Re: [Cfrg] Proposed Informational Note: Security Guidelines for Cryptographic Algorithms in the W3C Web Cryptography API

Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu, 20 November 2014 17:27 UTC

Message-ID: <546E248E.8020305@elzevir.fr>
Date: Thu, 20 Nov 2014 18:27:42 +0100
From: Manuel Pégourié-Gonnard <mpg@elzevir.fr>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, "jberliner@caa.columbia.edu" <jberliner@caa.columbia.edu>, Watson Ladd <watsonbladd@gmail.com>
References: <546E0AE5.3040601@w3.org> <CACsn0cn+KX9J1NSUFhKV32iWL4KLHEPOKcXea3cD20QK2YeeaA@mail.gmail.com> <CAP4fkhhBs1QHj5OFoukJdBt2L=EL0PEZ8yefC8S-JRFM=4WX=Q@mail.gmail.com> <A113ACFD9DF8B04F96395BDEACB340420BE7E5EA@xmb-rcd-x04.cisco.com>
In-Reply-To: <A113ACFD9DF8B04F96395BDEACB340420BE7E5EA@xmb-rcd-x04.cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/v0HkwDqCdrkrM_Z6UuzEXR4_LKQ
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Proposed Informational Note: Security Guidelines for Cryptographic Algorithms in the W3C Web Cryptography API

On 20/11/2014 17:58, Scott Fluhrer (sfluhrer) wrote:
>> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Jonathan Berliner
>> "AES-CFB is not CCA secure. It is CPA-secure if the IV is random, but not if the
>> IV is a nonce [rogaway11evaluation]."
>> [...]
>> This doesn't mean that "nonces" are insecure. "Non-random nonces" are
>> insecure, but "random nonces" are secure.
> 
> I don't think that Rogaway wants to imply that using nonces necessarily imply
> insecurity; instead, what he is saying is that if we assume that we use
> nonces (and make no other assumption beyond that), that does not imply
> security.  That is, we're not looking for things we know will lead to
> weakness; we're looking for the necessary assumptions we need to make to know
> that the cryptography is strong.
> 
I agree, but I think the sentence quoted above would be clearer this way:

"AES-CFB is not CCA secure. It is CPA-secure if the IV is random, but it is not
enough for the IV to be a nonce [rogaway11evaluation]."

>> According to the flow of the document, "random IVs" are also insecure,
>> because they may be used more than once.
> 
> Actually, if the IV's are actually chosen at random, we can show that the
> probability of selecting the same IV twice is negligible.
> 
It depends on the length of the IV and how many packets you encrypt with the
same keys. For example, with GCM as used in TLS, only 64 bits of IV are possibly
random. This means, with random IVs, you can expect collisions if you send more
than 2^32 records, which can totally happen in some usages of TLS.

Manuel.
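An added worked example of the birthday-bound argument in the last paragraph (example code written for this archive page, not part of Manuel's message): it computes the collision probability for a 64-bit random IV after 2^32 records, the record count at which a collision becomes an even bet, and checks the bound empirically with a small IV size so it runs quickly. The 4-byte salt / 8-byte explicit nonce split mentioned in the comments is the TLS 1.2 AES-GCM layout from RFC 5288.

```python
import math
import random


def iv_collision_probability(iv_bits: int, n_messages: int) -> float:
    """Birthday bound: probability that at least two of n_messages IVs,
    each drawn uniformly from 2**iv_bits values, coincide.
    Uses the standard approximation 1 - exp(-n(n-1) / (2 * 2**bits))."""
    space = 2 ** iv_bits
    exponent = n_messages * (n_messages - 1) / (2 * space)
    return -math.expm1(-exponent)  # 1 - e^-x, accurate for small x


def messages_for_probability(iv_bits: int, p: float) -> float:
    """Approximate number of messages after which a collision has occurred
    with probability p (inverse of the bound above)."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1.0 / (1.0 - p)))


def simulate_collision_rate(iv_bits: int, n_messages: int,
                            trials: int, seed: int = 1) -> float:
    """Empirical check with a small IV so it finishes quickly: fraction of
    trials in which n_messages random IVs contained a repeat."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    space = 2 ** iv_bits
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n_messages):
            iv = rng.randrange(space)
            if iv in seen:
                hits += 1
                break
            seen.add(iv)
    return hits / trials


if __name__ == "__main__":
    # TLS 1.2 AES-GCM (RFC 5288): 96-bit nonce = 32-bit fixed salt from the
    # key block + 64-bit explicit part, so only 64 bits can vary per record,
    # which is the case Manuel describes.
    print(f"P(collision) after 2^32 records, 64-bit random IV: "
          f"{iv_collision_probability(64, 2 ** 32):.3f}")
    print(f"records for a 50% collision chance: "
          f"{messages_for_probability(64, 0.5):.3e}")
    print(f"empirical rate, 16-bit IV, 256 msgs: "
          f"{simulate_collision_rate(16, 256, 2000):.3f}")
```

With a 64-bit random IV the collision probability after 2^32 records is already about 0.39, and the 50% mark sits between 2^32 and 2^33 records, which is why a counter-based explicit nonce is the safer choice for high-volume connections.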