aes128gcm: vulnerable to truncation attacks

"Manger, James" <James.H.Manger@team.telstra.com> Mon, 23 January 2017 02:52 UTC

From: "Manger, James" <James.H.Manger@team.telstra.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Mon, 23 Jan 2017 02:48:03 +0000
Message-ID: <SYXPR01MB16150B64E1F19E560321ACDFE5720@SYXPR01MB1615.ausprd01.prod.outlook.com>
Subject: aes128gcm: vulnerable to truncation attacks
Archived-At: <http://www.w3.org/mid/SYXPR01MB16150B64E1F19E560321ACDFE5720@SYXPR01MB1615.ausprd01.prod.outlook.com>

There is a serious flaw in aes128gcm that allows a message to be truncated while authenticated decryption still succeeds.

aes128gcm produces 1 or more AEAD records, where all but the last match the given record size. This allows you to authenticate the end of the stream when you receive at least 2 records. But if you only receive 1 record you cannot tell if you have a complete message or a truncated message with a tampered record size.

The problem is that the record size in the header is not authenticated.

For example, the "Encryption with Multiple Records" example in the spec consists of the following ciphertext (in base64url), which decrypted to "I am the walrus":

uNCkWiNYzKTnBN9ji3-qWAAAABoCYTGHOqYFz-0in3dpb-VE2GfBngkaPy6bZus_
qLF79s6zQyTSsA0iLOKyd3JqVIwprNzVatRCWZGUx_qsFbJBCQu62RqQuR2d

Truncating this ciphertext after the 1st record, and increasing the record size field in the header from 26 to 27 gives:

uNCkWiNYzKTnBN9ji3-qWAAAABsCYTGHOqYFz-0in3dpb-VE2GfBngkaPy6bZus_qA

This successfully decrypts to "I am th". It needs to fail, either with an authentication failure or a premature end failure.


Suggestion: include the record size in the derivation of the key and nonces.
Passing the 20 bytes <16-byte salt><4-byte record size> as the 'salt' parameter of the HKDF Extract call might work, though including the record size in the cek_info and nonce_info values that are fed to the HKDF Expand calls might be even better.

--
James Manger
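As an added illustration (not part of James's message or of the httpbis draft), the Go program below models the record layout described above on a constructed key and salt, with both key-derivation variants: the draft's, where the record size takes no part in HKDF, and the hardening suggested above, where the 4-byte record size is appended to cek_info and nonce_info. The decoder rejects a plainly truncated stream because its last record is a full rs bytes, but only the bound derivation also rejects the truncated stream whose rs field has been raised by one; that rejection is the check a receiver gains from binding rs into the keys. The HKDF info labels, the single 0x01 delimiter used as padding, the IKM, the salt and the key id "a1" are this example's assumptions, and its output is not interoperable with the draft's test vectors.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// derive mirrors the draft: HKDF-SHA256 over the shared key and header salt gives the CEK and
// base nonce. bindRS=false leaves the record size out (the flaw); bindRS=true appends the 4-byte
// record size to both info strings, as the email suggests. Info labels are this example's.
func derive(ikm, salt []byte, rs uint32, bindRS bool) (cipher.AEAD, []byte) {
	cekInfo, nonceInfo := []byte("Content-Encoding: aes128gcm\x00"), []byte("Content-Encoding: nonce\x00")
	if bindRS {
		cekInfo = binary.BigEndian.AppendUint32(cekInfo, rs)
		nonceInfo = binary.BigEndian.AppendUint32(nonceInfo, rs)
	}
	prk := hmacSHA256(salt, ikm) // HKDF-Extract; a single Expand block (counter 1) covers n <= 32
	block, _ := aes.NewCipher(hmacSHA256(prk, append(cekInfo, 1))[:16]) // 16-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm, hmacSHA256(prk, append(nonceInfo, 1))[:12]
}

// recordNonce XORs the big-endian record sequence number into the low 8 bytes of the base nonce.
func recordNonce(base []byte, seq uint64) []byte {
	return binary.BigEndian.AppendUint64(append([]byte{}, base[:4]...), binary.BigEndian.Uint64(base[4:])^seq)
}

// encode writes header (salt | rs | idlen | keyid) then AEAD records: all but the last exactly rs
// bytes, each record's content ending in a 0x01 delimiter (a simplified stand-in for the draft's
// padding). A would-be full-size last record is never final, so a short record marks the end.
func encode(ikm, salt, keyid []byte, rs uint32, plaintext []byte, bindRS bool) []byte {
	gcm, base := derive(ikm, salt, rs, bindRS)
	out := append(append(binary.BigEndian.AppendUint32(append([]byte{}, salt...), rs), byte(len(keyid))), keyid...)
	chunk := int(rs) - 16 - 1 // plaintext per full record: rs minus tag minus delimiter
	for seq := uint64(0); ; seq++ {
		n, final := len(plaintext), len(plaintext) < chunk
		if !final {
			n = chunk
		}
		out = gcm.Seal(out, recordNonce(base, seq), append(append([]byte{}, plaintext[:n]...), 1), nil)
		if plaintext = plaintext[n:]; final {
			return out
		}
	}
}

// decode is the receiver. It rejects a stream whose last record is a full rs bytes (plain truncation),
// but with bindRS=false nothing ties the rs field to the keys, so rs+1 makes a truncated stream look complete.
func decode(ikm, data []byte, bindRS bool) ([]byte, error) {
	if len(data) < 21 || len(data) < 21+int(data[20]) || binary.BigEndian.Uint32(data[16:20]) < 18 {
		return nil, errors.New("bad header")
	}
	rs, body, out := binary.BigEndian.Uint32(data[16:20]), data[21+int(data[20]):], []byte{}
	gcm, base := derive(ikm, data[:16], rs, bindRS)
	for seq := uint64(0); ; seq++ {
		if len(body) == 0 {
			return nil, errors.New("premature end: no final record")
		}
		n, final := int(rs), len(body) < int(rs)
		if final {
			n = len(body)
		}
		content, err := gcm.Open(nil, recordNonce(base, seq), body[:n], nil)
		if err != nil || len(content) == 0 || content[len(content)-1] != 1 {
			return nil, fmt.Errorf("record %d rejected (tag or padding): %v", seq, err)
		}
		out, body = append(out, content[:len(content)-1]...), body[n:]
		if final {
			return out, nil
		}
	}
}

// truncateAndBumpRS replays the email's manipulation: keep header and first record, raise rs by one.
func truncateAndBumpRS(data []byte) []byte {
	rs := binary.BigEndian.Uint32(data[16:20])
	t := append([]byte{}, data[:21+int(data[20])+int(rs)]...)
	binary.BigEndian.PutUint32(t[16:20], rs+1)
	return t
}

func main() {
	ikm, salt := []byte("constructed example IKM"), []byte("0123456789abcdef") // constructed, not the spec's
	for _, bindRS := range []bool{false, true} {
		ct := encode(ikm, salt, []byte("a1"), 26, []byte("I am the walrus"), bindRS)
		pt, err := decode(ikm, truncateAndBumpRS(ct), bindRS)
		fmt.Printf("rs bound into HKDF=%v: plaintext=%q err=%v\n", bindRS, pt, err)
	}
}
```

Run as is, it prints the two outcomes for the same tampered stream: the unbound derivation returns "I am the " with no error, while the bound derivation rejects record 0 because the CEK and nonce it derives from the altered rs no longer match the ones the sender used. Plain truncation with rs left at 26 is caught by either variant, since the lone record is then a full rs bytes and no final record follows it.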