Re: [jose] FW: GCM nonce reuse question

Richard Barnes <rlb@ipv.sx> Fri, 29 March 2013 02:54 UTC

Date: Thu, 28 Mar 2013 22:54:24 -0400
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Jim Schaad <ietf@augustcellars.com>, cfrg@irtf.org, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] FW: GCM nonce reuse question

[trimmed CFRG, since we're talking about JOSE now]

Out of curiosity, what text are you planning to add?

As I read David's response, he is saying that GCM is unusable with multiple
recipients, because multiple header values are fed into GCM with the same
nonce.

Outlawing GCM is not an acceptable outcome.

Instead, we should fix the underlying issue.  Namely, we should make the
header value the same for all recipients.  Or, even better, remove the
header from the AAD field.

Imagine a world in which the JOSE header is not input as AAD to GCM (i.e.,
it receives no integrity protection).  Instead, we provide an actual "AAD
field" that contains the value for that field in the AEAD computation:

OLD: header.key.iv.ciphertext.mac
NEW: header.key.iv.aad.ciphertext.mac

That world is simpler to write code for (since you don't have to keep the
encoded header around), supports more applications (since you can actually
use the AAD field), and the problems with GCM do not exist.  Let's create
that world!

--Richard



On Thu, Mar 28, 2013 at 10:06 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

>  I'll plan to add text to the GCM section of JWA during the current round
> of edits pointing this out.  David McGrew was also going to get me some
> text about constraints on GCM initialization vector values.
>
>                                                             -- Mike
>
> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf
> Of *Jim Schaad
> *Sent:* Thursday, March 28, 2013 7:02 PM
> *To:* jose@ietf.org
> *Subject:* [jose] FW: GCM nonce reuse question
>
> For those people not on the CFRG list –
>
> Jim
>
> *From:* David McGrew (mcgrew) [mailto:mcgrew@cisco.com]
> *Sent:* Thursday, March 28, 2013 4:15 AM
> *To:* Jim Schaad
> *Cc:* cfrg@irtf.org
> *Subject:* Re: GCM nonce reuse question
>
> Hi Jim,
>
> *From: *Jim Schaad <jimsch@augustcellars.com>
> *Date: *Wednesday, March 27, 2013 6:43 PM
> *To: *David McGrew <mcgrew@cisco.com>
> *Cc: *"cfrg@irtf.org" <cfrg@irtf.org>
> *Subject: *GCM nonce reuse question
>
> > David,
> >
> > In doing a write up I became worried about a security property of the GCM
> > encryption mode in the way that the JOSE group is currently using it.
> >
> > There are known problems with not having a unique set of values for IVs
> > and Key pairings.  Do these problems apply to having a different set of
> > auxiliary data as well as the plain text?
>
> Yes.  The security issues are summarized in
> http://tools.ietf.org/html/rfc5116#section-5.1.1  but apparently they are
> not described generally enough.   They should read "plaintext or associated
> data values".
>
> > Specifically the current way that GCM mode is being used in JOSE is
> >
> > Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain
> > text)
> >
> > Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain
> > text)
> >
> > As the key, nonce and plain text are fixed it would produce the same
> > encrypted text value but different authentication tags.
>
> Can't do that.   Each invocation of the encryption operation needs a
> distinct nonce, unless all of the encryption operation inputs are identical.
>
> Many thanks for calling this out, Jim.
>
> David
>
> > Jim
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
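The pattern Jim describes (one key, one nonce, one plaintext, a different per-recipient AAD) and the rule David states (a fresh nonce for every encryption invocation), as an added Go example that is not code from the thread or from any JOSE implementation. It shows that the two invocations share a ciphertext body but get different tags, and wraps the cipher in a per-key guard that refuses a nonce it has already consumed; the key, nonce and plaintext values used with it are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// newGCM builds an AES-GCM AEAD; a bad key length is a programming error here.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// sealSplit runs one GCM encryption and returns ciphertext body and 16-byte tag separately.
func sealSplit(gcm cipher.AEAD, nonce, aad, plaintext []byte) (ct, tag []byte) {
	out := gcm.Seal(nil, nonce, plaintext, aad)
	n := len(out) - gcm.Overhead()
	return out[:n], out[n:]
}

// SameNonceDifferentAAD reproduces the thread's multi-recipient pattern (one key, nonce
// and plaintext, per-recipient AAD) and reports whether the bodies and tags are equal.
func SameNonceDifferentAAD(key, nonce, plaintext, aad1, aad2 []byte) (ctEqual, tagEqual bool) {
	gcm := newGCM(key)
	ct1, tag1 := sealSplit(gcm, nonce, aad1, plaintext)
	ct2, tag2 := sealSplit(gcm, nonce, aad2, plaintext)
	return string(ct1) == string(ct2), string(tag1) == string(tag2)
}

// NewGuardedSealer returns a seal function for one key enforcing David McGrew's rule:
// each encryption invocation needs a nonce this key has never used, whatever the AAD.
func NewGuardedSealer(key []byte) func(nonce, aad, plaintext []byte) ([]byte, error) {
	gcm := newGCM(key)
	seen := map[string]bool{}
	return func(nonce, aad, plaintext []byte) ([]byte, error) {
		if seen[string(nonce)] {
			return nil, errors.New("gcm: nonce already used under this key")
		}
		seen[string(nonce)] = true
		return gcm.Seal(nil, nonce, plaintext, aad), nil
	}
}
```

With the guard in place, the second recipient in Jim's example is rejected at the call site unless the caller supplies a new nonce (or, per Richard's proposal, makes every input to the single invocation identical).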