Re: [Cfrg] RFC 5297 and absent vs. zero-length nonces

Dan Harkins <dharkins@lounge.org> Fri, 24 February 2017 21:26 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E9A5129515 for <cfrg@ietfa.amsl.com>; Fri, 24 Feb 2017 13:26:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KAFnBaN5utqZ for <cfrg@ietfa.amsl.com>; Fri, 24 Feb 2017 13:26:15 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 52293129511 for <cfrg@irtf.org>; Fri, 24 Feb 2017 13:26:15 -0800 (PST)
Received: from thinny.local (ext-104-36-248-13.arubanetworks.com [104.36.248.13]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by colo.trepanning.net (Postfix) with ESMTPSA id B81363E000A; Fri, 24 Feb 2017 13:26:14 -0800 (PST)
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <CAJm83bB22+9L3Rcn43hyDuGx1=ncse5cLYCm+dAP9hCPqnd8Hw@mail.gmail.com> <288933e2-c982-1761-9b14-3b6215978bb6@lounge.org> <47B1124D-F656-49A7-9385-A06F68428B27@cisco.com>
From: Dan Harkins <dharkins@lounge.org>
Message-ID: <b79e12c7-eb75-058b-1bfc-957774e7ca46@lounge.org>
Date: Fri, 24 Feb 2017 13:26:11 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <47B1124D-F656-49A7-9385-A06F68428B27@cisco.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/txBMODTtnAtTAbS0ZAFImhkeMtY>
Subject: Re: [Cfrg] RFC 5297 and absent vs. zero-length nonces
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2017 21:26:16 -0000

   Hi David,

On 2/24/17 4:26 AM, David McGrew (mcgrew) wrote:
> Hi Dan,
>
>
>
> RFC 5116 does allow zero-length nonces and provide guidance around their use.   From that doc:
>
>        A nonce N.  Each nonce provided to distinct invocations of the
>        Authenticated Encryption operation MUST be distinct, for any
>        particular value of the key, unless each and every nonce is zero-
>        length.  Applications that can generate distinct nonces SHOULD use
>        the nonce formation method defined in Section 3.2, and MAY use any
>        other method that meets the uniqueness requirement.  Other
>        applications SHOULD use zero-length nonces.
>
>
>     Each AEAD algorithm MUST accept any nonce with a length between N_MIN
>     and N_MAX octets, inclusive, where the values of N_MIN and N_MAX are
>     specific to that algorithm.  The values of N_MAX and N_MIN MAY be
>     equal.  Each algorithm SHOULD accept a nonce with a length of twelve
>     (12) octets.  Randomized or stateful algorithms, which are described
>     below, MAY have an N_MAX value of zero.
>
>
> Clearly SIV modes can and should set N_MIN to zero.  I guess the N_MIN=1 got missed during the review of RFC 5297.  (I recall discussing the N_MAX guidance during the review process, but I think N_MIN went unnoticed.)

   Yes, SIV _can_ accept a zero-length nonce but since SIV is unique in that
it is both a probabilistic AEAD mode and a deterministic "keywrapping" mode
that also accepts AAD such a change might create some confusion. (Option 
3 of
Daniel's question).

>
> If N_MIN can be changed in RFC 5297 from 1 to 0 with an Errata, that would be the best way to go.   Otherwise, I suggest creating new IANA entries for the existing SIV modes that reference that RFC, but change N_MIN to zero.

   I can see why one would want to use SIV deterministically as a better
keywrapping scheme than AES-Keywrap (accepts AAD, no odd length requirements
on plaintext, no padding needed, has a security proof) but I don't see why
someone would want to use it probabilistically with a zero length nonce.
RFC 5116 is for AE modes not deterministic keywrapping modes and if someone
wants to use SIV in its AE mode then what's wrong with mandating he or she
passes at least a 1 byte nonce?

   Unless you can think of a way to avoid the confusion I'd rather not make
the change.

   regards,

   Dan.

> Best,
>
> David
>
> On 2/23/17, 9:08 PM, "Cfrg on behalf of Dan Harkins" <cfrg-bounces@irtf.org on behalf of dharkins@lounge.org> wrote:
>
>>    Hi Daniel,
>>
>> On 2/23/17 3:12 PM, Daniel Franke wrote:
>>> The IANA considerations section of RFC 5297 (Synthetic Initialization
>>> Vector (SIV) Authenticated Encryption Using the Advanced Encryption
>>> Standard (AES)) gives N_MIN as 1. However, S2V is perfectly capable of
>>> accepting zero-length arguments. Furthermore, passing a zero-length
>>> argument to S2V is distinct from not passing that argument at all (as
>>> done in the case deterministic encryption). How should an
>>> implementation behave when provided with a zero-length nonce?
>> The registry that RFC 5297 updated with its IANA Considerations was
>> created by RFC 5116 to specify parameters for nonce-based AEAD modes. So
>> when using RFC 5297 through that interface you're saying you want to
>> use a nonce. RFC 5297 places the most minimal of requirements on such
>> use: N_MIN of 1 octet.
>>
>>    The registry does not say what to do if someone tries to use the
>> mode in a way that is not defined for the registry so officially I
>> don't know what the answer is. We can evaluate your suggestions though.
>>
>> (As an example, AES-GCM can take a nonce of 16 octets but the registry
>> makes N_MIN = N_MAX = 12. What do you do if you send 16 octets to
>> AES-GCM through this interface? Got me.)
>>
>>> Should it return an error, since its length is under N_MIN?
>>    That would seem like the prudent thing to do since it is in violation
>> of the registry parameters.
>>> Should it pass it along to S2V just like any other nonce input?
>>    Since the registry mandates N_MIN as 1 then passing a zero length
>> nonce "just like any other nonce input" seems wrong. So I'd say don't
>> do that.
>>
>>> Or should it treat this as a request for deterministic encryption and
>>> not pass any nonce to S2V?
>>    Well the registry is not for deterministic encryption so I would
>> say using it that way is not appropriate and would not think this
>> is correct.
>>
>>    Seems to me that if you want to use AES-SIV (or any of the AEAD
>> modes from RFC 5116) in a way that is not defined by RFC 5116 then
>> use them through some raw interface and not the constrained one
>> created by RFC 5116. You'll note that the RFC 5116 interface also
>> assumes that all AAD is a single blob and does not support AES-SIV's
>> vector of AAD. What do you do with this registry if you need/want
>> to pass a vector of AAD to AES-SIV? Well, I'd say you don't use this
>> registry as your interface.
>>
>>    Hope this helps,
>>
>>    Dan.
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg