Re: [Cfrg] Proposed Informational Note: Security Guidelines for Cryptographic Algorithms in the W3C Web Cryptography API

David Gil <dgil@yahoo-inc.com> Thu, 20 November 2014 17:51 UTC

References: <546E0AE5.3040601@w3.org> <CACsn0cn+KX9J1NSUFhKV32iWL4KLHEPOKcXea3cD20QK2YeeaA@mail.gmail.com> <CAP4fkhhBs1QHj5OFoukJdBt2L=EL0PEZ8yefC8S-JRFM=4WX=Q@mail.gmail.com> <A113ACFD9DF8B04F96395BDEACB340420BE7E5EA@xmb-rcd-x04.cisco.com> <546E248E.8020305@elzevir.fr>
Message-ID: <1416505822.31934.YahooMailNeo@web310003.mail.ne1.yahoo.com>
Date: Thu, 20 Nov 2014 09:50:22 -0800
From: David Gil <dgil@yahoo-inc.com>
To: Manuel Pégourié-Gonnard <mpg@elzevir.fr>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, "jberliner@caa.columbia.edu" <jberliner@caa.columbia.edu>, Watson Ladd <watsonbladd@gmail.com>
In-Reply-To: <546E248E.8020305@elzevir.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/xlrTCKvxcnx8p-K62XY8oam3AQs
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Proposed Informational Note: Security Guidelines for Cryptographic Algorithms in the W3C Web Cryptography API

>On 20/11/2014 17:58, Scott Fluhrer (sfluhrer) wrote:
>>> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Jonathan Berliner
>>> "AES-CFB is not CCA secure. It is CPA-secure if the IV is random, but not if the
>>> IV is a nonce [rogaway11evaluation]."
>>> [...]
>>> This doesn't mean that "nonces" are insecure. "Non-random nonces" are
>>> insecure, but "random nonces" are secure.
>> 
>> I don't think that Rogaway wants to imply that using nonces necessarily implies
>> insecurity; instead, what he is saying is that if we assume that we use
>> nonces (and make no other assumption beyond that), that does not imply
>> security.  That is, we're not looking for things we know will lead to
>> weakness; we're looking for the necessary assumptions we need to make to know
>> that the cryptography is strong.
>
> I agree, but I think the sentence quoted above would be clearer this way:
> 
> "AES-CFB is not CCA secure. It is CPA-secure if the IV is random, but it is not
> enough for the IV to be a nonce [rogaway11evaluation]."

Could we please just use the terminology that every paper on crypto uses?

Standard jargon: IVs are always uniform (computationally hard 
pseudo)random strings. Nonces are strings that are used only once.

As Watson noted, an IV of sufficient length is with high probability
a nonce; best is to set len(IV) = 2*s, where s is the target security
strength.
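The len(IV) = 2*s rule above rests on the birthday bound: q uniformly random n-bit strings repeat with probability roughly q^2 / 2^(n+1), so a repeat becomes likely after about 2^(n/2) draws, and only n = 2*s pushes that point out to the 2^s messages the key itself is meant to withstand. The Python below is an added worked example written for this page, not code from the thread or from any W3C or CFRG document; the function names, the 1/2 collision threshold used as "likely", and the 16-bit Monte Carlo sample size are choices made here for illustration.

```python
import math
import os


def collision_probability(iv_bits: int, messages: int) -> float:
    """Birthday bound: probability that at least two of `messages`
    uniformly random IVs of `iv_bits` bits coincide, i.e. that some
    random IV fails to be a nonce.  Uses 1 - exp(-q(q-1)/2^(n+1)),
    which is accurate while q is well below 2^n."""
    q = messages
    return -math.expm1(-(q * (q - 1)) / 2 ** (iv_bits + 1))


def messages_until_collision(iv_bits: int, probability: float = 0.5) -> float:
    """Approximate number of random IVs that can be drawn before the
    chance of any repeat reaches `probability` (inverts the bound above:
    q ~= sqrt(2^(n+1) * ln(1/(1-p)))."""
    return math.sqrt(2 ** (iv_bits + 1) * -math.log1p(-probability))


def iv_length_meets_strength(iv_bits: int, security_bits: int) -> bool:
    """Check the rule of thumb len(IV) = 2*s: random IVs stay distinct
    (with probability at least 1/2) for at least 2^s messages, matching
    the 2^s work factor the key is meant to withstand."""
    return math.log2(messages_until_collision(iv_bits)) >= security_bits


def empirical_collision_rate(iv_bits: int, messages: int, trials: int) -> float:
    """Monte Carlo check of collision_probability() at a toy IV size:
    per trial, draw `messages` IVs from os.urandom and record whether
    any IV repeated.  Returns the fraction of trials with a repeat."""
    if iv_bits % 8:
        raise ValueError("iv_bits must be a multiple of 8")
    nbytes = iv_bits // 8
    collided = 0
    for _ in range(trials):
        buf = os.urandom(messages * nbytes)          # all IVs for one trial
        ivs = {buf[i * nbytes:(i + 1) * nbytes] for i in range(messages)}
        if len(ivs) < messages:                      # a set drops duplicates
            collided += 1
    return collided / trials


if __name__ == "__main__":
    # Random IVs of s bits repeat after ~2^(s/2) messages; 2*s bits after ~2^s.
    for n in (64, 96, 128, 256):
        q = math.log2(messages_until_collision(n))
        print(f"{n:3d}-bit random IV: ~2^{q:.1f} messages before a repeat is likely")
    print("s=128: 128-bit IV meets rule?", iv_length_meets_strength(128, 128))
    print("s=128: 256-bit IV meets rule?", iv_length_meets_strength(256, 128))
    # Toy-size sanity check of the formula against actual random draws.
    print("16-bit IV, 300 messages: formula %.3f, measured %.3f"
          % (collision_probability(16, 300), empirical_collision_rate(16, 300, 2000)))
```

The check is also where the caveat for the mode under discussion shows up: AES-CFB's IV is fixed at one block, 128 bits, so at a 128-bit target strength the 2*s rule cannot be satisfied by the IV alone and a random IV is only expected to stay unique for on the order of 2^64 messages per key; past that a deployment needs a key rotation limit rather than a longer IV.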