IETF Logo Mail Archive

Re: [COSE] COSE Support for AES-CTR and AES-CBC

Brendan Moran <brendan.moran.ietf@gmail.com> Tue, 08 November 2022 10:25 UTC

Return-Path: <brendan.moran.ietf@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEA36C1522B0 for <cose@ietfa.amsl.com>; Tue, 8 Nov 2022 02:25:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3CblxBV7shFo for <cose@ietfa.amsl.com>; Tue, 8 Nov 2022 02:25:45 -0800 (PST)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7623EC14CF14 for <cose@ietf.org>; Tue, 8 Nov 2022 02:25:01 -0800 (PST)
Received: by mail-ej1-x62d.google.com with SMTP id k2so37389434ejr.2 for <cose@ietf.org>; Tue, 08 Nov 2022 02:25:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=0Mg7N/utqnyVAZeBCKNmRWihhL2o7+1sb5zoGDGwA9Q=; b=NqWset4cHfkiCQfhYZhRsQMR+wz0bPiVEdFfTnKUntbun1UAuNVJv0VptF48N9zG9i k04DmdEaoi2ktHcOPb+GspglaftbX8n5hfB/i6DWWlR9sxkARSGi1KQREoJ9kiLxh5Vp ZMMTrAK4BX4gWYCYOCe2NIu10Dv/L/LoKDsmnk/TjBw1oUORneqddaA5KRrJsqAN83Lx PEOBmHkd7jhctNkH7voUt6hNESUTH0H/mlpDC7bRnLkXId7xEUvs4DG1l7uYT3YoCH6y um/PMTGLq6k8xfLYeVxARV6PtxiJ3LYDSIB+iYO3UdRv/i/+qf/I4QsFiDn0t5fnxi9D Tsug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0Mg7N/utqnyVAZeBCKNmRWihhL2o7+1sb5zoGDGwA9Q=; b=HxtMwoqoY2TTwPHS+lsKpWebruPnt8O0vxglM6G/nJOtKOo3WoF6Cxg7CVXJnvLS+s lxUnkZVSXGy85PmbwqqaA5uIgJGv3/DIzrYxFaopIRQg5lGNZWDGxPj4ZYou0S1SdILf u8TB3J08I7Cck77cdlwiEJJjpkwpg20w0T5HwvDMebAtqM7Srs9yq0Mmaaybdulcyke6 IP6xT55qbAp8b2+2VLwa71pBjmf1CGJ3cqwFwjzE9Jtwo6zo6wcyBRCSApI2t5o2Um4v nKQ0Q/O3Wfj9BVRYGMqJXsc1O5B9pZgtS1tlc38j0H9az6OOqYxTdcd5cp8n8LLZ2hdW +Njw==
X-Gm-Message-State: ACrzQf3uuQeDBehKHEBU0qAJfc/U6Ea9YD+d12OQjTvKjGJUVWcX3iL2 ihEHwRMao1yp1XMMh95lwUUhnlt07qRks2RpTMY=
X-Google-Smtp-Source: AMsMyM4LvNiz6eV/kpWDo0VXDYTc1s4enIWkPLwwytBM06un+TercORHV2RltLKEOT/+WTnVO1vY/tcxhhYjCMxlMqw=
X-Received: by 2002:a17:907:a0c7:b0:7ad:d945:553d with SMTP id hw7-20020a170907a0c700b007add945553dmr42028159ejc.95.1667903099962; Tue, 08 Nov 2022 02:24:59 -0800 (PST)
MIME-Version: 1.0
References: <CO1PR00MB13086039D60B9997AE5F5928F54E9@CO1PR00MB1308.namprd00.prod.outlook.com> <SA1PR00MB1310AB40F32B3B2E9FC36D31F5239@SA1PR00MB1310.namprd00.prod.outlook.com> <ADE35F26-5BF8-4205-A8B5-36C1F55E8207@vigilsec.com> <32d84d35531543469a4a196a7b137cb1@amazon.com> <39D0918E-F757-4205-9D27-882E4587F95A@vigilsec.com> <CAPmVn1N7brE5SsgTU9n3ubCY3NExZfrgobkubRx7671LbU5Tcg@mail.gmail.com> <CAPmVn1OJgeVGkjBnjh-1zQcvptWDqSnE4YiAd7wM7-Eh-0xg=A@mail.gmail.com> <CH0PR11MB54440ECC855D3FF9ABB28551C13C9@CH0PR11MB5444.namprd11.prod.outlook.com> <0FC770F8-8E4E-44EA-AC55-BB5E1C8EAF27@vigilsec.com>
In-Reply-To: <0FC770F8-8E4E-44EA-AC55-BB5E1C8EAF27@vigilsec.com>
From: Brendan Moran <brendan.moran.ietf@gmail.com>
Date: Tue, 08 Nov 2022 10:24:48 +0000
Message-ID: <CAPmVn1OT9sHngCQwbParMdMLH-EVfuJvtsOxqTXF6Ku2d9Dg3A@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Scott Fluhrer <sfluhrer@cisco.com>, "Arciszewski, Scott" <scottarc@amazon.com>, "cose@ietf.org" <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cb0aee05ecf2f358"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/hlbMeWRIlwdjs7Q381-TwmwHJGk>
Subject: Re: [COSE] COSE Support for AES-CTR and AES-CBC
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2022 10:25:49 -0000

Am I correct in understanding that we have three options as far as the SUIT
use case goes?

   1. We register an algorithm identifier for AES-CTR, mark it as
   deprecated.
   2. We take a variant of AES-GCM to cfrg; one where plaintext data
   explicitly IS returned before the tag is verified. If cfrg review
   determines it is appropriate, we register an algorithm identifier, and mark
   it as deprecated.
   3. We use a block-wise AEAD that is already in COSE and accept that
   there is a payload inflation due to the additional tags.

Best Regards,
Brendan

On Mon, Nov 7, 2022 at 6:29 PM Russ Housley <housley@vigilsec.com> wrote:

> Scott:
>
> The AES-CCM specification says:
>
>    If the T value is not correct, the receiver MUST NOT reveal any
>    information except for the fact that T is incorrect.  The receiver
>    MUST NOT reveal the decrypted message, the value T, or any other
>    information.
>
> My reading of the NIST AES-GCM specification has a similar requirement:
>
>    If T = T′, then return P; else return FAIL.
>
> So, your technique works from a math perspective, but it does not honor
> this requirement.
>
> Russ
>
>
> On Nov 7, 2022, at 8:46 AM, Scott Fluhrer (sfluhrer) <
> sfluhrer=40cisco.com@dmarc.ietf.org> wrote:
>
> Here’s how out-of-order GCM works:
>
> The decryption part is easy; if you know where the ciphertext fragement
> falls within the overall message, then it is obvious how to select the AES
> input to decrypt it properly.
>
> What’s less obvious is the integrity piece; that is, how to compute the
> GCM tag (so that you can compare the value you compute to the tag included
> with the ciphertext).  Yes, it can be done; to see how it is done, we need
> to explore how GCM tags are computed:
>
> With GCM, we take the ciphertext (and the AAD), and convert them into a
> series of 16 byte values M_n, M_{n-1}, M_{n-2}, …, M_1; this mapping is
> quite simple (so 16 bytes of the ciphertext are placed into a single M_i
> value).  Once we do that, we compute:
>
>    M_n H**n + M_{n-1} H**{n-1} + … + M_1 H**1
>
> (and then, we add in a value that depends on the nonce, and that’s the tag
> – that part isn’t affected by out-of-the-order processing.
>
> Now, the multiplication operations (both in evaluating H**n and
> multiplying M_n with H**n), and the addition operations are both in
> GF(2**128); these are not the traditional schoolbook operations, instead,
> the multiplication looks odd, and the addition operation can be implemented
> by bitwise xor’ing the two values together); however all the traditional
> ways of rearranging operations work (and any GCM implementation will
> already have the appropriate multiplication logic already).
>
> So, when we need to implement out-of-order evaluation of the above
> polynomial, that is, if we get the parts of the ciphertext that corresponds
> to M_a, M_{a-1}, …, M_b, (where c = a-b), what we can do is evaluate the
> intermediate polynomial:
>
> M_a H**c + M_{a-1} H**{c-1} + ... + M_b H**0.
>
> Once we have that, we can compute H**b (which can be done with log(b)
> multiplications), and multiply the polynomial with that.  The result of
> that is:
>
> M_a H**a + M_{a-1} H**{a-1} + … + M_b H**b.
>
> We can add that to the running sum.
>
> Once we have all the fragments, we have the sum; if you add them all
> together, that’s the formula GCM expects, and so we can compute the
> expected tag.
>
> Just some notes:
>
>
>    - If the ciphertext fragment you have doesn’t happen to fall on nice
>    16 byte boundaries, you can zero fill in the first and last word and it
>    still works.  For example, if you have a two byte fragment that falls
>    across a 16 byte boundary ABCD, you would process this as the two words
>    0000000000000AB and CD00000000000000
>    - One thing that this depends on is that you get all the fragments,
>    and you get each one exactly once; if you get one of the fragments twice
>    and add both to the running sum, well, this doesn’t work.
>
>
> *From:* Brendan Moran <brendan.moran.ietf@gmail.com>
> *Sent:* Monday, November 7, 2022 6:33 AM
> *To:* Russ Housley <housley@vigilsec.com>; Scott Fluhrer (sfluhrer) <
> sfluhrer@cisco.com>
> *Cc:* Arciszewski, Scott <scottarc@amazon.com>; cose@ietf.org;
> s.fluhrer@cisco.com
> *Subject:* Re: [COSE] COSE Support for AES-CTR and AES-CBC
>
> Sorry, I had the wrong email address for Scott.
>
> I’m trying to understand some of the concerns that have been raised. I
> understand that AES-GCM is not exposed to the concerns that Sophie and has
> raised?
>
> If we used AES-GCM with out of order reception and on-the-fly decryption,
> would that mitigate the risks?
>
> Best Regards,
> Brendan
>
> On Mon, 7 Nov 2022 at 11:03, Brendan Moran <brendan.moran.ietf@gmail.com>
> wrote:
>
> I talked with Scott Fluhrer today about this use case and he’s pointed out
> that GCM can be processed out of order.
>
> Scott, would you be able to elaborate on this?
>
> Best Regards,
> Brendan
>
> On Wed, 26 Oct 2022 at 22:51, Russ Housley <housley@vigilsec.com> wrote:
>
> Scott:
>
>
> Introducing AES-CTR and/or AES-CBC into COSE tokens that already support
> AES-GCM will open the GCM implementations to new security issues. Namely,
> potential padding oracle vulnerabilities.
>
>
> I think that adding a reference to the existing paragraph in the Security
> Considerations will address this concern:
>
>    With AES-CBC mode, implementers SHOULD perform integrity checks prior
>    to decryption to avoid padding oracle vulnerabilities [Vaudenay].
>
>
> At minimum, the Security Considerations section of
> draft-ietf-cose-aes-ctr-and-cbc-01 needs to call this risk out:
> Applications that encrypt or decrypt with AES-GCM *MUST NOT* support
> AES-GCM or AES-CTR with the same cryptographic materials, due to the
> existence of cross-protocol issues. One way to safeguard users from
> potential misuse is to use a separate "type" for keys used with
> unauthenticated encryption modes; similar to how COSE distinguishes MACs
> from Signatures.
>
>
> I suggest an addition paragraph in the Security Considerations:
>
>    To avoid cross-protocol concerns, implementations MUST NOT use the
>    same keying material with AES-CTR and AES-GCM.  Likewise,
>    implementations MUST NOT use the same keying material with AES-CTR
>    and AES-CCM.
>
>
> Additionally, I'd like to recommend sharing this draft with the CFRG
> mailing list to ensure it has the appropriate level of oversight from the
> IETF's cryptography experts.
>
>
> AES-CTR and AES-CBC are not new cryptographic modes.  New techniques
> deserve CFRG review, but AES-CTR and AES-CBC have been included in RFCs for
> many years.
>
> Russ
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>
>
>

v2.23.0 | Report a Bug | By Email