Re: aes128gcm: why verify padding?

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 27 January 2017 07:25 UTC

Date: Fri, 27 Jan 2017 09:20:41 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20170127072041.GA16072@LK-Perkele-V2.elisa-laajakaista.fi>
Archived-At: <http://www.w3.org/mid/20170127072041.GA16072@LK-Perkele-V2.elisa-laajakaista.fi>

On Fri, Jan 27, 2017 at 01:50:15AM +0000, Manger, James wrote:

> I was hoping for an anti-truncation mechanism that didn't depend in a
> not-completely-obvious-to-me manner on a seemingly quite separate aspect:
> the KDF. For instance, even with no KDF (for key or nonce) having a byte
> distinguishing start/middle/end would be sufficient to authenticate you
> have received an authentic prefix or suffix or complete message.

Actually, if you don't use a KDF to obtain the nonce base together with
the key, an attacker can corrupt messages unless you actually verify that
the start block is in its proper place.

This is because if the attacker can choose the noncebase, the attacker can reorder
the blocks so all decrypt properly.

Using a KDF prevents this because the attacker can't produce suitably
related noncebase pairs for the same key.



-Ilari
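As an added illustration of the two points above (the start/middle/end marker byte and the reordering that a key-independent nonce base allows), here is a Python simulation that is not code from this thread or from the aes128gcm draft. It uses a toy AEAD in place of AES-GCM (same key and nonce give the same keystream, which is the property that matters here), a one-block HKDF-SHA256, and constructed values for the key, the marker byte, the record size and the salts.

```python
import hashlib, hmac

TAG, REC = 16, 16        # tag bytes; plaintext bytes per record after the 1-byte marker
KEY = b"\x11" * 16       # constructed key shared by both messages

def hkdf(key, salt, info, length=12):
    """HKDF-SHA256, one expand block: a receiver recomputes the nonce base from the salt."""
    prk = hmac.new(salt, key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def nonce_for(base, i):
    return bytes(a ^ b for a, b in zip(base, i.to_bytes(12, "big")))  # base XOR record index

# Toy AEAD standing in for AES-GCM: keystream and tag both depend on (key, nonce).
def seal(key, nonce, pt):
    ks = hashlib.sha256(key + nonce).digest()
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG]

def open_(key, nonce, rec):
    ct, tag = rec[:-TAG], rec[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG]):
        raise ValueError("tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, hashlib.sha256(key + nonce).digest()))

def encode(key, base, msg):
    chunks = [msg[i:i + REC] for i in range(0, len(msg), REC)]
    n = len(chunks)  # marker byte: bit 0 = start record, bit 1 = end record
    return [seal(key, nonce_for(base, i), bytes([(i == 0) | (i == n - 1) << 1]) + c)
            for i, c in enumerate(chunks)]

def decode(key, base, records, check_start=True):
    out = b""
    for i, rec in enumerate(records):
        pt = open_(key, nonce_for(base, i), rec)
        if bool(pt[0] & 2) != (i == len(records) - 1):
            raise ValueError("end marker out of place")
        if check_start and bool(pt[0] & 1) != (i == 0):   # the position check Ilari asks for
            raise ValueError("start marker out of place")
        out += pt[1:]
    return out

def splice(base_a, base_b, check_start):
    """Decode A's first two records followed by all of B's records under A's nonce base."""
    a, b = encode(KEY, base_a, b"A" * 64), encode(KEY, base_b, b"B" * 32)
    try:
        return decode(KEY, base_a, a[:2] + b, check_start)
    except ValueError as e:
        return str(e)
```

With a transmitted nonce base, `splice(bytes(12), nonce_for(bytes(12), 2), False)` decodes cleanly to A-bytes followed by B-bytes because B's records land on nonces 2 and 3 of A's base, and only the start-marker position check (`check_start=True`) rejects it; with bases derived as `hkdf(KEY, salt, b"nonce")` from two different salts, the spliced record already fails the tag check.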