Re: aes128gcm: vulnerable to truncation attacks

Martin Thomson <martin.thomson@gmail.com> Mon, 23 January 2017 23:37 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9557E12941A for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 23 Jan 2017 15:37:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.72
X-Spam-Level:
X-Spam-Status: No, score=-9.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bgQ3z8VO-sck for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 23 Jan 2017 15:37:00 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64E2C129411 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 23 Jan 2017 15:37:00 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cVo8i-0002yJ-H9 for ietf-http-wg-dist@listhub.w3.org; Mon, 23 Jan 2017 23:35:08 +0000
Resent-Date: Mon, 23 Jan 2017 23:35:08 +0000
Resent-Message-Id: <E1cVo8i-0002yJ-H9@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <martin.thomson@gmail.com>) id 1cVo8f-0001GX-14 for ietf-http-wg@listhub.w3.org; Mon, 23 Jan 2017 23:35:05 +0000
Received: from mail-qt0-f174.google.com ([209.85.216.174]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <martin.thomson@gmail.com>) id 1cVo8Y-0005XX-Iz for ietf-http-wg@w3.org; Mon, 23 Jan 2017 23:34:59 +0000
Received: by mail-qt0-f174.google.com with SMTP id v23so152478358qtb.0 for <ietf-http-wg@w3.org>; Mon, 23 Jan 2017 15:34:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=OXIUk+rc4Bh3qUQlDVi/m5M2WuV0KzXN7B0pxwp5KLk=; b=Dc9SSCCoZ+A1fHahabQiHlNbDwSbfVazLJcZAY9lc0YoXADlKDhm0cHfRVvGKufA7C btGqNdzJV1dnvQ9AQQNdDctA9kOjpT9X/upDx34HURvtm2ila+t2TFEll/09mtSCqcp8 W07b22Nvm1Oj3rwfJ8q4EWddtyiB2crk1z3iNTZrOgYM0N173n3LDQaG/WtZZyUVTfuk n21lHaI1V3QR+nwlPHU8BHrNjO8DnTcFGCdGaHBtcIicvAHmThBN78gb4HhcrxPKDbFk FUkhkEV3+wG5zV2lI21UsfcPJ8pnz2JuGml+9u5QiZKgQJIrDaJriFPDRbQfV+b+EV7N oJBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=OXIUk+rc4Bh3qUQlDVi/m5M2WuV0KzXN7B0pxwp5KLk=; b=nGe6/qxa7iHERjROKb7Mv80CeB+mFGNU/R8wR5/n+uRUpNWkPmfK13ouZb1lSTJxFi GIXVosWG8O9EGjBBxxIQ1ui3v55eUzS5qmcv7+TfInLGDPutpqP6DEIgxD4uUDrODg7l NeKywXfC9qB55wIFs0IuJooEX1V4Voo/ubMXbDg41NTQdKn84JfktH0kZMscSBH5gEgS ROwrGf7ImRMb7LH4KekVzgFH81fOH3/GMN+fLnxV7/Lcz2ZTYpIY9rrQ5gya1etY5bSc 52dwiSuDerYbkyqphK+f7aSjqC7jDw3idpB1drW/TnDJpM7wOtX2S7J3+3V942o+SaJy JYFQ==
X-Gm-Message-State: AIkVDXIJgFZ9F/aFNN0hWSa62o7+LRHvBSNCPhg0NO7KDb60Fier7oDNbpKpTKNF+d4NrnQwhTvh05qzgUeZ+Q==
X-Received: by 10.55.164.85 with SMTP id n82mr27906561qke.316.1485214472177; Mon, 23 Jan 2017 15:34:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.19.112 with HTTP; Mon, 23 Jan 2017 15:34:31 -0800 (PST)
In-Reply-To: <SYXPR01MB16150B64E1F19E560321ACDFE5720@SYXPR01MB1615.ausprd01.prod.outlook.com>
References: <SYXPR01MB16150B64E1F19E560321ACDFE5720@SYXPR01MB1615.ausprd01.prod.outlook.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 24 Jan 2017 08:34:31 +0900
Message-ID: <CABkgnnUgT2==ukoQBF3Lywev7_oAxSuH2aCKP2d6FeHkoCbXUw@mail.gmail.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=209.85.216.174; envelope-from=martin.thomson@gmail.com; helo=mail-qt0-f174.google.com
X-W3C-Hub-Spam-Status: No, score=-6.1
X-W3C-Hub-Spam-Report: AWL=0.120, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1cVo8Y-0005XX-Iz c0c178595df225863e7d932ed548945c
X-Original-To: ietf-http-wg@w3.org
Subject: Re: aes128gcm: vulnerable to truncation attacks
Archived-At: <http://www.w3.org/mid/CABkgnnUgT2==ukoQBF3Lywev7_oAxSuH2aCKP2d6FeHkoCbXUw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33359
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I think that Ilari's recommendation on the other thread also solves
this problem.

On 23 January 2017 at 11:48, Manger, James
<James.H.Manger@team.telstra.com> wrote:
> There is a serious flaw in aes128gcm that allows a message to be truncated
> while authenticated decryption still succeeds.
>
>
>
> aes128gcm produces 1 or more AEAD records, where all but the last match the
> given record size. This allows you to authenticate the end of the stream
> when you receive at least 2 records. But if you only receive 1 record you
> cannot tell if you have a complete message or a truncated message with a
> tampered record size.
>
>
>
> The problem is that the record size in the header is not authenticated.
>
>
>
> For example, the “Encryption with Multiple Records” example in the spec
> consists of the following ciphertext (in base64url), which decrypted to “I
> am the walrus”:
>
>
>
> uNCkWiNYzKTnBN9ji3-qWAAAABoCYTGHOqYFz-0in3dpb-VE2GfBngkaPy6bZus_
>
> qLF79s6zQyTSsA0iLOKyd3JqVIwprNzVatRCWZGUx_qsFbJBCQu62RqQuR2d
>
>
>
> Truncating this ciphertext after the 1st record, and increasing the record
> size field in the header from 26 to 27 gives:
>
>
>
> uNCkWiNYzKTnBN9ji3-qWAAAABsCYTGHOqYFz-0in3dpb-VE2GfBngkaPy6bZus_qA
>
>
>
> This successfully decrypts to “I am th”. It needs to fail, either with an
> authentication failure or a premature end failure.
>
>
>
>
>
> Suggestion: include the record size in the derivation of the key and nonces.
>
> Passing the 20 bytes <16-byte salt><4-byte records size> as the ‘salt’
> parameter of the HKDF Extract call might work. Though putting including the
> record size in the cek_info and nonce_info values that are fed to HKDF
> Expand calls might be even better.
>
>
>
> --
>
> James Manger