IETF Logo Mail Archive

Re: [COSE] COSE Support for AES-CTR and AES-CBC

Brendan Moran <brendan.moran.ietf@gmail.com> Mon, 14 November 2022 21:53 UTC

Return-Path: <brendan.moran.ietf@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEFFBC14F724 for <cose@ietfa.amsl.com>; Mon, 14 Nov 2022 13:53:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id InF6qJtkZ6YP for <cose@ietfa.amsl.com>; Mon, 14 Nov 2022 13:53:41 -0800 (PST)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13AF3C14F734 for <cose@ietf.org>; Mon, 14 Nov 2022 13:53:41 -0800 (PST)
Received: by mail-qt1-x830.google.com with SMTP id fz10so7687296qtb.3 for <cose@ietf.org>; Mon, 14 Nov 2022 13:53:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=GnfLSb0Lyg1uMDiorFKAvCA/lUIMXi61XJpJ79Ot73M=; b=qkom9xjBhnhUkBjJnTm6JODXScoNWMVzkdOPW++aPpxsTZ7j1/1ciw7xqhLpzV9Pqe F4cAyvweVMwy/Y/U1CXs9GKEETN8NdhhTV5dy3AcDLq62AKed7X9UwnitjljkwSo+t6O hbM1nKtQJdfnEFrecsqkcVxtnq7xQ5QNxfeLpan6ZsL82S5QjVXeae30FLTfsoR5ZQ2D RgKowcF7uQ74bnNv0B4XtOPTiM5SNp8n7EWouMG8bPAxKOKe+QbL7cOkVZhv4u9k6kw7 +1G7/qqtOejOT8gjAR+O7rc8DKDvo965YVTdY4/zS8OfM+nXdi4mYiwkMqy0O31kRqfd b6Lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GnfLSb0Lyg1uMDiorFKAvCA/lUIMXi61XJpJ79Ot73M=; b=FArizXWultLkYwG6fPAVNP5eVKW+jPnLEqNyeVhl4pe5IFvGNk7G7KbF1zEipwQjZl l9tantOftARFUUh7oJN92BRUDSX7PUXFIWrp2aKkpBiUCzcuijwyrAFeeN8Ykq+qGwAb 2c5MEgId5dxCxWQIJVfmFmXhnRmMObNzOhW69zyt7PSrZVbQfqxZLkOKv563kT1bZbMA 9cEP+Gmk6WMoVt7p1WLQUhzYQCQp1tKmGf7vrcvwk6wilon/6NaOzTqvIP5BRi/morKh iRyYyAF5sC6pvD8P1xcnp2u79DcPe7I7dg3Spszbf2pYsRufcwHoLO6DcugnLwaGWlkh YULA==
X-Gm-Message-State: ANoB5pk1R9ve52HnbqTKhFCUadY1sPL+209G2q23EbmEiKsb6bovvXN2 T1QTTaSlA4HDGWrHV9OoCbZqfJSxB972rsuNCJc=
X-Google-Smtp-Source: AA0mqf7Xq/fKplBy48NhOBMEaLAGVbJWLJgAmFpuZ06ADsyDD4BWSRgl0GUo1VK5PL5z0tg7Bh4BjfXb4hJp+VYvx7g=
X-Received: by 2002:a05:622a:191c:b0:3a5:6373:f83a with SMTP id w28-20020a05622a191c00b003a56373f83amr14279884qtc.506.1668462819873; Mon, 14 Nov 2022 13:53:39 -0800 (PST)
MIME-Version: 1.0
References: <CO1PR00MB13086039D60B9997AE5F5928F54E9@CO1PR00MB1308.namprd00.prod.outlook.com> <SA1PR00MB1310AB40F32B3B2E9FC36D31F5239@SA1PR00MB1310.namprd00.prod.outlook.com> <ADE35F26-5BF8-4205-A8B5-36C1F55E8207@vigilsec.com> <32d84d35531543469a4a196a7b137cb1@amazon.com> <39D0918E-F757-4205-9D27-882E4587F95A@vigilsec.com> <CAPmVn1N7brE5SsgTU9n3ubCY3NExZfrgobkubRx7671LbU5Tcg@mail.gmail.com> <CAPmVn1OJgeVGkjBnjh-1zQcvptWDqSnE4YiAd7wM7-Eh-0xg=A@mail.gmail.com> <CH0PR11MB54440ECC855D3FF9ABB28551C13C9@CH0PR11MB5444.namprd11.prod.outlook.com> <0FC770F8-8E4E-44EA-AC55-BB5E1C8EAF27@vigilsec.com> <CAPmVn1OT9sHngCQwbParMdMLH-EVfuJvtsOxqTXF6Ku2d9Dg3A@mail.gmail.com> <6E40DA4A-71A5-4B1B-93A7-EC9C7E298376@vigilsec.com> <CACTP9nvAHGxQYrwt0hX=KuUH4AY+-fU67=GRW+XhtXqX6xUpOw@mail.gmail.com>
In-Reply-To: <CACTP9nvAHGxQYrwt0hX=KuUH4AY+-fU67=GRW+XhtXqX6xUpOw@mail.gmail.com>
From: Brendan Moran <brendan.moran.ietf@gmail.com>
Date: Mon, 14 Nov 2022 21:53:27 +0000
Message-ID: <CAPmVn1OiP60jo+tiDZU4Rx1F6g_JU2gc+yEVPayiNQ0QvnWrvg@mail.gmail.com>
To: David Brown <david.brown@linaro.org>
Cc: Russ Housley <housley@vigilsec.com>, Scott Fluhrer <sfluhrer@cisco.com>, "Arciszewski, Scott" <scottarc@amazon.com>, "cose@ietf.org" <cose@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/J-S7M-dQxzwo-5i1bDb-rUMIqwQ>
Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2022 21:53:45 -0000

There are two variants of AES-GCM in firmware encryption that we could use.

1) out-of-order receipt, on-the-fly decryption. This is what Scott's
proposal enables. It comes with a catch: an attacker can modify the
ciphertext and it won't be detected until the last block of ciphertext
is received; meanwhile the attacker-controlled plaintext is present on
the recipient. This may have a risk if the attacker has a way to
recover any of the plaintext from the recipient.

2) ciphertext stored in NVM, decrypt during image swap. I think this
may be the simplest case. A single tag for the whole image is probably
acceptable, which would mean the tag can be verified post-download.
The tag could also be verified prior to swap. The only time that
decryption might occur without the tag being verified is if a swap
resume needs to be executed after a mid-swap failure. It's possible
that there is a workaround for this scenario, but it involves the
bootloader re-encrypting the already-swapped blocks of firmware image
in order to verify the GCM tag; I don't think it's safe to assume this
will always be the case. It does limit the attacks against an AES-GCM
implementation of SUIT to those that have physical access to the
target and can induce faults (e.g. reboots) at just the right moment
to interrupt the swap process. Even then, the system still has a hash
of the plaintext available to verify the image once decrypted.

Best Regards,
Brendan

On Mon, Nov 14, 2022 at 9:38 PM David Brown <david.brown@linaro.org> wrote:
>
> I'm not sure this is quite right. As I understand what Scott/Brendan is suggesting in #2 is that we use AES-GCM, and we verify the tag when the initial message is received. Then, when we piece-by-piece decrypt it, the tag is not verified, because we are not verifying the entire image.
>
> I like this approach, because we don't have to say that it is AES-CTR. But, I'm a little concerned that our implementation is effectively implementing this after the tag has been verified. I think we limit damage from ciphertext modification because after the entire image is decrypted, we validate a signature over the plaintext.
>
> This gives us the best of both, and would be acceptable to mcuboot.
>
> David
>
> On Tue, Nov 8, 2022 at 4:20 AM Russ Housley <housley@vigilsec.com> wrote:
>>
>> I am not sure that #2 meets the requirement.  At least one bootloader implementer has said that it is hard enough to finds space for the signature value, but adding authentication tags on top of that is too hard.
>>
>> Russ
>>
>> On Nov 8, 2022, at 5:24 AM, Brendan Moran <brendan.moran.ietf@gmail.com> wrote:
>>
>> Am I correct in understanding that we have three options as far as the SUIT use case goes?
>>
>> We register an algorithm identifier for AES-CTR, mark it as deprecated.
>> We take a variant of AES-GCM to cfrg; one where plaintext data explicitly IS returned before the tag is verified. If cfrg review determines it is appropriate, we register an algorithm identifier, and mark it as deprecated.
>> We use a block-wise AEAD that is already in COSE and accept that there is a payload inflation due to the additional tags.
>>
>> Best Regards,
>> Brendan
>>
>> On Mon, Nov 7, 2022 at 6:29 PM Russ Housley <housley@vigilsec.com> wrote:
>>>
>>> Scott:
>>>
>>> The AES-CCM specification says:
>>>
>>>    If the T value is not correct, the receiver MUST NOT reveal any
>>>    information except for the fact that T is incorrect.  The receiver
>>>    MUST NOT reveal the decrypted message, the value T, or any other
>>>    information.
>>>
>>> My reading of the NIST AES-GCM specification has a similar requirement:
>>>
>>>    If T = T′, then return P; else return FAIL.
>>>
>>> So, your technique works from a math perspective, but it does not honor this requirement.
>>>
>>> Russ
>>>
>>>
>>> On Nov 7, 2022, at 8:46 AM, Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org> wrote:
>>>
>>> Here’s how out-of-order GCM works:
>>>
>>> The decryption part is easy; if you know where the ciphertext fragement falls within the overall message, then it is obvious how to select the AES input to decrypt it properly.
>>>
>>> What’s less obvious is the integrity piece; that is, how to compute the GCM tag (so that you can compare the value you compute to the tag included with the ciphertext).  Yes, it can be done; to see how it is done, we need to explore how GCM tags are computed:
>>>
>>> With GCM, we take the ciphertext (and the AAD), and convert them into a series of 16 byte values M_n, M_{n-1}, M_{n-2}, …, M_1; this mapping is quite simple (so 16 bytes of the ciphertext are placed into a single M_i value).  Once we do that, we compute:
>>>
>>>    M_n H**n + M_{n-1} H**{n-1} + … + M_1 H**1
>>>
>>> (and then, we add in a value that depends on the nonce, and that’s the tag – that part isn’t affected by out-of-the-order processing.
>>>
>>> Now, the multiplication operations (both in evaluating H**n and multiplying M_n with H**n), and the addition operations are both in GF(2**128); these are not the traditional schoolbook operations, instead, the multiplication looks odd, and the addition operation can be implemented by bitwise xor’ing the two values together); however all the traditional ways of rearranging operations work (and any GCM implementation will already have the appropriate multiplication logic already).
>>>
>>> So, when we need to implement out-of-order evaluation of the above polynomial, that is, if we get the parts of the ciphertext that corresponds to M_a, M_{a-1}, …, M_b, (where c = a-b), what we can do is evaluate the intermediate polynomial:
>>>
>>> M_a H**c + M_{a-1} H**{c-1} + ... + M_b H**0.
>>>
>>> Once we have that, we can compute H**b (which can be done with log(b) multiplications), and multiply the polynomial with that.  The result of that is:
>>>
>>> M_a H**a + M_{a-1} H**{a-1} + … + M_b H**b.
>>>
>>> We can add that to the running sum.
>>>
>>> Once we have all the fragments, we have the sum; if you add them all together, that’s the formula GCM expects, and so we can compute the expected tag.
>>>
>>> Just some notes:
>>>
>>>
>>> If the ciphertext fragment you have doesn’t happen to fall on nice 16 byte boundaries, you can zero fill in the first and last word and it still works.  For example, if you have a two byte fragment that falls across a 16 byte boundary ABCD, you would process this as the two words 0000000000000AB and CD00000000000000
>>> One thing that this depends on is that you get all the fragments, and you get each one exactly once; if you get one of the fragments twice and add both to the running sum, well, this doesn’t work.
>>>
>>>
>>> From: Brendan Moran <brendan.moran.ietf@gmail.com>
>>> Sent: Monday, November 7, 2022 6:33 AM
>>> To: Russ Housley <housley@vigilsec.com>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
>>> Cc: Arciszewski, Scott <scottarc@amazon.com>; cose@ietf.org; s.fluhrer@cisco.com
>>> Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC
>>>
>>> Sorry, I had the wrong email address for Scott.
>>>
>>> I’m trying to understand some of the concerns that have been raised. I understand that AES-GCM is not exposed to the concerns that Sophie and has raised?
>>>
>>> If we used AES-GCM with out of order reception and on-the-fly decryption, would that mitigate the risks?
>>>
>>> Best Regards,
>>> Brendan
>>>
>>> On Mon, 7 Nov 2022 at 11:03, Brendan Moran <brendan.moran.ietf@gmail.com> wrote:
>>>
>>> I talked with Scott Fluhrer today about this use case and he’s pointed out that GCM can be processed out of order.
>>>
>>> Scott, would you be able to elaborate on this?
>>>
>>> Best Regards,
>>> Brendan
>>>
>>> On Wed, 26 Oct 2022 at 22:51, Russ Housley <housley@vigilsec.com> wrote:
>>>
>>> Scott:
>>>
>>>
>>> Introducing AES-CTR and/or AES-CBC into COSE tokens that already support AES-GCM will open the GCM implementations to new security issues. Namely, potential padding oracle vulnerabilities.
>>>
>>>
>>> I think that adding a reference to the existing paragraph in the Security Considerations will address this concern:
>>>
>>>    With AES-CBC mode, implementers SHOULD perform integrity checks prior
>>>    to decryption to avoid padding oracle vulnerabilities [Vaudenay].
>>>
>>>
>>> At minimum, the Security Considerations section of draft-ietf-cose-aes-ctr-and-cbc-01 needs to call this risk out: Applications that encrypt or decrypt with AES-GCM *MUST NOT* support AES-GCM or AES-CTR with the same cryptographic materials, due to the existence of cross-protocol issues. One way to safeguard users from potential misuse is to use a separate "type" for keys used with unauthenticated encryption modes; similar to how COSE distinguishes MACs from Signatures.
>>>
>>>
>>> I suggest an addition paragraph in the Security Considerations:
>>>
>>>    To avoid cross-protocol concerns, implementations MUST NOT use the
>>>    same keying material with AES-CTR and AES-GCM.  Likewise,
>>>    implementations MUST NOT use the same keying material with AES-CTR
>>>    and AES-CCM.
>>>
>>>
>>> Additionally, I'd like to recommend sharing this draft with the CFRG mailing list to ensure it has the appropriate level of oversight from the IETF's cryptography experts.
>>>
>>>
>>> AES-CTR and AES-CBC are not new cryptographic modes.  New techniques deserve CFRG review, but AES-CTR and AES-CBC have been included in RFCs for many years.
>>>
>>> Russ
>>>
>>> _______________________________________________
>>> COSE mailing list
>>> COSE@ietf.org
>>> https://www.ietf.org/mailman/listinfo/cose
>>>
>>> _______________________________________________
>>> COSE mailing list
>>> COSE@ietf.org
>>> https://www.ietf.org/mailman/listinfo/cose
>>>
>>>
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose
>>
>>
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email