Re: [Cfrg] Proposed Informational Note: Security Guidelines for Cryptographic Algorithms in the W3C Web Cryptography API

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 20 November 2014 16:58 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "jberliner@caa.columbia.edu" <jberliner@caa.columbia.edu>, Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 20 Nov 2014 16:58:45 +0000
Message-ID: <A113ACFD9DF8B04F96395BDEACB340420BE7E5EA@xmb-rcd-x04.cisco.com>
References: <546E0AE5.3040601@w3.org> <CACsn0cn+KX9J1NSUFhKV32iWL4KLHEPOKcXea3cD20QK2YeeaA@mail.gmail.com> <CAP4fkhhBs1QHj5OFoukJdBt2L=EL0PEZ8yefC8S-JRFM=4WX=Q@mail.gmail.com>
In-Reply-To: <CAP4fkhhBs1QHj5OFoukJdBt2L=EL0PEZ8yefC8S-JRFM=4WX=Q@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/qrIA7rnyFu0IYRTHHsIFQtEVWT8
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Proposed Informational Note: Security Guidelines for Cryptographic Algorithms in the W3C Web Cryptography API
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Jonathan Berliner
> Sent: Thursday, November 20, 2014 11:25 AM
> To: Watson Ladd
> Cc: cfrg@irtf.org
> Subject: Re: [Cfrg] Proposed Informational Note: Security Guidelines for
> Cryptographic Algorithms in the W3C Web Cryptography API
> 
> I'm relatively new to this group so take this with some salt, but this bothered
> me:
> 
> I don't like the usage of "nonce" and "random" in these sentences:
> "AES-CBC mode is not CCA secure. It is secure against chosen plaintext
> attacks (CPA-secure) if the IV is random, but not if the IV is a
> nonce[rogaway11evaluation]."
> 
> "AES-CFB is not CCA secure. It is CPA-secure if the IV is random, but not if the
> IV is a nonce [rogaway11evaluation]."
> 
> I read Rogaway's paper
> (http://web.cs.ucdavis.edu/~rogaway/papers/modes.pdf), but I think we
> can define this better:
> 
> "Nonce" - a value/number/string used only once.
> "Random number" - a value/number/string that doesn't follow a pattern (or
> what-have-you).
> 
> This doesn't mean that "nonces" are insecure. "Non-random nonces" are
> insecure, but "random nonces" are secure.

I don't think that Rogaway wants to imply that using nonces necessarily implies insecurity; instead, what he is saying is that if we assume that we use nonces (and make no other assumption beyond that), that does not imply security.  That is, we're not looking for things we know will lead to weakness; we're looking for the necessary assumptions we need to make to know that the cryptography is strong.

> According to the flow of the
> document, "random IVs" are also insecure, because they may be used more
> than once.

Actually, if the IVs are actually chosen at random, we can show that the probability of selecting the same IV twice is negligible.

> 
> I think I understood Rogaway's intent here, that non-randomness is the
> problem, not one-timeness. Based on a cursory survey of parlance used on
> the Internet, I think others would be confused by this, because "nonces" can
> also be "random."

Just because others use terminology in an imprecise way doesn't mean we should.
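The point argued in this thread, that a CBC IV which is merely a nonce (unique but predictable, such as a counter) gives no CPA security while a random IV does, can be shown concretely. The following is an added example written for this archive page; it is not code from the thread, from Rogaway's paper, or from the W3C note. It uses only the Python standard library, so a 4-round Feistel network built from HMAC-SHA256 stands in for AES (the attack does not depend on which block cipher is used). The key, the candidate plaintexts and the "victim" message are constructed for the demo. With a counter IV, an adversary who has seen one ciphertext can confirm a guess of the victim's first block with one chosen-plaintext query per guess; with a random IV the same queries tell the adversary nothing, and iv_collision_bound() gives the birthday bound behind the "negligible probability of a repeated IV" remark above.

```python
# Added example (not from the thread): CBC with a predictable nonce IV vs a
# random IV, under a chosen-plaintext adversary. Standard library only.
import hashlib
import hmac
import secrets

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _prf(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function F_k(round, x): HMAC-SHA256 truncated to one 8-byte half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network (Luby-Rackoff) over the PRF above: a keyed
    # permutation on 16-byte blocks, standing in for AES so the example runs
    # without a third-party library. The attack below works for any block cipher.
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _prf(key, rnd, right))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class CbcOracle:
    """Encryption oracle queried by the CPA adversary.

    predictable_iv=True  -> counter IV: a valid nonce (never repeats) but
                            guessable by anyone who has seen one ciphertext.
    predictable_iv=False -> 16 fresh random bytes per message.
    """

    def __init__(self, key: bytes, predictable_iv: bool):
        self.key = key
        self.predictable_iv = predictable_iv
        self._counter = 0
        self.last_iv = None

    def attacker_predicts_next_iv(self) -> bytes:
        # Counter IV: the prediction is exact. Random IV: any fixed guess is
        # right with probability 2^-128; the previous IV serves as that guess.
        if self.predictable_iv:
            return self._counter.to_bytes(BLOCK, "big")
        return self.last_iv or bytes(BLOCK)

    def encrypt(self, plaintext: bytes):
        if self.predictable_iv:
            iv = self._counter.to_bytes(BLOCK, "big")
            self._counter += 1
        else:
            iv = secrets.token_bytes(BLOCK)
        self.last_iv = iv
        return iv, cbc_encrypt(self.key, iv, plaintext)


def recover_first_block(oracle: CbcOracle, iv_t: bytes, ct_t: bytes, candidates):
    """The victim's first block is C1 = E(M1 xor IV_t). For each guess G the
    attacker submits P = G xor IV_t xor IV_next; the oracle then computes
    E(P xor IV_next) = E(G xor IV_t), which equals C1 iff G == M1.
    Returns the matching guess, or None."""
    for guess in candidates:
        iv_next = oracle.attacker_predicts_next_iv()
        _, ct = oracle.encrypt(_xor(_xor(guess, iv_t), iv_next))
        if ct[:BLOCK] == ct_t[:BLOCK]:
            return guess
    return None


def iv_collision_bound(queries: int, bits: int = 128) -> float:
    """Birthday bound: Pr[two of q uniform random IVs coincide] <= q(q-1)/2^(bits+1)."""
    return queries * (queries - 1) / 2 ** (bits + 1)


# Constructed demo data: a fixed key, a small candidate set for the first
# block, and the victim's real message drawn from it.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
CANDIDATES = [b"PAY 0000100 USD ", b"PAY 0001000 USD ",
              b"PAY 0010000 USD ", b"PAY 0100000 USD "]
SECRET = CANDIDATES[2]


def run_attack(predictable_iv: bool):
    oracle = CbcOracle(KEY, predictable_iv)
    iv_t, ct_t = oracle.encrypt(SECRET + b"ACCT 4242424242 ")
    return recover_first_block(oracle, iv_t, ct_t, CANDIDATES)


if __name__ == "__main__":
    print("counter IV :", run_attack(True))   # the secret block
    print("random IV  :", run_attack(False))  # None
    print("P[IV collision] after 2^32 random IVs <=", iv_collision_bound(2 ** 32))
```

The candidate set is tiny only to keep the demo short; the query cost scales with the number of plausible values for the block, not with the block cipher, which is why a predictable IV is fatal for low-entropy fields such as amounts, cookies or flags. Note also that the counter IV is a perfectly good nonce in the "used only once" sense, which is exactly the distinction the thread is drawing.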