IETF Logo Mail Archive

Re: [COSE] COSE Support for AES-CTR and AES-CBC

Brendan Moran <brendan.moran.ietf@gmail.com> Mon, 07 November 2022 11:36 UTC

Return-Path: <brendan.moran.ietf@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 379F1C057109 for <cose@ietfa.amsl.com>; Mon, 7 Nov 2022 03:36:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n37kM4AuduQw for <cose@ietfa.amsl.com>; Mon, 7 Nov 2022 03:36:31 -0800 (PST)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61B12C152575 for <cose@ietf.org>; Mon, 7 Nov 2022 03:33:22 -0800 (PST)
Received: by mail-ej1-x634.google.com with SMTP id ud5so29286749ejc.4 for <cose@ietf.org>; Mon, 07 Nov 2022 03:33:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=lAjd+JNeiD6pbycXAH/j28IixZDbwnX1PWldltWcs68=; b=QO5ASaLH5VBYDuar0klNloecKud+3pkompHs+w9nAJEr2lGpxrhHPs5cLbkiWxxPQH 7xWAo1pvFMNYCJeXR1JGo/rfRY6BghHoEP/e7d9RLMW4QVJ7WG0nYHcbbbWM3r8MDeGi ySOmAbkhXqTMJHJpXyVzBKrSlIDrferI8ofr8764aBEJgPwUSCMxsaM3t5PLnYipRK+n vBnyOiwCODZ1JDbqNTvX2Y+kKmNL4f9TwLqdaJmpeKesLCbYqahfX84qAW8RcTqVDBG0 q6xLisNzxbV6eXpy8fbOm4nZP73wXiVhiQN6EGf5ciQRldjzuT4aq/BWntE678mTqj0X q4Gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lAjd+JNeiD6pbycXAH/j28IixZDbwnX1PWldltWcs68=; b=uDx+k/52II/ObVwxLsJzr1ikWvJL0n3OgYU/Aytr1vsU9NQJ/p/SPUUMQP//Ac6XaU MXH6l1iMlR0PpUR7Vvbdoh7SW809+R2gts4d0xNx+0tWtsn8x34fWQkXBc9It7nw3OsL nAx74xpl0NSDab/CLvLCeqdUttmYDVzUEmP2WzVHvkAcoOe7MOKyGuryMqwzhu3sYO67 W2AxneIa2OHkwdXD+pQhhDlFsSY/gFngfgeQEuqwFnFLxp868CTzM8EgKjtkHnLTKorl RB5ySibbEkMNOYHF1YA8citOmVNo7Ir6d9QxTVS0BhezKHLaJnv6gU56lJT2SJALsz5Z AbiQ==
X-Gm-Message-State: ACrzQf3oF9vtQRiVOi2vj+3JQM6IVTPVRSYmxz0oJXZpjxK8KF7ULyl9 TSKptoedXqp+A1SC4snXOLCatAiqkuUWWL97y5kEL+7+oCb1Vg==
X-Google-Smtp-Source: AMsMyM5aiWS3hq7L5dw/9/fWb6m12893A3MV3gxD1zDtFhoxdXPfGS+mJbC3JxcY/PhRHwR+EkUP6BJSWNo7+wOPgQM=
X-Received: by 2002:a17:907:a0c7:b0:7ad:d945:553d with SMTP id hw7-20020a170907a0c700b007add945553dmr37192247ejc.95.1667820800821; Mon, 07 Nov 2022 03:33:20 -0800 (PST)
MIME-Version: 1.0
References: <CO1PR00MB13086039D60B9997AE5F5928F54E9@CO1PR00MB1308.namprd00.prod.outlook.com> <SA1PR00MB1310AB40F32B3B2E9FC36D31F5239@SA1PR00MB1310.namprd00.prod.outlook.com> <ADE35F26-5BF8-4205-A8B5-36C1F55E8207@vigilsec.com> <32d84d35531543469a4a196a7b137cb1@amazon.com> <39D0918E-F757-4205-9D27-882E4587F95A@vigilsec.com> <CAPmVn1N7brE5SsgTU9n3ubCY3NExZfrgobkubRx7671LbU5Tcg@mail.gmail.com>
In-Reply-To: <CAPmVn1N7brE5SsgTU9n3ubCY3NExZfrgobkubRx7671LbU5Tcg@mail.gmail.com>
From: Brendan Moran <brendan.moran.ietf@gmail.com>
Date: Mon, 07 Nov 2022 11:33:09 +0000
Message-ID: <CAPmVn1OJgeVGkjBnjh-1zQcvptWDqSnE4YiAd7wM7-Eh-0xg=A@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>, "sfluhrer@cisco.com" <sfluhrer@cisco.com>
Cc: "Arciszewski, Scott" <scottarc@amazon.com>, "cose@ietf.org" <cose@ietf.org>, s.fluhrer@cisco.com
Content-Type: multipart/alternative; boundary="00000000000061cfe605ecdfca3f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/NNs301zA832DP8uA6lcKroZzedU>
Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2022 11:36:35 -0000

Sorry, I had the wrong email address for Scott.

I’m trying to understand some of the concerns that have been raised. I
understand that AES-GCM is not exposed to the concerns that Sophie and has
raised?

If we used AES-GCM with out of order reception and on-the-fly decryption,
would that mitigate the risks?

Best Regards,
Brendan

On Mon, 7 Nov 2022 at 11:03, Brendan Moran <brendan.moran.ietf@gmail.com>
wrote:

> I talked with Scott Fluhrer today about this use case and he’s pointed out
> that GCM can be processed out of order.
>
> Scott, would you be able to elaborate on this?
>
> Best Regards,
> Brendan
>
> On Wed, 26 Oct 2022 at 22:51, Russ Housley <housley@vigilsec.com> wrote:
>
>> Scott:
>>
>> Introducing AES-CTR and/or AES-CBC into COSE tokens that already support
>> AES-GCM will open the GCM implementations to new security issues. Namely,
>> potential padding oracle vulnerabilities.
>>
>>
>> I think that adding a reference to the existing paragraph in the Security
>> Considerations will address this concern:
>>
>>    With AES-CBC mode, implementers SHOULD perform integrity checks prior
>>    to decryption to avoid padding oracle vulnerabilities [Vaudenay].
>>
>> At minimum, the Security Considerations section of
>> draft-ietf-cose-aes-ctr-and-cbc-01 needs to call this risk out:
>> Applications that encrypt or decrypt with AES-GCM *MUST NOT* support
>> AES-GCM or AES-CTR with the same cryptographic materials, due to the
>> existence of cross-protocol issues. One way to safeguard users from
>> potential misuse is to use a separate "type" for keys used with
>> unauthenticated encryption modes; similar to how COSE distinguishes MACs
>> from Signatures.
>>
>>
>> I suggest an addition paragraph in the Security Considerations:
>>
>>    To avoid cross-protocol concerns, implementations MUST NOT use the
>>    same keying material with AES-CTR and AES-GCM.  Likewise,
>>    implementations MUST NOT use the same keying material with AES-CTR
>>    and AES-CCM.
>>
>> Additionally, I'd like to recommend sharing this draft with the CFRG
>> mailing list to ensure it has the appropriate level of oversight from the
>> IETF's cryptography experts.
>>
>>
>> AES-CTR and AES-CBC are not new cryptographic modes.  New techniques
>> deserve CFRG review, but AES-CTR and AES-CBC have been included in RFCs for
>> many years.
>>
>> Russ
>>
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose
>>
>

v2.23.0 | Report a Bug | By Email