Re: [Cfrg] Attacker changing tag length in OCB

Richard Barnes <rlb@ipv.sx> Wed, 29 May 2013 15:44 UTC

From: Richard Barnes <rlb@ipv.sx>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Date: Wed, 29 May 2013 11:44:32 -0400
Subject: Re: [Cfrg] Attacker changing tag length in OCB
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1151AC7071C@WSMSG3153V.srv.dir.telstra.com>
References: <20130528162226.1401.91015.idtracker@ietfa.amsl.com> <255B9BB34FB7D647A506DC292726F6E1151AC7071C@WSMSG3153V.srv.dir.telstra.com>
Message-ID: <CAL02cgSt_qYpXfQLAXoAa6bbMXoYiSBAUe9gHQ1JO3M2GbOOhw@mail.gmail.com>

James,

Don't most current AEAD modes have this property?  Namely, that there's no
protection on the length of the authentication tag.  Off the top of my
head, it seems that GCM, CCM, and SIV all have this property.

So while it might be nice for OCB to fix this issue, implementations
processing AEAD messages will still have to enforce minimum tag lengths on
their own.

--Richard



On Tue, May 28, 2013 at 8:47 PM, Manger, James H <James.H.Manger@team.telstra.com> wrote:

> >       Title           : The OCB Authenticated-Encryption Algorithm
> >       Filename        : draft-irtf-cfrg-ocb-02.txt
> > http://tools.ietf.org/html/draft-irtf-cfrg-ocb-02
>
> OCB with tag lengths of 64, 96, and 128 bits are defined. 64-bit and
> 96-bit tags are simply truncated 128-bit tags. The tag length is not mixed
> into the ciphertext. It never affects any input to an AES operation.
>
> Consequently, given a valid output from the AEAD_AES_128_OCB_TAGLEN128
> algorithm it is trivial to produce a valid output from the
> AEAD_AES_128_OCB_TAGLEN64 algorithm -- just drop the last 8 bytes.
>
> Is this ok?
>
> Another consequence is that an attacker wanting to change the additional
> data (eg from saying "TOP SECRET" to "PUBLIC") while keeping the same
> plaintext only has to defeat the shortest tag a recipient accepts,
> regardless of the tag applied by the originator.
>
> Is this ok? It doesn’t feel ok.
>
> Of course if a recipient accepts 64-bit tags an attacker can forge
> messages with a probability of 2^-64. However, that doesn’t seem to be
> exactly the same as forging a message with the same plaintext as a message
> originally authenticated with a 128-bit tag.
>
> Would OCB be better if the algorithms with different tag lengths couldn’t
> affect each other? Perhaps restricting the nonce to <126 bits (instead of
> <128 bits) and encoding the tag length in 2 bits.
>
> --
> James Manger
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>
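The property both messages describe (a 64-bit tag is just the first 8 bytes of the 128-bit tag, and the tag length is never an input to the cipher) and the two responses to it (Richard's "enforce a minimum tag length in the implementation" and James's "spend 2 nonce bits on the tag length") can be made concrete with a small model. The code below is an added example and is not from the thread, the OCB draft, or any OCB implementation: it uses an HMAC-SHA-256 tag and a SHA-256 counter keystream as a stand-in for OCB's AES internals, and the 2-bit tag-length codes and the "leading nonce byte" layout are assumptions chosen only to illustrate the proposal. The key, nonce, AD and plaintext are constructed sample values.

```python
import hashlib
import hmac

# Hypothetical 2-bit codes for the three draft tag lengths (assumption, not from the draft).
TAGLEN_CODE = {64: 0b01, 96: 0b10, 128: 0b11}

# Constructed sample inputs (not real keys or traffic).
KEY = bytes(range(16))
NONCE = bytes(range(100, 115))          # 120-bit nonce, leaving room for the 2-bit code
AD = b"TOP SECRET"
PT = b"constructed plaintext"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: stand-in for OCB's AES-based encryption."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def _full_tag(key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    """128-bit tag over (nonce, AD, ciphertext). The tag length is NOT an input,
    which mirrors the draft-02 behaviour James describes."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(len(nonce).to_bytes(1, "big") + nonce)
    mac.update(len(ad).to_bytes(8, "big") + ad)
    mac.update(ct)
    return mac.digest()[:16]


def _effective_nonce(nonce: bytes, taglen: int, bind_taglen: bool) -> bytes:
    # James's proposal: shrink the nonce and encode the tag length in 2 bits,
    # so every cipher input differs between TAGLEN64/96/128 (layout is an assumption).
    return bytes([TAGLEN_CODE[taglen]]) + nonce if bind_taglen else nonce


def seal(key, nonce, ad, pt, taglen=128, bind_taglen=False) -> bytes:
    """Return ciphertext || tag. 64/96-bit tags are truncated 128-bit tags."""
    if taglen not in TAGLEN_CODE:
        raise ValueError("unsupported tag length")
    n = _effective_nonce(nonce, taglen, bind_taglen)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, n, len(pt))))
    return ct + _full_tag(key, n, ad, ct)[: taglen // 8]


def open_(key, nonce, ad, msg, taglen=128, bind_taglen=False, min_taglen=128) -> bytes:
    """Verify and decrypt. min_taglen is the receiver-side policy Richard refers to:
    the implementation, not the mode, refuses tags shorter than it is willing to accept."""
    if taglen not in TAGLEN_CODE:
        raise ValueError("unsupported tag length")
    if taglen < min_taglen:
        raise ValueError("tag length below receiver policy")
    tlen = taglen // 8
    if len(msg) < tlen:
        raise ValueError("message too short")
    ct, tag = msg[:-tlen], msg[-tlen:]
    n = _effective_nonce(nonce, taglen, bind_taglen)
    if not hmac.compare_digest(tag, _full_tag(key, n, ad, ct)[:tlen]):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, n, len(ct))))


def truncated_tag_verifies(bind_taglen: bool) -> bool:
    """Take a valid TAGLEN128 output, drop its last 8 bytes, and check whether a
    receiver that accepts 64-bit tags treats it as a valid TAGLEN64 output."""
    msg128 = seal(KEY, NONCE, AD, PT, 128, bind_taglen)
    msg64 = msg128[:-8]
    try:
        open_(KEY, NONCE, AD, msg64, 64, bind_taglen, min_taglen=64)
        return True
    except ValueError:
        return False


def policy_rejects_short_tag() -> bool:
    """Without the nonce-binding change, the only defence is the receiver's minimum."""
    msg64 = seal(KEY, NONCE, AD, PT, 64)
    try:
        open_(KEY, NONCE, AD, msg64, 64, min_taglen=128)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("unbound, truncated 128-bit tag accepted as 64-bit:", truncated_tag_verifies(False))
    print("tag length bound into nonce, same trick accepted:", truncated_tag_verifies(True))
    print("receiver minimum of 128 bits rejects 64-bit tag:", policy_rejects_short_tag())
```

With `bind_taglen=False` the truncated message verifies, which is the "just drop the last 8 bytes" observation. With `bind_taglen=True` the TAGLEN128 and TAGLEN64 computations use different effective nonces, so the truncated tag no longer matches and the keystream differs as well. `policy_rejects_short_tag` shows the implementation-level check Richard says receivers need regardless of what the mode does.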