Re: [Cfrg] draft-mcgrew-aead-aes-cbc-hmac-sha2-00: unsafe to optionally hash A's length

David Wagner <daw@cs.berkeley.edu> Wed, 13 June 2012 19:34 UTC

Return-Path: <daw@cs.berkeley.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC6E21F8595 for <cfrg@ietfa.amsl.com>; Wed, 13 Jun 2012 12:34:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id siPmKtWtpYq3 for <cfrg@ietfa.amsl.com>; Wed, 13 Jun 2012 12:34:57 -0700 (PDT)
Received: from taverner.cs.berkeley.edu (taverner.CS.Berkeley.EDU [128.32.153.193]) by ietfa.amsl.com (Postfix) with ESMTP id D70F521F8569 for <cfrg@irtf.org>; Wed, 13 Jun 2012 12:34:54 -0700 (PDT)
Received: from taverner.cs.berkeley.edu (localhost.localdomain [127.0.0.1]) by taverner.cs.berkeley.edu (8.14.2/8.14.2) with ESMTP id q5DJYsDf024473 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 13 Jun 2012 12:34:54 -0700
Received: (from daw@localhost) by taverner.cs.berkeley.edu (8.14.2/8.14.2/Submit) id q5DJYssj024472; Wed, 13 Jun 2012 12:34:54 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <201206131934.q5DJYssj024472@taverner.cs.berkeley.edu>
To: cfrg@irtf.org
Date: Wed, 13 Jun 2012 12:34:54 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [Cfrg] draft-mcgrew-aead-aes-cbc-hmac-sha2-00: unsafe to optionally hash A's length
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2012 19:34:58 -0000

David Wagner  wrote:
>Manger, James H wrote:
>>I am not certain that the way the length of the additional data (A) is
>>optionally hashed is safe.
>>
>>1. Legitimate user sends A and C = S || T, where T = HMAC(A || S || len(A)).
>>
>>2. Attacker intercepts & rearranges the message, sending an empty A' and
>>C' = A || S || len(A) || T.
>>
>>3. Recipient verifies T' = HMAC(S'), since len(A) = 0 = MIN_LEN_A so AL
>>is empty.
>>  T' = HMAC(S') = HMAC(A || S || len(A)) = T
>>The verification passes! Yikes! The recipient now gets garbage from the
>>decryption.
>
>Doesn't the length field take care of this concern?

Oops, I was confused.  I missed the following statement in Section 2.1
of the draft:

   5.  The octet string AL is computed as follows.  If len(A) =
       MIN_LEN_A, then AL is the zero-length string.  Otherwise, it is
       equal to the number of bits in A expressed as a 64-bit unsigned
       integer in network byte order.

Consequently, my email was wrong, and James Manger was perfectly correct.
 Thank you to Santosh Chokhani for pointing out my error.

So I think James Manger has a good point.  Now that I re-read James's
email more carefully, the special case for len(A) = MIN_LEN_A looks
unsafe to me, too.

The rationale does not explain why it is safe to include this special
case.  Some commentary on the rationale (Section 4):

:  The MIN_LEN_A parameter is included
:  so that it is possible to use CBC-HMAC in a way that corresponds to
:  existing uses of CBC and HMAC.  Some existing systems (such as ESP or
:  IEEE 1619.1) make use of those algorithms, but do not include the
:  length of the associated data in the HMAC input.  These systems can
:  be secure because the length of the associated data is fixed, or can
:  be inferred by other means.  The MIN_LEN_A parameter allows the AL
:  field to be zero-length when both the encrypter and the decrypter
:  know the length of the associated data field.  This enables
:  implementations of CBC-HMAC to be compatible with existing systems
:  that do not include the length of A in the HMAC input.

This justifies why the special case provides compatibility, but does
not justify why the special case is secure.

Here's one possible way to handle this that might meet the security and
compatibility needs.  For each of the existing algorithms, you could
create a separate partner algorithm that does not support authenticated
data.  In those algorithms, A and AL are always the empty string.  It is
assumed that the sender and recipient have an out-of-band way to agree on
the algorithm used, with no possibility of confusion and no possibility
for them to get out of sync on this; the security of the scheme relies
upon this assumption.