IETF Logo Mail Archive

Re: [Cfrg] GCM nonce reuse question

Mike Jones <Michael.Jones@microsoft.com> Tue, 02 April 2013 15:00 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E0F721F8652 for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2013 08:00:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pvou3S8Jhx-e for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2013 08:00:43 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0206.outbound.protection.outlook.com [207.46.163.206]) by ietfa.amsl.com (Postfix) with ESMTP id 33B0F21F8AE8 for <cfrg@irtf.org>; Tue, 2 Apr 2013 08:00:40 -0700 (PDT)
Received: from BL2FFO11FD010.protection.gbl (10.173.161.201) by BL2FFO11HUB009.protection.gbl (10.173.161.111) with Microsoft SMTP Server (TLS) id 15.0.664.0; Tue, 2 Apr 2013 15:00:33 +0000
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD010.mail.protection.outlook.com (10.173.161.16) with Microsoft SMTP Server (TLS) id 15.0.664.0 via Frontend Transport; Tue, 2 Apr 2013 15:00:32 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.224]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.02.0318.003; Tue, 2 Apr 2013 15:00:24 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>
Thread-Topic: GCM nonce reuse question
Thread-Index: Ac4rPAw7MkpmLDvlR4e6aC3llihwKgAccr0AAONxSwAAHM3xgAAAVAuAAAAxzlA=
Date: Tue, 02 Apr 2013 15:00:23 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943675A60AB@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B183F0C52@xmb-rcd-x04.cisco.com> <9DF44126-18A2-4C28-A470-B3B2DB4A48A3@ve7jtb.com>
In-Reply-To: <9DF44126-18A2-4C28-A470-B3B2DB4A48A3@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943675A60ABTK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(199002)(164054002)(189002)(377424002)(66654001)(377454001)(52604002)(24454001)(47736001)(50986001)(71186001)(59766001)(54356001)(5343655001)(55846006)(47976001)(49866001)(80022001)(5343635001)(31966008)(77982001)(63696002)(20776003)(65816001)(512954001)(16297215001)(66066001)(79102001)(76482001)(33656001)(46102001)(51856001)(16236675001)(56776001)(16406001)(56816002)(54316002)(15202345001)(81342001)(74502001)(69226001)(74662001)(47446002)(4396001)(44976002)(53806001); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB009; H:TK5EX14HUBC101.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 08041D247D
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Jim Schaad <jimsch@augustcellars.com>
Subject: Re: [Cfrg] GCM nonce reuse question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 15:00:46 -0000

Actually, I was about to ask a similar question.  It's actually my assumption that it likely OK to perform multiple draft-mcgrew-aead-aes-cbc-hmac-sha2 operations where the Plaintext, Initialization Vector, and Key inputs are constant and the Additional Associated Data varies.  My reasoning is as follows...

The Authentication Tag outputs are the result of HMAC-SHA-2 operations over a combination of the AAD and Ciphertext using the HMAC Key.  For there to be a problem with the above, there would have to be a problem with using the same HMAC key on multiple distinct inputs.  But for there to be a problem with using the same HMAC key on multiple distinct inputs, I believe that effectively rests on whether there's a problem using the underlying hash function on multiple inputs.  Which if true, would mean that the cryptographic hash function doesn't have the desired cryptographic properties in the first place.

I'll readily admit that there could easily be a flaw in my chain of logic.  But on the surface of it, it seems like draft-mcgrew-aead-aes-cbc-hmac-sha2 operations should be OK in the multiple recipients case in a way that GCM isn't.

Thoughts?

                                                            -- Mike

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Tuesday, April 02, 2013 7:41 AM
To: David McGrew (mcgrew)
Cc: Mike Jones; Jim Schaad; cfrg@irtf.org
Subject: Re: GCM nonce reuse question

David,

For draft-mcgrew-aead-aes-cbc-hmac-sha2 is the issue the same for using the same MAC_KEY, ENC_KEY  , IV  and plaintext with different AEAD.

I am guessing no good can come of that, but is it a known problem?

The other question is if doing the same thing but making the MAC_KEY different, while keeping the same ENC_KEY  for each AEAD avoids the problem?

The question comes up when trying to use encryption to multiple recipients where you are trying to use the same IV and ENC_KEY but allow for integrity protecting the algorithm identifier and other data that may be different for each recipient.

I expect that the simple solution of not integrity protecting the algorithm and key_id for the key wrapping and allowing RSA-OAEP to be replaced with RSA1_5 or other alg substitution attacks is no longer a recommended practice.

Perhaps using the AEAD to integrity protect the envelope information is something that only really works in the single recipient case, and some other method is needed for multiple recipients.

Thanks
John B.

On 2013-04-02, at 10:32 AM, "David McGrew (mcgrew)" <mcgrew@cisco.com<mailto:mcgrew@cisco.com>> wrote:


Hi Mike,

From: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
Date: Monday, April 1, 2013 8:54 PM
To: David McGrew <mcgrew@cisco.com<mailto:mcgrew@cisco.com>>, Jim Schaad <jimsch@augustcellars.com<mailto:jimsch@augustcellars.com>>
Cc: "cfrg@irtf.org<mailto:cfrg@irtf.org>" <cfrg@irtf.org<mailto:cfrg@irtf.org>>, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>>
Subject: RE: GCM nonce reuse question

Hi David,

In reading this thread and http://tools.ietf.org/html/draft-mcgrew-iv-gen-02, I believe that it's OK, however if the usage is:

(Recipient #1 ciphertext, Recipient #1 authentication tag) = GCM(Key, Recipient #1 data, nonce #1, plain text)
(Recipient #2 ciphertext, Recipient #2 authentication tag) = GCM(Key, Recipient #2 data, nonce #2, plain text)

where nonce #1 and nonce #2 are guaranteed to be distinct?  Am I reading things correctly in that regard?

Yes, that looks good.

David


                                                                Thanks,
                                                                -- Mike

From: cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org> [mailto:cfrg-bounces@irtf.org] On Behalf Of David McGrew (mcgrew)
Sent: Thursday, March 28, 2013 4:15 AM
To: Jim Schaad
Cc: cfrg@irtf.org<mailto:cfrg@irtf.org>
Subject: Re: [Cfrg] GCM nonce reuse question

Hi Jim,

From: Jim Schaad <jimsch@augustcellars.com<mailto:jimsch@augustcellars.com>>
Date: Wednesday, March 27, 2013 6:43 PM
To: David McGrew <mcgrew@cisco.com<mailto:mcgrew@cisco.com>>
Cc: "cfrg@irtf.org<mailto:cfrg@irtf.org>" <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: GCM nonce reuse question

David,

In doing a write up I became worried about a security property of the GCM encryption mode in the way that the JOSE group is currently using it.

There are known problems with not having a unique set of values for IVs and Key pairings.  Do these problems apply to having a different set of auxiliary data as well as the plain text?


Yes.  The security issues are summarized in http://tools.ietf.org/html/rfc5116#section-5.1.1  but apparently they are not described generally enough.   They should read "plaintext or associated data values".

Specifically the current way that GCM mode is being used in JOSE is

Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain text)
Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain text)

As the key, nonce and plain text are fixed it would produce the same encrypted text value but different authentication tags.


Can't do that.   Each invocation of the encryption operation needs a distinct nonce, unless all of the encryption operation inputs are identical.

Many thanks for calling this out, Jim.

David

Jim

v2.23.0 | Report a Bug | By Email