[jose] FW: GCM nonce reuse question
"Jim Schaad" <ietf@augustcellars.com> Fri, 29 March 2013 02:02 UTC
From: Jim Schaad <ietf@augustcellars.com>
To: jose@ietf.org
References: <006a01ce2b3c$8f0d03b0$ad270b10$@augustcellars.com> <747787E65E3FBD4E93F0EB2F14DB556B183EF2E3@xmb-rcd-x04.cisco.com>
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B183EF2E3@xmb-rcd-x04.cisco.com>
Date: Thu, 28 Mar 2013 19:01:58 -0700
Message-ID: <006701ce2c21$65accf10$31066d30$@augustcellars.com>
For those people not on the CFRG list

- Jim

From: David McGrew (mcgrew) [mailto:mcgrew@cisco.com]
Sent: Thursday, March 28, 2013 4:15 AM
To: Jim Schaad
Cc: cfrg@irtf.org
Subject: Re: GCM nonce reuse question

Hi Jim,

From: Jim Schaad <jimsch@augustcellars.com>
Date: Wednesday, March 27, 2013 6:43 PM
To: David McGrew <mcgrew@cisco.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: GCM nonce reuse question

> David,
>
> In doing a write-up I became worried about a security property of the GCM encryption mode in the way that the JOSE group is currently using it. There are known problems with not having a unique set of values for IV and key pairings. Do these problems apply to having a different set of auxiliary data as well as the plain text?

Yes. The security issues are summarized in http://tools.ietf.org/html/rfc5116#section-5.1.1 but apparently they are not described generally enough. They should read "plaintext or associated data values".

> Specifically, the current way that GCM mode is being used in JOSE is
>
> Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain text)
> Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain text)
>
> As the key, nonce and plain text are fixed it would produce the same encrypted text value but different authentication tags.

Can't do that. Each invocation of the encryption operation needs a distinct nonce, unless all of the encryption operation inputs are identical.

Many thanks for calling this out, Jim.

David

> Jim
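The following is an added worked example, not part of the thread above and not JOSE or CFRG code, showing concretely why "same key, same nonce, same plaintext, different associated data" is unsafe. Two recipients' tags are produced with Go's standard-library AES-GCM under a reused nonce; the ciphertexts come out identical and only the tags differ, exactly as Jim describes. Because GCM's tag is GHASH(AAD, C) xor E_K(J0), and with one block of AAD, one block of ciphertext and the length block GHASH is A*H^3 + C*H^2 + L*H, the two tags differ by (A1 xor A2)*H^3. Anyone who sees both tags can therefore divide out A1 xor A2 in GF(2^128), obtain H^3, and forge a valid tag for a third AAD of their choosing without ever knowing the key. All inputs (key, nonce, plaintext, the three "recipient data" strings) are constructed for the demo; the one-block layout is chosen so the algebra is a single division, whereas with longer inputs the same nonce reuse leaks H itself via polynomial root-finding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo inputs (not from the thread). Each is exactly one 128-bit
// block so that GHASH has the short closed form used in forgeTag.
var (
	demoKey   = []byte("0123456789abcdef") // AES-128 key
	demoNonce = []byte("unique-nonce")     // 96-bit IV, deliberately reused below
	demoPT    = []byte("attack at dawn!!") // plaintext shared by all recipients
	aadR1     = []byte("recipient-1:kid1") // per-recipient data carried as AAD
	aadR2     = []byte("recipient-2:kid2")
	aadR3     = []byte("recipient-3:kid3") // attacker's AAD; never sealed by the key holder
)

// sealGCM runs one AES-GCM encryption and returns ciphertext and tag separately.
func sealGCM(key, nonce, pt, aad []byte) (ct, tag []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	out := gcm.Seal(nil, nonce, pt, aad)
	return out[:len(pt)], out[len(pt):], nil
}

// openGCM reports whether ct||tag verifies under the given aad.
func openGCM(key, nonce, ct, tag, aad []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return false
	}
	_, err = gcm.Open(nil, nonce, append(append([]byte{}, ct...), tag...), aad)
	return err == nil
}

// gfMul multiplies in GF(2^128) using GCM's bit order (NIST SP 800-38D, Alg. 1):
// the coefficient of x^0 is the most significant bit of byte 0, and the
// reduction constant R = 0xE1 || 0^120 encodes x^128 + x^7 + x^2 + x + 1.
func gfMul(x, y [16]byte) [16]byte {
	var z [16]byte
	v := y
	for i := 0; i < 128; i++ {
		if x[i/8]&(0x80>>uint(i%8)) != 0 {
			for j := range z {
				z[j] ^= v[j]
			}
		}
		lsb := v[15] & 1 // coefficient of x^127 about to fall off
		for j := 15; j > 0; j-- {
			v[j] = v[j]>>1 | v[j-1]<<7
		}
		v[0] >>= 1
		if lsb != 0 {
			v[0] ^= 0xE1
		}
	}
	return z
}

func gfXor(a, b [16]byte) [16]byte {
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

// gfOne is the multiplicative identity in GCM's bit order.
func gfOne() [16]byte { return [16]byte{0x80} }

// gfInv computes x^(2^128-2) = x^-1; the exponent is 127 one-bits then a zero.
func gfInv(x [16]byte) [16]byte {
	r := x
	for i := 0; i < 126; i++ {
		r = gfMul(gfMul(r, r), x)
	}
	return gfMul(r, r)
}

func to16(b []byte) (out [16]byte) { copy(out[:], b); return }

// forgeTag: given two tags made under one key and nonce for the same one-block
// plaintext but different one-block AADs, T1 xor T2 = (A1 xor A2)*H^3, so H^3 is
// recovered by one division and a tag for any third AAD follows. No key needed.
func forgeTag(aad1, tag1, aad2, tag2, aad3 []byte) []byte {
	h3 := gfMul(gfXor(to16(tag1), to16(tag2)), gfInv(gfXor(to16(aad1), to16(aad2))))
	t3 := gfXor(to16(tag1), gfMul(gfXor(to16(aad1), to16(aad3)), h3))
	return t3[:]
}

// Demo reproduces the JOSE pattern from the thread and reports whether the two
// ciphertexts are identical, whether the tags differ, and whether the forged
// tag for aadR3 is accepted by a compliant GCM decryptor.
func Demo() (sameCT, tagsDiffer, forgeryAccepted bool, err error) {
	ct1, tag1, err := sealGCM(demoKey, demoNonce, demoPT, aadR1)
	if err != nil {
		return
	}
	ct2, tag2, err := sealGCM(demoKey, demoNonce, demoPT, aadR2)
	if err != nil {
		return
	}
	sameCT = bytes.Equal(ct1, ct2)
	tagsDiffer = !bytes.Equal(tag1, tag2)
	tag3 := forgeTag(aadR1, tag1, aadR2, tag2, aadR3)
	forgeryAccepted = openGCM(demoKey, demoNonce, ct1, tag3, aadR3)
	return
}

func main() {
	sameCT, tagsDiffer, forged, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("same ciphertext: %v, different tags: %v, forged tag accepted: %v\n",
		sameCT, tagsDiffer, forged)
}
```

The fix is the one David states: a fresh nonce per Seal call, so each recipient's tag is taken at an unrelated point of the GHASH polynomial; alternatively, encrypt once with a single AAD and authenticate the per-recipient data some other way. Note that the forgery here uses only the algebraic structure of GCM that any compliant implementation must follow; it is not a defect in Go's library.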
- [jose] FW: GCM nonce reuse question Jim Schaad
- Re: [jose] FW: GCM nonce reuse question Mike Jones
- Re: [jose] FW: GCM nonce reuse question Mike Jones
- Re: [jose] FW: GCM nonce reuse question Richard Barnes
- Re: [jose] FW: GCM nonce reuse question Vijay Bharadwaj
- Re: [jose] [Cfrg] GCM nonce reuse question Richard Barnes
- Re: [jose] [Cfrg] GCM nonce reuse question Manger, James H
- Re: [jose] [Cfrg] GCM nonce reuse question Richard Barnes
- Re: [jose] [Cfrg] GCM nonce reuse question Matt Miller
- Re: [jose] [Cfrg] GCM nonce reuse question Richard Barnes