbrown@certicom.com> Fri, 31 May 2013 13:37 UTC
Return-Path: <prvs=986394ad09=dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2975321F85F4 for <cfrg@ietfa.amsl.com>; Fri, 31 May 2013 06:37:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id steTGQjiX80Y for <cfrg@ietfa.amsl.com>; Fri, 31 May 2013 06:36:57 -0700 (PDT)
Received: from mhs061cnc.rim.net (mhs061cnc.rim.net [208.65.73.35]) by ietfa.amsl.com (Postfix) with ESMTP id BB28621F85EB for <cfrg@ietf.org>; Fri, 31 May 2013 06:36:56 -0700 (PDT)
X-AuditID: 0a412830-b7fa06d00000178b-03-51a8a7707e62
Received: from XCT103CNC.rim.net (xct103cnc.rim.net [10.65.161.203]) (using TLS with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) by mhs061cnc.rim.net (SBG) with SMTP id 71.91.06027.077A8A15; Fri, 31 May 2013 08:36:48 -0500 (CDT)
Received: from XMB111CNC.rim.net ([fe80::fcd6:cc6c:9e0b:25bc]) by XCT103CNC.rim.net ([fe80::b8:d5e:26a5:f4d6%17]) with mapi id 14.02.0328.009; Fri, 31 May 2013 09:36:47 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'pgut001@cs.auckland.ac.nz'" <pgut001@cs.auckland.ac.nz>, "'cfrg@ietf.org'" <cfrg@ietf.org>, "'rstruik.ext@gmail.com'" <rstruik.ext@gmail.com>
Thread-Topic: [Cfrg] Attacker changing tag length in OCB
Thread-Index: Ac5dtCi7MmzPOt07Aki0uwqUdA76tAATBNmQ
Date: Fri, 31 May 2013 13:36:46 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF516D126@XMB111CNC.rim.net>
References: <9A043F3CF02CD34C8E74AC1594475C7343D5551D@uxcn10-tdc02.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C7343D5551D@uxcn10-tdc02.UoA.auckland.ac.nz>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.250]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0033_01CE5DE2.5E1AF4A0"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrLJsWRmVeSWpSXmKPExsXC5bjwtG7B8hWBBi/PC1oc3dXGYvHy3XNW i9U3nrM4MHtcbDzA5LFz1l12jyVLfjIFMEfJ2yQllpQFZ6bn6dvZpKTmZJalFiGzEuQzvu86 w1iwJqji6ZpmlgbGvb5djJwcEgImEqdvNDNC2GISF+6tZ+ti5OIQEmhnkli0dSmUs4lR4s2H PhaQKjYBVYn7R88xgyREBKYzSmw5doAJJCEsYC5xcNpPZhBbRMBC4vWBu+wQtpFE/402NhCb Bah5Re9EsBpeATeJ32segdlCAmESqw5PBKvhFAiX2PviMdhJjAKyErvPXgebzywgLnHryXwm iFNFJB5ePM0GYYtKvHz8jxXCVpQ4sWwFG0R9L6PEwZVhELsEJU7OfMIygVFkFpJRs5CUzUJS BhE3kLh/qIMVwtaWWLbwNTOEbSux/+pKKFtRYkr3Q3YI21Ti9dGPjAsYOVYxCuZmFBuYGSbn JesVZebq5aWWbGIER6qGwQ7G9+8tDjEKcDAq8fBqTV4RKMSaWFZcmXuIUQVoxqMNqy8wSrHk 5eelKonw5s8BSvOmJFZWpRblxxeV5qQWH2L8zAgMxonMUtzJ+cD0klcSb2xgQCxHFMYxNLI0 N7Q0MzYzNTE0GzzCSuK8fMGTAoUE0hNLUrNTUwtSi2DeZuLgPMQowcElJVKcmpeSWpRYWpIR D0rz8cXARC/VwFgicUONv3rV6dmXtL8lykRsqO+tm3wjdG762VafhYYPJwSHc6SJKd1ji8x6 kZHDtKV6+cpbnLLSyS0/592R23xnteCiuIddXQubbBunTfSxMdp5INE3nnc/h9JupVkek6MO Ny3b87ji02am08mBxxfEyzQGHZBdqWn7zn/zNP+AxNzEK7YWWUosxRmJhlrMRcWJALMEX/PQ AwAA
Subject: Re: [Cfrg] Attacker changing tag length in OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2013 13:37:02 -0000
> -----Original Message----- > From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of > Peter Gutmann > > Rene Struik <rstruik.ext@gmail.com> writes: > > >History suggests that lots of security vulnerabilities arise precisely [DB] Temporarily taking generality (and frivolity) to the limit: a) History has taught us: better safe than sorry. b) History has taught us: if ain't broke, don't fix it. c) History has taught us: keep it simple. My interpretation is that under the generic cliché-pastiche criteria above, the two proposed OCB fixes on this list pass (a), but fail on (b) and (c). *** More specifically, can (or has) somebody formalize(d) the problem here, and proved that some method actually fixes solve the problem. I liken the AEAD-security here to be the symmetric-key equivalent to IND-CCA for PKE. I'm not aware of any IND-CCA-type definitions or proofs that soften the integrity-protection compared to the confidentiality-protection. Intuitively, I agree that this softened-authentication (e.g. tag shorter than key) mode has merit: confidentiality has to withstand future cryptanalysis, whereas cryptanalysts cannot go back in time to impersonate. *** Speaking of history, fixing, PKE, MACs, and authentication: I recall the incident of ECIES proposed in IEEEP1363 (and include in SEC1-v1). It was based on provably secure construction, but various tweaks were introduced to add some bonus features (i.e. additional unencrypted input to the MAC, sound familiar?), which proved to be flawed fixes (which had to be fixed in turn, in IEEE 1363, SEC1-v2 and ISO 18033-2). In other words, let's not tweak OCB until we're certain of why and how. Of course, that's a single data point. I defer to the wisdom of the learned historians to make an inference based on a broader data set.
- Re: [Cfrg] Attacker changing tag length in OCB Peter Gutmann
- Re: [Cfrg] Attacker changing tag length in OCB Dan Brown