IETF Logo Mail Archive

Re: [jose] FW: GCM nonce reuse question

Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com> Tue, 02 April 2013 08:21 UTC

Return-Path: <Vijay.Bharadwaj@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC4C21F9881 for <jose@ietfa.amsl.com>; Tue, 2 Apr 2013 01:21:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ama7IbZtDuLY for <jose@ietfa.amsl.com>; Tue, 2 Apr 2013 01:21:44 -0700 (PDT)
Received: from na01-sn2-obe.outbound.o365filtering.com (na01-sn2-obe.ptr.o365filtering.com [157.55.158.23]) by ietfa.amsl.com (Postfix) with ESMTP id B8B8021F9864 for <jose@ietf.org>; Tue, 2 Apr 2013 01:21:38 -0700 (PDT)
Received: from BY2SR01CA103.namsdf01.sdf.exchangelabs.com (10.255.93.148) by BY2SR01MB608.namsdf01.sdf.exchangelabs.com (10.255.93.167) with Microsoft SMTP Server (TLS) id 15.0.670.5; Tue, 2 Apr 2013 08:21:32 +0000
Received: from SN2FFOFD002.ffo.gbl (157.55.158.29) by BY2SR01CA103.outlook.office365.com (10.255.93.148) with Microsoft SMTP Server (TLS) id 15.0.670.5 via Frontend Transport; Tue, 2 Apr 2013 08:21:32 +0000
Received: from hybrid.exchange.microsoft.com (131.107.1.27) by SN2FFOFD002.mail.o365filtering.com (10.111.201.21) with Microsoft SMTP Server (TLS) id 15.0.664.0 via Frontend Transport; Tue, 2 Apr 2013 08:21:32 +0000
Received: from df-h14-02.exchange.corp.microsoft.com (157.54.78.140) by DF-G14-02.exchange.corp.microsoft.com (157.54.87.56) with Microsoft SMTP Server (TLS) id 14.3.123.1; Tue, 2 Apr 2013 01:21:31 -0700
Received: from DFM-DB3MBX15-05.exchange.corp.microsoft.com (10.166.18.223) by DF-H14-02.exchange.corp.microsoft.com (157.54.78.140) with Microsoft SMTP Server (TLS) id 14.3.123.1; Tue, 2 Apr 2013 01:21:30 -0700
Received: from DFM-DB3MBX15-07.exchange.corp.microsoft.com (10.166.18.225) by DFM-DB3MBX15-05.exchange.corp.microsoft.com (10.166.18.223) with Microsoft SMTP Server (TLS) id 15.0.620.25; Tue, 2 Apr 2013 01:21:10 -0700
Received: from DFM-DB3MBX15-07.exchange.corp.microsoft.com ([10.166.18.225]) by DFM-DB3MBX15-07.exchange.corp.microsoft.com ([169.254.11.157]) with mapi id 15.00.0620.020; Tue, 2 Apr 2013 01:21:09 -0700
From: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>
Thread-Topic: [jose] FW: GCM nonce reuse question
Thread-Index: AQDc/nSECiQAb+v2IzCf58qtgKDeAZqeRckwgAB2xQCAAA1RAIAGKX2g
Date: Tue, 02 Apr 2013 08:21:09 +0000
Message-ID: <c0c86017df354a13946d8c3de6a647ec@DFM-DB3MBX15-07.exchange.corp.microsoft.com>
References: <006a01ce2b3c$8f0d03b0$ad270b10$@augustcellars.com> <747787E65E3FBD4E93F0EB2F14DB556B183EF2E3@xmb-rcd-x04.cisco.com> <006701ce2c21$65accf10$31066d30$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436759736A@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgQ8D+K+hsOSNVKCYLFTC4hc5y8ELKFgqtXO9B7s4yQ2Jw@mail.gmail.com>
In-Reply-To: <CAL02cgQ8D+K+hsOSNVKCYLFTC4hc5y8ELKFgqtXO9B7s4yQ2Jw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.13]
Content-Type: multipart/alternative; boundary="_000_c0c86017df354a13946d8c3de6a647ecDFMDB3MBX1507exchangeco_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.1.27; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(24454001)(52604002)(377454001)(66654001)(189002)(199002)(16406001)(63696002)(51856001)(16236675001)(33646001)(5343635001)(44976002)(79102001)(54316002)(76482001)(1511001)(81342001)(56816002)(54356001)(876001)(53806001)(56776001)(31966008)(5343655001)(4396001)(74502001)(77982001)(66066001)(59766001)(20776003)(80022001)(47446002)(74662001)(15202345002)(49866001)(65816001)(47736001)(46102001)(47976001)(71186001)(512954001)(50986001)(564824001)(69226001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2SR01MB608; H:hybrid.exchange.microsoft.com; RD:mail7.exchange.microsoft.com; MX:1; A:1; LANG:en;
X-Forefront-PRVS: 08041D247D
X-OriginatorOrg: DuplicateDomain-7923a859-03c9-4312-a77c-440aa45aaf52.microsoft.com
Cc: Jim Schaad <ietf@augustcellars.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] FW: GCM nonce reuse question
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 08:21:55 -0000

I was reading the JWE draft today for different reasons, and came here to point out exactly this issue. It was not clear to me why there were multiple headers and integrity values.

Also, it seems to me the header in JWE is defined in a way that is suboptimal for the multiple recipient case. It mixes parameters related to the encryption of payload with CMK (of which you only need one) with parameters related to the encryption of the CMK with the recipient's key (of which you need one per encrypted key). Why not refactor these to look more like CMS? In other words:

Array of recipients, where each is: {alg: <alg>, <recipient identifier such as jwk>, <encrypted CMK>}
Header: <parameters related to compression and CMK encryption, including IV>
Ciphertext: <encoded ciphertext>
Integrity_value: <encoded authentication tag with recipients and header as AAD>

Putting the integrity check at the end reduces the amount of buffering in the implementation that produces the message.

Thoughts?

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Thursday, March 28, 2013 7:54 PM
To: Mike Jones
Cc: Jim Schaad; cfrg@irtf.org; jose@ietf.org
Subject: Re: [jose] FW: GCM nonce reuse question

[trimmed CFRG, since we're talking about JOSE now]

Out of curiosity, what text are you planning to add?

As I read David's response, he is saying that GCM is unusable with multiple recipients, because multiple header values are fed into GCM with the same nonce.

Outlawing GCM is not an acceptable outcome.

Instead, we should fix the underlying issue.  Namely, we should make the header value the same for all recipients.  Or, even better, remove the header from the AAD field.

Imagine a world in which the JOSE header is not input as AAD to GCM (i.e., it receives no integrity protection).  Instead, we provide an actual "AAD field" that contains the value for that field in the AEAD computation:

OLD: header.key.iv.ciphertext.mac
NEW: header.key.iv.aad.ciphertext.mac

That world is simpler to write code for (since you don't have to keep the encoded header around), supports more applications (since you can actually use the AAD field), and the problems with GCM do not exist.  Let's create that world!

--Richard


On Thu, Mar 28, 2013 at 10:06 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
I'll plan to add text to the GCM section of JWA during the current round of edits pointing this out.  David McGrew was also going to get me some text about constraints on GCM initialization vector values.

                                                            -- Mike

From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org<mailto:jose-bounces@ietf.org>] On Behalf Of Jim Schaad
Sent: Thursday, March 28, 2013 7:02 PM
To: jose@ietf.org<mailto:jose@ietf.org>
Subject: [jose] FW: GCM nonce reuse question

For those people not on the CFRG list -

Jim


From: David McGrew (mcgrew) [mailto:mcgrew@cisco.com]
Sent: Thursday, March 28, 2013 4:15 AM
To: Jim Schaad
Cc: cfrg@irtf.org<mailto:cfrg@irtf.org>
Subject: Re: GCM nonce reuse question

Hi Jim,

From: Jim Schaad <jimsch@augustcellars.com<mailto:jimsch@augustcellars.com>>
Date: Wednesday, March 27, 2013 6:43 PM
To: David McGrew <mcgrew@cisco.com<mailto:mcgrew@cisco.com>>
Cc: "cfrg@irtf.org<mailto:cfrg@irtf.org>" <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: GCM nonce reuse question

David,

In doing a write up I became worried about a security property of the GCM encryption mode in the way that the JOSE group is currently using it.

There are known problems with not having a unique set of values for IVs and Key pairings.  Do these problems apply to having a different set of auxiliary data as well as the plain text?


Yes.  The security issues are summarized in http://tools.ietf.org/html/rfc5116#section-5.1.1  but apparently they are not described generally enough.   They should read "plaintext or associated data values".

Specifically the current way that GCM mode is being used in JOSE is

Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain text)
Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain text)

As the key, nonce and plain text are fixed it would produce the same encrypted text value but different authentication tags.


Can't do that.   Each invocation of the encryption operation needs a distinct nonce, unless all of the encryption operation inputs are identical.

Many thanks for calling this out, Jim.

David

Jim


_______________________________________________
jose mailing list
jose@ietf.org<mailto:jose@ietf.org>
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email