IETF Logo Mail Archive

Re: [CFRG] Fwd: [Technical Errata Reported] RFC9180 (7790)

Neil Madden <neil.e.madden@gmail.com> Mon, 08 April 2024 10:08 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4CB0C14F74E for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 03:08:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ygl8-gsNQI1d for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 03:08:22 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C21DFC14F739 for <cfrg@irtf.org>; Mon, 8 Apr 2024 03:08:22 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id 2adb3069b0e04-516d8764656so868828e87.1 for <cfrg@irtf.org>; Mon, 08 Apr 2024 03:08:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712570901; x=1713175701; darn=irtf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=mnuOsFusZCfgi9O03MMXkC2aViTy5viNA1EOgFc8a3g=; b=Q594FwYj3YHg9IIO+aYMJmWoEp265WxysO0fqAGbInkTSugzBa1ck7tc419OJhKxRr VUF+plf40kr2QwdZL6Ar3GPCqqOn1NA37mtFvDaUR5383jWgxcp4EGU//KgpjmstPROS dmgFHMR+0PU4gZ95E1vvCxJsN8j6EWV2dOGAMGKQz6GTY3+DdR6S92bl6PsEHD8tZv7d xVG3XYDWW73q1AbZS4THYaBNnNgtgmHf4gTKlCJ9K6/9qupudBRZ9T589sq8s8ic5fLd XP7ey5YdeisH5CSaRNfc7skCwsjlwz0UOTd2eR2rkTwwjQ2X+buPOeCBuZ8Xz0zZzEzD QUYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712570901; x=1713175701; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mnuOsFusZCfgi9O03MMXkC2aViTy5viNA1EOgFc8a3g=; b=TS2hP2QeSzQRUc7tug3BYhknTxN9/XU+1C38ZRQRK3zQ+AcmRL+NTAT6cJW8SI1tNj 4oZxuvViwE6l4zHMwthYSImGLPAga/VEUVgZiT2lTSWE1XhouKv2yaCaMfPNIBYKF1KE dcTT0jvUtF4LII+H++8wOc39+BNiVWQ64zVoV6QKjSkA8EC+JkFa+7LBkpsbYVwlwgMf DzL9D+rdF2r831ljS05//+5aDy4MEd6ImQG8nVcq3lWsnXfVtWRbbrl+wJ6eHFZHI1px dZzgH4hq77YSve2Lj++D4w4VReU104DY8QdHvtrRzro3nbSucsWXGi4ofpGljfXYKgd/ 4ZiA==
X-Forwarded-Encrypted: i=1; AJvYcCX6gOYPJKoB954ENJCfY++3SN1io+syGK7Yiy/jLZOrupJe1JcCcXyQnrXXVmTLzlt1gtjVRmNE3GYi/fYc
X-Gm-Message-State: AOJu0Yyyrums7dLVwKL3JrrDRYVFIb/bLr7vDaURDUQ3TLk1eWbatBbO jDtVKuQvtpTCdTI/cOgmR3c2OF2AwOUw6V8UaH6I4NIZXeHLR4Jp
X-Google-Smtp-Source: AGHT+IFEm+2cky/fIl7RHQYx06QG5R3Y5DJgNlgOJGcvNn3ANN3KltHGgS6iEzOgLIocJ1o1+btv5w==
X-Received: by 2002:a05:6512:715:b0:513:9d6b:6d6d with SMTP id b21-20020a056512071500b005139d6b6d6dmr4685856lfs.5.1712570900436; Mon, 08 Apr 2024 03:08:20 -0700 (PDT)
Received: from smtpclient.apple (243.211.93.209.dyn.plus.net. [209.93.211.243]) by smtp.gmail.com with ESMTPSA id n15-20020a5d67cf000000b00345555956c6sm5381104wrw.92.2024.04.08.03.08.20 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 08 Apr 2024 03:08:20 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-8CB0D224-A9AF-4EF0-8ED0-2C25D2AF9702"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Mon, 08 Apr 2024 11:08:09 +0100
Message-Id: <04C6D6E9-2D50-4289-AF0E-398F95B01723@gmail.com>
References: <CA+_8ft66ZM=QND1Qh+OE9fJ6tDufF484cqeUT9NLdzr8gBYwjg@mail.gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, cfrg@irtf.org
In-Reply-To: <CA+_8ft66ZM=QND1Qh+OE9fJ6tDufF484cqeUT9NLdzr8gBYwjg@mail.gmail.com>
To: Karthik Bhargavan <karthik.bhargavan@gmail.com>
X-Mailer: iPhone Mail (21D61)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rJixw7vqVNzmL15eRSHciMPY6S0>
Subject: Re: [CFRG] Fwd: [Technical Errata Reported] RFC9180 (7790)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 10:08:26 -0000

On 8 Apr 2024, at 07:58, Karthik Bhargavan <karthik.bhargavan@gmail.com> wrote:
> 
> 
> Hello Neil,
>  
>> Are you quoting someone here, or is this your opinion? My own opinion (as the erratum reporter) is that RFC 9180 seriously misrepresents the security analysis it is supposed to be based on. At least in a JOSE context, that misrepresentation could lead to serious security vulnerabilities.
>> 
>> For example, suppose you use HPKE AKEM with JOSE to encrypt an OAuth access token to be consumed by two APIs: A and B (each with their own public keys). The lack of Insider Auth security means that when A receives an access token from a legitimate client, they can use it to create arbitrary forged access tokens to send to B.
> 
> I am not sure I fully understand this vulnerability. An authenticated HPKE ciphertext sent from S to A cannot be resent by A to B.
> Insider-Auth security typically only applies to KCI-style attacks. Could you explain a bit more what your concern is?
> I'd like to have a concrete sense of which security property is being violated here.

HPKE only defines an interface for encrypting messages to a single recipient. Therefore standards like JOSE, which support multiple recipients, have to come up with an approach to support that. The obvious thing to do, and what is being proposed for JOSE, is to do what the existing ECDH-ES (ECIES) modes do: generate a random data encryption key (DEK) and use that to encrypt the message using an AEAD. Then run HPKE for each recipient to encrypt the DEK. You then concatenate all the wrapped DEKs and encapsulated keys with the ciphertext and send it. 

To decrypt, each recipient finds their encapsulated key, decapsulates it and decrypts the DEK and then uses that to decrypt the rest of the message. 

But the lack of Insider Auth security for HPKE makes this completely unsafe (when using an authenticated KEM) because when A receives such a message from S, she can use the DEK she recovers to create arbitrary forged messages to send to B that appear to come from S. 

This is why my own draft adding an authenticated version of ECIES to JOSE includes a commitment to the plaintext as associated data to the AKEM [1]. I wrote a more detailed explanation of the problem and solution on my blog (after some discussion on this list) [2]. 

Now, you can (I believe) do a similar solution in HPKE. However, the point is that nobody knows they *need* to do this because the HPKE RFC doesn’t mention it and only categorises the security weakness in terms of KCI, which is irrelevant to this attack. Both attacks are a consequence of a lack of Insider Auth security, however, and this lack in HPKE was known from the security analysis and should have been communicated. 

[1]: https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04#section-2.1
[2]: https://neilmadden.blog/2021/02/16/when-a-kem-is-not-enough/

— Neil

v2.23.0 | Report a Bug | By Email